Re: HSTS Misuse

Philipp Junghannß <teamhydro55555@gmail.com> Mon, 23 May 2016 10:15 UTC

From: Philipp Junghannß <teamhydro55555@gmail.com>
Date: Mon, 23 May 2016 12:10:10 +0200
Message-ID: <CACHSkNq4P3SPvE+XBWBPHLb5gaWcYNS0CFz8QNP+z7BUsM_TCA@mail.gmail.com>
To: Solarus Lumenor <solarus@ultrawaves.fr>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <http://www.w3.org/mid/CACHSkNq4P3SPvE+XBWBPHLb5gaWcYNS0CFz8QNP+z7BUsM_TCA@mail.gmail.com>

A DNS-based HSTS is a great idea, and when used with DNSSEC it gets even
better because (obviously) nobody can try to forge headers.

To address the issue of Dennis Olvany: the server (owned e.g. by some
provider) IS using HTTPS but uses HSTS without the permission of the domain
owner, which results in the scenario that he cannot use plaintext or mixed
content when changing the server or repurposing the domain. That's what I
think he means.

2016-05-23 11:49 GMT+02:00 Solarus Lumenor <solarus@ultrawaves.fr>:

> On 2016-05-22 15:13, Dennis Olvany wrote:
>
> I suppose third-party HSTS may be a good way to describe the scenario I
> propose. To be more clear, let's say that the https server is provided by a
> web hosting company and their customer is the domain owner.
>
> Hello.
>
> In my opinion it's a bad practice that should be avoided.
>
> For a given domain, an HTTPS server must only use HSTS if it serves
> fully encrypted content.
> If it serves plaintext or mixed content for a domain that uses HSTS, it's
> an error.
>
> If you want to redirect HTTPS connections to plaintext content then you
> MUST NOT use HSTS on any of the servers or CDNs serving this domain.
> If one or more Virtual Hosts activate HSTS on your domain, your clients
> will be stuck for a while.
>
> As long as HSTS in DNS is not standardized or implemented, the domain
> owner does not matter; it's only a server problem.
>
> Solarus
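To make the "clients will be stuck for a while" point concrete, here is an added example (not code from this thread or from any browser): a toy model of a user agent's Known HSTS Host list following RFC 6797, run through a constructed timeline in which a hosting provider's HTTPS vhost pins the made-up domain example.test and the owner later moves it to plaintext hosting. It also shows the one clean remediation the header itself offers: serving max-age=0 once over HTTPS.

```python
class HstsStore:
    """Toy model of a UA's Known HSTS Host list (RFC 6797), added to
    illustrate the thread; not the list's or any browser's own code."""
    def __init__(self):
        self.hosts = {}  # host -> (expiry time, includeSubDomains flag)

    def observe(self, host, header, now, over_tls):
        """Apply a Strict-Transport-Security header from a response.
        The header only counts when received over TLS (RFC 6797 section 8.1)."""
        if not over_tls or header is None:
            return
        directives = {}
        for part in header.split(";"):
            name, _, value = part.strip().partition("=")
            directives[name.lower()] = value.strip().strip('"')
        if not directives.get("max-age", "").isdigit():
            return  # max-age is mandatory; a malformed header is ignored
        max_age = int(directives["max-age"])
        if max_age == 0:
            self.hosts.pop(host, None)  # the documented way to un-pin a host
            return
        self.hosts[host] = (now + max_age, "includesubdomains" in directives)

    def must_use_https(self, host, now):
        """True if the UA would rewrite http://host to https:// right now."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or now >= entry[0]:
                continue  # unknown host or expired entry
            if i == 0 or entry[1]:  # exact match, or a superdomain with includeSubDomains
                return True
        return False

def hosting_provider_scenario():
    """Constructed timeline (in seconds): the hoster's HTTPS vhost pins
    example.test for a year; the owner later moves to plaintext hosting."""
    store, day = HstsStore(), 86400
    store.observe("example.test", "max-age=31536000; includeSubDomains", 0, True)
    stuck = store.must_use_https("example.test", 30 * day)          # True
    stuck_sub = store.must_use_https("shop.example.test", 30 * day)  # True
    # The new plaintext host cannot clear the pin: headers over http:// are ignored
    store.observe("example.test", "max-age=0", 31 * day, False)
    still_stuck = store.must_use_https("example.test", 31 * day)    # True
    # Remediation: serve max-age=0 over HTTPS once, then plaintext is allowed again
    store.observe("example.test", "max-age=0", 32 * day, True)
    cleared = store.must_use_https("example.test", 32 * day)        # False
    return stuck, stuck_sub, still_stuck, cleared
```

Without access to the old HTTPS vhost the owner's only other way out is to wait for max-age to expire, which is why the header should be set only with the domain owner's consent.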