HSTS Misuse

Dennis Olvany <dennisolvany@gmail.com> Sun, 22 May 2016 13:50 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B076412D0FA for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 22 May 2016 06:50:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.446
X-Spam-Level:
X-Spam-Status: No, score=-8.446 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GyvfiA8aQaOG for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 22 May 2016 06:50:27 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 744FA12B01F for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 22 May 2016 06:50:27 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1b4Tha-0000eL-Pl for ietf-http-wg-dist@listhub.w3.org; Sun, 22 May 2016 13:45:54 +0000
Resent-Date: Sun, 22 May 2016 13:45:54 +0000
Resent-Message-Id: <E1b4Tha-0000eL-Pl@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <dennisolvany@gmail.com>) id 1b4ThT-0000bf-Rt for ietf-http-wg@listhub.w3.org; Sun, 22 May 2016 13:45:47 +0000
Received: from mail-vk0-f66.google.com ([209.85.213.66]) by lisa.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <dennisolvany@gmail.com>) id 1b4ThS-00036C-AD for ietf-http-wg@w3.org; Sun, 22 May 2016 13:45:47 +0000
Received: by mail-vk0-f66.google.com with SMTP id e126so22998460vkb.2 for <ietf-http-wg@w3.org>; Sun, 22 May 2016 06:45:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to; bh=uO4r10CCXoZUvWdFwRIA5hNsndMQ+DtheaplhI4Lz+4=; b=vGbN/597gSaLMhLe8khwr/7LCY+sTNraBlm1QhHV5JlpELmaf0Dt6Kk5cWe7uCLfib astsHUk/wpaQIqZXI4gSXHrs/CPldAlVH52cb8NTZK/7rzht8619asj9eG5bDE2CYysV hlroGRzYOAukCN3Ivrs+ZUe9QrX4lD0YMyZDKnDelCiafaf8q1Hv1s73lZUk8YtOvccP qWti8gtb7i/vsUxPkbH6/eoYu1L5iGPqc6XW/f4v6Lmv9EX1wE2Nvsn5SxPyoPWD+z7T mlvO2NcPNB09EknI6BySjcwNmIveMBjsBfhRQ7By6z08Hkl9FIzF5VxfoXWtWJWQ/8dV Odqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=uO4r10CCXoZUvWdFwRIA5hNsndMQ+DtheaplhI4Lz+4=; b=I9yfFNTZr1Qb7p2pV44Qsgx9IvBLgLwfEd7q2nDQ/HfuGiBhwHusQx+sL7/Du4FTNH rb0LJ7NMXcoltfnQMmfXYHU3wb56XPNvyuws5OLc2kbhifANq9v9+4No0Wi8F0FIZUc7 nMcVgPfbT1HuV/GJO7EingugYnvpjMldX6yvvkxJ5VtVJi/l+hSar7o2I7/bs/bNTFZP dFP5fWfqv90IDRbiiwsxjTodlnbAJk9+5+eiWDBeHMxBhdVbfSZJClVLTVP2v2xbTUlz DuIxOOZM7BePyD7JjeDhfJau2HkOYONCyLqGsQhFAxkoyueZbTubb0KpQ5U6kDtP1t8t Q5zw==
X-Gm-Message-State: AOPr4FUbvzrCbExsyPyG0/EItI0N10qVEe4vm8H3GAVSS5rt6lTmGYS2Fh4mWlB7XnT9SBBWsS1dmyBz45aQkw==
X-Received: by 10.176.3.85 with SMTP id 79mr6924170uat.142.1463924719755; Sun, 22 May 2016 06:45:19 -0700 (PDT)
MIME-Version: 1.0
From: Dennis Olvany <dennisolvany@gmail.com>
Date: Sun, 22 May 2016 13:45:10 +0000
Message-ID: <CAATNdDzB=Dgtqmyj5mB_VE24kvi9Nqt-6f2tdL0fJsZS0HypNQ@mail.gmail.com>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="001a113d152ce62a8405336e88b3"
Received-SPF: pass client-ip=209.85.213.66; envelope-from=dennisolvany@gmail.com; helo=mail-vk0-f66.google.com
X-W3C-Hub-Spam-Status: No, score=-5.5
X-W3C-Hub-Spam-Report: AWL=-0.815, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1b4ThS-00036C-AD 2c47711e31517ebd935e78c1fd03016a
X-Original-To: ietf-http-wg@w3.org
Subject: HSTS Misuse
Archived-At: <http://www.w3.org/mid/CAATNdDzB=Dgtqmyj5mB_VE24kvi9Nqt-6f2tdL0fJsZS0HypNQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31652
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

There is a section in the RFC that addresses DoS, but I am interested in a
particular case. Let's posit that a domain owner directs their domain to an
https server that returns an HSTS header without the domain owner's
knowledge or consent. If the domain owner then directs their domain to an
http server, the site will be unreachable from browsers that are caching
HSTS. Has there been any discussion or guidance regarding this scenario?
When is the implementation of HSTS considered to be inappropriate?
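For readers following the thread, the browser behaviour Dennis describes can be modelled in a few lines. What follows is an added example, not part of the original message and not any browser's code: the host name is constructed, and the cache logic is a simplified reading of RFC 6797 sections 6.1 (header parsing), 8.1 (state is only set from an https response) and 8.3 (http URLs rewritten to https), with no preload list or certificate handling. It shows why pointing the domain at a plain http server makes it unreachable for browsers holding the entry, why that http server cannot clear the entry itself, and the two ways the state goes away: serving `max-age=0` over https, or waiting for `max-age` to elapse.

```python
"""Simplified model of a browser's HSTS cache (RFC 6797) for the scenario above.
Added example, not part of the original message; the host name is constructed."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

HOST = "shop.example.test"  # constructed, not a real site


@dataclass
class HstsEntry:
    expires_at: float         # absolute time (seconds) at which the entry lapses
    include_subdomains: bool


def parse_sts(header: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value (RFC 6797 6.1). Returns None when
    max-age is missing, duplicated or non-numeric; unknown directives are ignored."""
    max_age, include_subdomains = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsCache:
    """Known HSTS hosts keyed by host name, as a user agent would hold them."""

    def __init__(self) -> None:
        self.entries: dict = {}

    def observe_response(self, host, scheme, sts_header, now) -> None:
        # RFC 6797 8.1: only an https response can set or clear HSTS state;
        # the header on a plain-http response is ignored entirely.
        if scheme != "https" or sts_header is None:
            return
        parsed = parse_sts(sts_header)
        if parsed is None:
            return
        if parsed["max_age"] == 0:
            self.entries.pop(host, None)   # max-age=0 deletes the known host
        else:
            self.entries[host] = HstsEntry(now + parsed["max_age"],
                                           parsed["include_subdomains"])

    def is_known_host(self, host, now) -> bool:
        """Exact match, or a superdomain match when includeSubDomains was set."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= now:
                continue   # unknown or already expired
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def effective_url(self, url, now) -> str:
        """RFC 6797 8.3: rewrite http to https (explicit port 80 to 443) for known hosts."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_host(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port is not None:
            netloc += f":{443 if parts.port == 80 else parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def run_scenario() -> dict:
    """Replay the thread's scenario and report what the browser does at each step."""
    cache, t0, year = HstsCache(), 1_000_000.0, 31_536_000
    # 1. The domain points at an https server that sets HSTS for a year.
    cache.observe_response(HOST, "https", f"max-age={year}; includeSubDomains", t0)
    # 2. The owner re-points the domain at a plain http server. The browser never
    #    sends the http request; it rewrites the URL, so the site is unreachable.
    later = t0 + 86_400
    upgraded = cache.effective_url(f"http://{HOST}/index.html", later)
    sub_upgraded = cache.effective_url(f"http://www.{HOST}:80/", later)
    # 3. The http server cannot undo this; its headers are never consulted.
    cache.observe_response(HOST, "http", "max-age=0", later)
    still_pinned = cache.is_known_host(HOST, later)
    # 4. Remedies: serve max-age=0 over https once, which deletes the entry, ...
    cache.observe_response(HOST, "https", "max-age=0", later)
    cleared = not cache.is_known_host(HOST, later)
    # ... or wait for max-age to lapse, here a full year with no https service.
    cache.observe_response(HOST, "https", f"max-age={year}", t0)
    expired = not cache.is_known_host(HOST, t0 + year + 1)
    return {"upgraded": upgraded, "sub_upgraded": sub_upgraded,
            "still_pinned": still_pinned, "cleared": cleared, "expired": expired}


if __name__ == "__main__":
    print(run_scenario())
```

The practical point for a domain owner is step 3 versus step 4: once a browser has stored the entry, nothing served over plain http is ever seen, so recovery requires either standing up https on the domain long enough to send `max-age=0`, or waiting out whatever `max-age` the previous operator chose. Note also that `includeSubDomains` extends the effect to every name under the host, so a one-line header on the apex can take down http-only subdomains as well.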