Re: HSTS Misuse

Yoav Nir <ynir.ietf@gmail.com> Tue, 24 May 2016 13:21 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CACHSkNq4JpETZvB+M4bJNq7CtGfizsfaNLNABO62D_YMHbOPKQ@mail.gmail.com>
Date: Tue, 24 May 2016 16:10:50 +0300
Cc: Dennis Olvany <dennisolvany@gmail.com>, Solarus Lumenor <solarus@ultrawaves.fr>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <3F5D7998-88FE-4F5B-AAFD-24AC13B08FCC@gmail.com>
References: <CAATNdDzB=Dgtqmyj5mB_VE24kvi9Nqt-6f2tdL0fJsZS0HypNQ@mail.gmail.com> <CACHSkNpx31zci8Kxv7LS85OJoJfuzC-hZx1RMzoiQ9-v4S=ObQ@mail.gmail.com> <CAATNdDwUpXAvpZp-=L-mif2zDSkMjA6VtKv_hrCQZJQBmt0Ctg@mail.gmail.com> <7301d13860eca437fc01c21ace8d322a@ultrawaves.net> <CACHSkNq4P3SPvE+XBWBPHLb5gaWcYNS0CFz8QNP+z7BUsM_TCA@mail.gmail.com> <CAATNdDxmM_-MfakHa6wguM0+aOtFmEr-yFaT+-yan0PRdSJCEg@mail.gmail.com> <CACHSkNq4JpETZvB+M4bJNq7CtGfizsfaNLNABO62D_YMHbOPKQ@mail.gmail.com>
To: Philipp Junghannß <teamhydro55555@gmail.com>
Subject: Re: HSTS Misuse
Archived-At: <http://www.w3.org/mid/3F5D7998-88FE-4F5B-AAFD-24AC13B08FCC@gmail.com>

> On 23 May 2016, at 1:37 PM, Philipp Junghannß <teamhydro55555@gmail.com> wrote:
> 
> Also, let's not forget what will happen if we have an obnoxiously long HSTS and the domain gets sold? Have fun eating that one.
> Obviously the issue gets even better with HPKP. For HSTS you can get around it with Let's Encrypt and ANY other trusted certs, but HPKP pins specific keys; in other words, when for example the previous server owner or whoever has pinned some EV CAs and the next owner is an individual, that person can forget it because (for some stupid reason) individuals can't get EV certs.

At least for HPKP you cannot set obnoxiously long lifetimes, as the RFC recommends limiting max-age to ~60 days.

Yoav