Re: HSTS Misuse

Philipp Junghannß <teamhydro55555@gmail.com> Mon, 23 May 2016 10:33 UTC

In-Reply-To: <19a0a6cfdeac003c5e1c20c3360055ce@ultrawaves.net>
From: Philipp Junghannß <teamhydro55555@gmail.com>
Date: Mon, 23 May 2016 12:28:05 +0200
Message-ID: <CACHSkNpkweC6oUrP-OpGSYu_RWLEFgVbePVZBR_hfTyPkV=MxQ@mail.gmail.com>
To: Solarus Lumenor <solarus@ultrawaves.fr>
Cc: HTTP Working Group <ietf-http-wg@w3.org>

Well, but HSTS on the DNS level is, in my opinion, a similar thing to TLSA
versus HPKP, and I think TLSA is a lot better because you can manage it a lot
more easily and quickly.

Also, usually, even on a provider, in many cases the owner has more control
over the DNS than over the HTTP headers.

2016-05-23 12:06 GMT+02:00 Solarus Lumenor <solarus@ultrawaves.fr>:

> On 2016-05-23 10:49, Solarus Lumenor wrote:
>
>
> As long as HSTS in DNS is not standardized or implemented, the domain
> owner does not matter; it's only a server problem.
>
> Sorry for this answer.
>
> Assuming that HSTS is activated in the DNS zone, the problem is slightly
> the same.
> If you activate HSTS in a zone that serves HTTP, then the connection will be
> blocked.
>
> There is no other solution than to educate users in best practices and good
> use cases.
>
> Human problems, human solutions. :)
> Solarus.
>
>
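As an added example (not part of this thread), a small pre-deployment check for the failure mode Solarus describes: it parses a Strict-Transport-Security value per RFC 6797 and reports which hosts in an inventory would be forced to HTTPS by the policy but only serve plain HTTP. The inventory, hostnames and the `demo()` helper are constructed for illustration.

```python
"""Pre-deployment HSTS check: which hosts would a policy cut off?"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_sts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns None when the header is invalid: missing, non-numeric or
    duplicated max-age, or any duplicated directive name."""
    max_age = None
    include_sub = False
    seen = set()
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        if name in seen:  # duplicate directives make the header invalid
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # unknown directives are ignored for forward compatibility
    return None if max_age is None else HstsPolicy(max_age, include_sub)


def covered(policy: HstsPolicy, host: str, hsts_host: str) -> bool:
    """True if the policy set on hsts_host applies to host."""
    if host == hsts_host:
        return True
    return policy.include_subdomains and host.endswith("." + hsts_host)


def blocked_hosts(policy: HstsPolicy, hsts_host: str,
                  inventory: Dict[str, bool]) -> List[str]:
    """inventory maps hostname -> True if it serves HTTPS. Returns the
    hosts the policy would upgrade but that cannot answer over TLS."""
    return sorted(h for h, https in inventory.items()
                  if covered(policy, h, hsts_host) and not https)


def demo(header: str) -> List[str]:
    # Constructed inventory: two hosts still serve plain HTTP only.
    inventory = {"example.com": True, "www.example.com": True,
                 "intranet.example.com": False, "legacy.example.com": False,
                 "example.org": False}
    policy = parse_sts(header)
    return [] if policy is None else blocked_hosts(policy, "example.com", inventory)
```

Running `demo("max-age=31536000; includeSubDomains")` lists the two HTTP-only subdomains that users would no longer be able to reach; without includeSubDomains the same inventory is unaffected.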