Re: HSTS Misuse
Patrick McManus <mcmanus@ducksong.com> Tue, 24 May 2016 13:50 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BB6E12D634 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 24 May 2016 06:50:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.346
X-Spam-Level:
X-Spam-Status: No, score=-8.346 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sendgrid.me
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KC3tTvzHntfw for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 24 May 2016 06:50:14 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAB7712D787 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 24 May 2016 06:50:12 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1b5CeN-0003C8-7J for ietf-http-wg-dist@listhub.w3.org; Tue, 24 May 2016 13:45:35 +0000
Resent-Date: Tue, 24 May 2016 13:45:35 +0000
Resent-Message-Id: <E1b5CeN-0003C8-7J@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <bounces+1568871-208f-ietf-http-wg=w3.org@sendgrid.net>) id 1b5CeH-0002qb-UO for ietf-http-wg@listhub.w3.org; Tue, 24 May 2016 13:45:29 +0000
Received: from o50314941.outbound-mail.sendgrid.net ([50.31.49.41]) by maggie.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA256:128) (Exim 4.80) (envelope-from <bounces+1568871-208f-ietf-http-wg=w3.org@sendgrid.net>) id 1b5CeG-00040c-Ct for ietf-http-wg@w3.org; Tue, 24 May 2016 13:45:29 +0000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sendgrid.me; h=mime-version:in-reply-to:references:subject:from:to:cc:content-type; s=smtpapi; bh=U9Ud1gzteiu14nHdurcE04pgph4=; b=pO4QMHnj/2Mv73PS4L DdO/g6eZfvUrmCW0PhLDn8dMpptTaxXbt8QytiNFSbA1fv8lMaYnu3e9DojxcLjn U5Bp+CNL2F77atXj+YzR5gVw/SXeLZ4HDqCWS8LnK1hesAm0J/I5rEPwescoWuw/ z4v4R8UY6slh44HJl9Yh3C8TI=
Received: by filter0808p1mdw1.sendgrid.net with SMTP id filter0808p1mdw1.16616.57445AD624 2016-05-24 13:44:54.246524612 +0000 UTC
Received: from mail-vk0-f41.google.com (mail-vk0-f41.google.com [209.85.213.41]) by ismtpd0003p1iad1.sendgrid.net (SG) with ESMTP id DGI6Es8yQe2PV9PUEwqqsQ for <ietf-http-wg@w3.org>; Tue, 24 May 2016 13:44:54.120 +0000 (UTC)
Received: by mail-vk0-f41.google.com with SMTP id y2so21876165vka.3 for <ietf-http-wg@w3.org>; Tue, 24 May 2016 06:44:54 -0700 (PDT)
X-Gm-Message-State: ALyK8tJnPnAChkOhNINZOMMuLWKd9ttjjX6BY4AyYYgPXthA1Ec/vM3lFCWCT/QtCZLEw37sBkT2SgJKVI+oIw==
MIME-Version: 1.0
X-Received: by 10.31.70.193 with SMTP id t184mr2101917vka.123.1464097493777; Tue, 24 May 2016 06:44:53 -0700 (PDT)
Received: by 10.176.2.225 with HTTP; Tue, 24 May 2016 06:44:53 -0700 (PDT)
In-Reply-To: <CACHSkNq4JpETZvB+M4bJNq7CtGfizsfaNLNABO62D_YMHbOPKQ@mail.gmail.com>
References: <CAATNdDzB=Dgtqmyj5mB_VE24kvi9Nqt-6f2tdL0fJsZS0HypNQ@mail.gmail.com> <CACHSkNpx31zci8Kxv7LS85OJoJfuzC-hZx1RMzoiQ9-v4S=ObQ@mail.gmail.com> <CAATNdDwUpXAvpZp-=L-mif2zDSkMjA6VtKv_hrCQZJQBmt0Ctg@mail.gmail.com> <7301d13860eca437fc01c21ace8d322a@ultrawaves.net> <CACHSkNq4P3SPvE+XBWBPHLb5gaWcYNS0CFz8QNP+z7BUsM_TCA@mail.gmail.com> <CAATNdDxmM_-MfakHa6wguM0+aOtFmEr-yFaT+-yan0PRdSJCEg@mail.gmail.com> <CACHSkNq4JpETZvB+M4bJNq7CtGfizsfaNLNABO62D_YMHbOPKQ@mail.gmail.com>
Date: Tue, 24 May 2016 09:44:53 -0400
X-Gmail-Original-Message-ID: <CAOdDvNoNW_U24mrGDpvvvLTQGbT48zcTd8niquA7KefVb-zqXQ@mail.gmail.com>
Message-ID: <CAOdDvNoNW_U24mrGDpvvvLTQGbT48zcTd8niquA7KefVb-zqXQ@mail.gmail.com>
From: Patrick McManus <mcmanus@ducksong.com>
To: Philipp Junghannß <teamhydro55555@gmail.com>
Cc: Dennis Olvany <dennisolvany@gmail.com>, Solarus Lumenor <solarus@ultrawaves.fr>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="001a11489076088b5d053396c3f1"
X-SG-EID: YLWet4rakcOTMHWvPPwWbcsiUJbN1FCn0PHYd/Uujh6vlVVwSk9O5X5ceh9HR3iFBT/7MkUXETynoa /Z9UKNpovZdQTVpiAY4DCbC6WuD1ekcHlelsYQ4mjxvYrfsQ1BV9DoeZrwL2ids0if1qhT1LnbeIiN Ktxe2nDZDOkFxeZ8TU1BZywG+A5HZwEAZ364N0pXgS6sBlgRGrCwvmnqXJbRPiTqVeVdIVpO4St9mv 4=
Received-SPF: pass client-ip=50.31.49.41; envelope-from=bounces+1568871-208f-ietf-http-wg=w3.org@sendgrid.net; helo=o50314941.outbound-mail.sendgrid.net
X-W3C-Hub-Spam-Status: No, score=-6.1
X-W3C-Hub-Spam-Report: AWL=-0.201, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001, URIBL_GREY=0.424, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1b5CeG-00040c-Ct e0e8ee0ecce351f1d8da82e156b4b7d1
X-Original-To: ietf-http-wg@w3.org
Subject: Re: HSTS Misuse
Archived-At: <http://www.w3.org/mid/CAOdDvNoNW_U24mrGDpvvvLTQGbT48zcTd8niquA7KefVb-zqXQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31664
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On Mon, May 23, 2016 at 6:37 AM, Philipp Junghannß <teamhydro55555@gmail.com > wrote: > also lets not forget that what will happen if we have an obnoxiouslyy long > HSTS and the domain gets sold? > A domain with a smaller bootstrap vulnerability against MITM would be more valuable to a sensible buyer. It's 2016 afterall - worrying about how to avoid https is needlessly swimming against the tide. I've actually wondered about a https only TLD for the same benefit.
- Re: HSTS Misuse Dennis Olvany
- HSTS Misuse Dennis Olvany
- Re: HSTS Misuse Philipp Junghannß
- Re: HSTS Misuse Solarus Lumenor
- Re: HSTS Misuse Solarus Lumenor
- Re: HSTS Misuse Philipp Junghannß
- Re: HSTS Misuse Philipp Junghannß
- Re: HSTS Misuse Dennis Olvany
- Re: HSTS Misuse Philipp Junghannß
- Re: HSTS Misuse Dennis Olvany
- Re: HSTS Misuse Yoav Nir
- Re: HSTS Misuse Yoav Nir
- Re: HSTS Misuse Patrick McManus