Re: HSTS Misuse

Philipp Junghannß <teamhydro55555@gmail.com> Sun, 22 May 2016 14:08 UTC

In-Reply-To: <CAATNdDzB=Dgtqmyj5mB_VE24kvi9Nqt-6f2tdL0fJsZS0HypNQ@mail.gmail.com>
References: <CAATNdDzB=Dgtqmyj5mB_VE24kvi9Nqt-6f2tdL0fJsZS0HypNQ@mail.gmail.com>
Date: Sun, 22 May 2016 16:03:12 +0200
Message-ID: <CACHSkNpx31zci8Kxv7LS85OJoJfuzC-hZx1RMzoiQ9-v4S=ObQ@mail.gmail.com>
From: Philipp Junghannß <teamhydro55555@gmail.com>
To: Dennis Olvany <dennisolvany@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <http://www.w3.org/mid/CACHSkNpx31zci8Kxv7LS85OJoJfuzC-hZx1RMzoiQ9-v4S=ObQ@mail.gmail.com>

Talking about HSTS misuse, we should not forget the so-called HSTS
supercookies, which obviously make no sense from a technical perspective,
but the point that HSTS can be used for tracking still stands.
What to do about that?

Unlike cookies, HSTS cannot be easily purged by the user.

On 22.05.2016 15:51, "Dennis Olvany" <dennisolvany@gmail.com> wrote:

> There is a section in the RFC that addresses DoS, but I am interested in a
> particular case. Let's posit that a domain owner directs their domain to an
> https server that returns an HSTS header without the domain owner's
> knowledge or consent. If the domain owner then directs their domain to an
> http server, the site will be unreachable from browsers that are caching
> HSTS. Has there been any discussion or guidance regarding this scenario?
> When is the implementation of HSTS considered to be inappropriate?
>
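As an added illustration (not part of the message above, and not any browser's actual code), here is a small Python model of the HSTS Known Host store from RFC 6797 that exercises both points raised in this thread: the "supercookie" write and read across per-bit subdomains, and the domain that stays pinned to HTTPS after its owner moves it back to plain HTTP. The host names (bitN.track.example, www.example) and the tracker's 8-bit ID are constructed for the example.

```python
"""Toy model of a browser's HSTS Known Host store (RFC 6797).

Added example for this thread, not code from the original message or any
browser.  Host names such as bit0.track.example and www.example are constructed.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value):
    """Parse a Strict-Transport-Security field value.

    Returns (max_age, include_subdomains), or None when the header must be
    ignored: max-age is REQUIRED (sec. 6.1); directive names are case-insensitive.
    """
    max_age, include_sub = None, False
    for raw in value.split(";"):
        name, _, val = raw.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """host -> (expiry, includeSubDomains); `now` is injectable for tests."""

    def __init__(self, now=time.time):
        self.now = now
        self.hosts = {}

    def process_response(self, host, scheme, headers):
        """Update the store from one response, as sec. 8.1 requires."""
        if scheme != "https":
            return  # STS received over insecure transport MUST be ignored (sec. 8.1)
        value = headers.get("Strict-Transport-Security")
        parsed = parse_sts(value) if value is not None else None
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 removes the Known Host entry
        else:
            self.hosts[host] = (self.now() + max_age, include_sub)

    def is_known(self, host):
        """True if host, or a superdomain with includeSubDomains, is a Known Host.
        Real browsers stop the superdomain walk at the public suffix; this toy does not."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry > self.now() and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url):
        """URI rewriting of sec. 8.3: http -> https for Known Hosts (explicit ports ignored)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


TRACKER_BITS = 8
ONE_YEAR = 31536000


def tracker_set_id(store, user_id):
    """Supercookie write: the tracker serves HSTS (over HTTPS, so it sticks)
    from bitN.track.example for every bit of user_id that is 1."""
    for n in range(TRACKER_BITS):
        if (user_id >> n) & 1:
            store.process_response(f"bit{n}.track.example", "https",
                                   {"Strict-Transport-Security": f"max-age={ONE_YEAR}"})


def tracker_read_id(store):
    """Supercookie read: the page embeds http://bitN.track.example/ resources;
    the browser upgrades exactly the pinned ones, so the scheme each request
    arrives on leaks the bit.  Clearing cookies leaves this state untouched."""
    user_id = 0
    for n in range(TRACKER_BITS):
        if store.rewrite(f"http://bit{n}.track.example/").startswith("https://"):
            user_id |= 1 << n
    return user_id


def stuck_domain_demo():
    """Dennis's scenario: the domain once pointed at an HTTPS host that set a
    long policy; the owner then moves it to a plain-HTTP server."""
    store = HstsStore()
    store.process_response("www.example", "https",
                           {"Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains"})
    stuck = store.rewrite("http://www.example/")  # browser still forces https
    # max-age=0 from the new HTTP server changes nothing (sec. 8.1) ...
    store.process_response("www.example", "http", {"Strict-Transport-Security": "max-age=0"})
    still_stuck = store.rewrite("http://www.example/")
    # ... only max-age=0 delivered over HTTPS clears the entry before it expires.
    store.process_response("www.example", "https", {"Strict-Transport-Security": "max-age=0"})
    cleared = store.rewrite("http://www.example/")
    return stuck, still_stuck, cleared


if __name__ == "__main__":
    s = HstsStore()
    tracker_set_id(s, 0xA5)
    print(hex(tracker_read_id(s)))
    print(stuck_domain_demo())
```

The practical caveat the model makes visible: a Known Host entry goes away only when its max-age elapses or when the same host serves `max-age=0` over HTTPS, because the header is ignored on plain HTTP. A domain owner in Dennis's position therefore has to stand up HTTPS on the domain at least once to unpin the browsers that cached the policy.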