Re: HSTS Misuse

Dennis Olvany <dennisolvany@gmail.com> Mon, 23 May 2016 10:38 UTC

From: Dennis Olvany <dennisolvany@gmail.com>
Date: Mon, 23 May 2016 10:33:12 +0000
Message-ID: <CAATNdDxmM_-MfakHa6wguM0+aOtFmEr-yFaT+-yan0PRdSJCEg@mail.gmail.com>
To: Philipp Junghannß <teamhydro55555@gmail.com>, Solarus Lumenor <solarus@ultrawaves.fr>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <http://www.w3.org/mid/CAATNdDxmM_-MfakHa6wguM0+aOtFmEr-yFaT+-yan0PRdSJCEg@mail.gmail.com>

That is precisely the caveat, Philipp. If the server is not controlled by
the domain owner then there is the possibility that an HSTS implementation
could impact the domain owner's ability to repurpose the domain for non-SSL
service.

On Mon, May 23, 2016 at 6:16 AM Philipp Junghannß <teamhydro55555@gmail.com>
wrote:

> A DNS-based HSTS is a great idea, and when used with DNSSEC it gets even
> better because (obviously) nobody can try to forge headers.
>
> To address the issue of Dennis Olvany: the server (owned e.g. by some
> provider) IS using HTTPS but uses HSTS without the permission of the domain
> owner, which results in the scenario that he cannot use plaintext or mixed
> content when changing the server or repurposing the domain. That's what I
> think he means.
>
> 2016-05-23 11:49 GMT+02:00 Solarus Lumenor <solarus@ultrawaves.fr>:
>
>> On 2016-05-22 15:13, Dennis Olvany wrote:
>>
>>> I suppose third-party HSTS may be a good way to describe the scenario I
>>> propose. To be more clear, let's say that the HTTPS server is provided by a
>>> web hosting company and their customer is the domain owner.
>>
>> Hello.
>>
>> In my opinion it's a bad practice that should be avoided.
>>
>> For a given domain, an HTTPS server must only use HSTS if it serves
>> fully-encrypted content.
>> If it serves plain-text or mixed content for a domain that uses HSTS,
>> it's an error.
>>
>> If you want to redirect HTTPS connections to plain-text content then you
>> MUST NOT use HSTS on any of the servers or CDNs serving this domain.
>> If one or more Virtual Hosts activate HSTS on your domain, your clients
>> will be stuck for a while.
>>
>> As long as HSTS in DNS is not standardized or implemented, the domain
>> owner does not matter; it's only a server problem.
>>
>> Solarus
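The thread's concern, a third-party HTTPS host pinning a customer's domain with HSTS so that clients stay "stuck" after the domain is repointed to a plaintext service, can be made concrete with a small model of how a user agent keeps HSTS state. The following is an added example and not code from the mailing-list thread or from any of its participants: it parses a Strict-Transport-Security field value following RFC 6797, keeps a per-host cache of known HSTS hosts with expiry and includeSubDomains, and walks through two constructed scenarios. The host name `shop.example`, the timestamps and the header values are constructed sample data.

```python
"""HSTS header parser and a minimal model of a user agent's HSTS cache.

Added example, not from the HTTP WG thread. It models the scenario the
thread describes: a hosting provider's HTTPS server emits
Strict-Transport-Security for a customer's domain, and the domain owner
later wants to move the name to a plaintext-only service. All host names,
header values and timestamps are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# max-age directive; the value may be quoted per RFC 6797 section 6.1.1
_MAX_AGE_RE = re.compile(r'^max-age\s*=\s*"?(\d+)"?$', re.IGNORECASE)


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_sts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security field value.

    Returns None for an invalid header (missing or duplicated max-age),
    which a conforming UA ignores instead of applying.
    """
    max_age = None
    include_sub = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        m = _MAX_AGE_RE.match(directive)
        if m:
            if max_age is not None:
                return None  # duplicate max-age makes the header invalid
            max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            include_sub = True
        # unknown directives (e.g. preload) are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub)


class HstsCache:
    """Known HSTS hosts as a UA would store them: host -> (expiry, includeSubDomains)."""

    def __init__(self) -> None:
        self._hosts: Dict[str, Tuple[int, bool]] = {}

    def observe(self, host: str, over_tls: bool, header: Optional[str], now: int) -> None:
        # RFC 6797 section 8.1: the header only counts when received over TLS.
        if not over_tls or header is None:
            return
        policy = parse_sts(header)
        if policy is None:
            return
        if policy.max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 tells the UA to forget the host
            return
        self._hosts[host] = (now + policy.max_age, policy.include_subdomains)

    def must_use_tls(self, host: str, now: int) -> bool:
        """True if host, or a superdomain with includeSubDomains, is still pinned."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if now >= expiry:
                continue  # policy has aged out
            if i == 0 or include_sub:
                return True
        return False


DAY = 86400


def stuck_scenario() -> Tuple[bool, bool]:
    """Provider's server pins the domain; owner repoints to plaintext 30 days later."""
    ua = HstsCache()
    # Day 0: the hosting provider's HTTPS vhost emits a one-year policy.
    ua.observe("shop.example", True, "max-age=31536000; includeSubDomains", now=0)
    # Day 30: the domain now points at a plaintext-only server; no header reaches the UA.
    return (ua.must_use_tls("shop.example", 30 * DAY),
            ua.must_use_tls("www.shop.example", 30 * DAY))  # both True: clients are stuck


def clean_handover_scenario() -> bool:
    """Same start, but the HTTPS server clears the policy before the handover."""
    ua = HstsCache()
    ua.observe("shop.example", True, "max-age=31536000; includeSubDomains", now=0)
    # Day 15: while still reachable over HTTPS, the server sends max-age=0.
    ua.observe("shop.example", True, "max-age=0", now=15 * DAY)
    return ua.must_use_tls("shop.example", 30 * DAY)  # False: plaintext is allowed again


if __name__ == "__main__":
    print("stuck after repointing:", stuck_scenario())
    print("stuck after clean handover:", clean_handover_scenario())
```

The model shows why the domain owner's interests matter even though, as Solarus notes, the mechanism is purely a server-side header: the only way to release already-pinned clients early is to serve `max-age=0` from an HTTPS endpoint for the same host before it is decommissioned, and a host the owner does not control cannot be relied upon to do that. A header seen over plain HTTP is ignored by the cache, so the plaintext successor server cannot undo the pin itself.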