Re: [HASMAT] HSTS Threat prevalence
Marsh Ray <marsh@extendedsubset.com> Fri, 06 August 2010 19:16 UTC
Message-ID: <4C5C5F9D.3050107@extendedsubset.com>
Date: Fri, 06 Aug 2010 14:16:45 -0500
From: Marsh Ray <marsh@extendedsubset.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
References: <AANLkTimt60chhpjL=3+ds8aGsBp18_YTAZU0GWs-jD4V@mail.gmail.com> <5EE049BA3C6538409BBE6F1760F328ABEAD832B390@DEN-MEXMS-001.corp.ebay.com> <AANLkTinj7WcbyxPmpEfv0=ntPTnuCCDiP9qD2iyvH_aw@mail.gmail.com>
In-Reply-To: <AANLkTinj7WcbyxPmpEfv0=ntPTnuCCDiP9qD2iyvH_aw@mail.gmail.com>
Cc: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>, IETF HASMAT list <hasmat@ietf.org>
List-Id: HTTP Application Security Minus Authentication and Transport <hasmat.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/hasmat>
On 08/06/2010 02:09 PM, Devdatta Akhawe wrote:
> #1 would be good - for a reasonably representative sample (i.e. no
> stories ' I once sat in a cafe and ... ').

How about "I've sat in cafes on multiple occasions with professional
pen-testers who told me that they employ these techniques quite
effectively on a regular basis"?

- Marsh

> On 6 August 2010 11:52, Steingruebl, Andy <asteingruebl@paypal-inc.com> wrote:
>>> -----Original Message-----
>>> From: hasmat-bounces@ietf.org [mailto:hasmat-bounces@ietf.org] On
>>> Behalf Of Devdatta Akhawe
>>> Sent: Friday, August 06, 2010 11:36 AM
>>> To: IETF HASMAT list
>>> Subject: [HASMAT] HSTS Threat prevalence
>>>
>>> Hi all
>>>
>>> The HSTS specification talks about possible attacks that could be prevented
>>> by the use of HSTS. Do we have any data that suggests these attacks are
>>> actually a concern / being used by attackers anywhere? I couldn't find any
>>> citation to this effect in the specification.
>>
>> We are actively doing research in this area, but we don't know of any
>> published work at this point.
>>
>> For the wider audience - do you want to know:
>> 1. Whether this is occurring
>> 2. Its overall frequency/distribution
>> 3. Both
>>
>> Which of these would be most compelling? On a percentage basis the
>> number of connections being observed by passive network attackers is
>> probably very small. That doesn't by itself mean we should get rid of TLS.
>>
>> Me - I initially want the answer to #1, and then to #2.
>>
>> - Andy
>>
> _______________________________________________
> HASMAT mailing list
> HASMAT@ietf.org
> https://www.ietf.org/mailman/listinfo/hasmat