Re: [HASMAT] HSTS Threat prevalence

Devdatta Akhawe <dev.akhawe@gmail.com> Fri, 06 August 2010 22:07 UTC

Return-Path: <dev.akhawe@gmail.com>
X-Original-To: hasmat@core3.amsl.com
Delivered-To: hasmat@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 81BB13A687D for <hasmat@core3.amsl.com>; Fri, 6 Aug 2010 15:07:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id akStf0LpWdgC for <hasmat@core3.amsl.com>; Fri, 6 Aug 2010 15:07:52 -0700 (PDT)
Received: from mail-qy0-f179.google.com (mail-qy0-f179.google.com [209.85.216.179]) by core3.amsl.com (Postfix) with ESMTP id 68A113A687C for <hasmat@ietf.org>; Fri, 6 Aug 2010 15:07:52 -0700 (PDT)
Received: by qyk8 with SMTP id 8so6492761qyk.10 for <hasmat@ietf.org>; Fri, 06 Aug 2010 15:08:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=owCnkKIC53OZvNEgSTSppV4NV4yWdHHC3DNnQBnBqYE=; b=Qx1B0C1uDizcWt5lDlP6qHQuHructyL3mNx6zQlFV/baNjk/EC8PtEpyX8jXzoWqoE BjFJC68zBY0fTwVEuMChlkthaZP4/L+BaLjFHnOpTaNQBVtCCQ85PqLpB/xwR32Gf43t MiB7S51eyvBocGkr6YO4JJ7BtzCD4ejHPJa7Y=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; b=aKkxCL71hegLMZqRvJx2yi1AT37KjtLu/YfFhR7mvM3qRJibsEjQcwz6lKU3kJAo2b vixeXyqqx4KynTFjczuD2Qm3TO6cnmmCyPytFsX0HjZfMndbSjuQqpBBuiCAVVVzD7lv JVCzRlERkb8sdbeMtqz17iPik2Y6PX3XmisJk=
Received: by 10.224.80.203 with SMTP id u11mr6423795qak.127.1281132503249; Fri, 06 Aug 2010 15:08:23 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.2.19 with HTTP; Fri, 6 Aug 2010 15:08:03 -0700 (PDT)
In-Reply-To: <4C5C5F9D.3050107@extendedsubset.com>
References: <AANLkTimt60chhpjL=3+ds8aGsBp18_YTAZU0GWs-jD4V@mail.gmail.com> <5EE049BA3C6538409BBE6F1760F328ABEAD832B390@DEN-MEXMS-001.corp.ebay.com> <AANLkTinj7WcbyxPmpEfv0=ntPTnuCCDiP9qD2iyvH_aw@mail.gmail.com> <4C5C5F9D.3050107@extendedsubset.com>
From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 06 Aug 2010 15:08:03 -0700
Message-ID: <AANLkTinKeRh9qZggt_fc1KyrUM-MU3izaD1sW-EBwe-b@mail.gmail.com>
To: Marsh Ray <marsh@extendedsubset.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>, IETF HASMAT list <hasmat@ietf.org>
Subject: Re: [HASMAT] HSTS Threat prevalence
X-BeenThere: hasmat@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: HTTP Application Security Minus Authentication and Transport <hasmat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hasmat>
List-Post: <mailto:hasmat@ietf.org>
List-Help: <mailto:hasmat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Aug 2010 22:07:53 -0000

>>
>> #1 would be good - for a reasonably representative sample (i.e. no
>> stories ' I once sat in a cafe and ... ').
>
> How about "I've sat in cafes on multiple occasions with professional
> pen-testers who told me that they employ these techniques quite effectively
> on a regular basis"?

I am not sure if people targeted by professional pentesters are a
"representative sample" of the general web user populace.

Maybe I have a very optimistic/naive view of things.


cheers
devdatta


>
> - Marsh
>
>
>> On 6 August 2010 11:52, Steingruebl, Andy<asteingruebl@paypal-inc.com>
>>  wrote:
>>>>
>>>> -----Original Message-----
>>>> From: hasmat-bounces@ietf.org [mailto:hasmat-bounces@ietf.org] On
>>>> Behalf Of Devdatta Akhawe
>>>> Sent: Friday, August 06, 2010 11:36 AM
>>>> To: IETF HASMAT list
>>>> Subject: [HASMAT] HSTS Threat prevalence
>>>>
>>>> Hi all
>>>>
>>>> The HSTS specification talks about possible attacks that could be
>>>> prevented
>>>> by the use of HSTS. Do we have any data that suggests these attacks are
>>>> actually a concern / being used by attackers anywhere ? I couldn't find
>>>> any
>>>> citation to this effect in the specification.
>>>
>>> We are actively doing research in this area, but we don't know of any
>>> published work at this point.
>>>
>>> For the wider audience - do you want to know:
>>> 1. Whether this is occurring
>>> 2. Its overall frequency/distribution
>>> 3. Both
>>>
>>> Which of these would be most compelling?  On a percentage basis the
>>> number of connections being observed by passive network attackers is
>>> probably very small.  That doesn't by itself mean to should get rid of TLS.
>>>
>>> Me - I initially want the answer to #1, and then to #2.
>>>
>>> - Andy
>>>
>> _______________________________________________
>> HASMAT mailing list
>> HASMAT@ietf.org
>> https://www.ietf.org/mailman/listinfo/hasmat
>
>