Re: HSTS Misuse

Yoav Nir <> Tue, 24 May 2016 13:27 UTC

From: Yoav Nir <>
Date: Tue, 24 May 2016 16:17:09 +0300
Cc: Philipp Junghannß <>, Solarus Lumenor <>, HTTP Working Group <>
To: Dennis Olvany <>

On 23 May 2016, at 2:03 PM, Dennis Olvany <> wrote:

> For lack of some prior discussion of this caveat, it would be great to hear some opinions. While it is possible for a server provider to give the domain owner the choice to enable HSTS, I have concluded that it may be best for a third party to never implement HSTS on a domain owner's behalf. This would altogether prevent the caveat for an unwitting domain owner.

Sending an HSTS header makes a statement that this domain (possibly including subdomains) is HTTPS-only for up to max-age.

If I’m the administrator for the service and I’m configuring my own server then yes, I can make this statement.

If I’m providing the server as a service, whether I’m a CDN or just a hosting service, I would have to have a long talk with the customer to make sure they understand the benefits and implications (“If we set this header, it’s protecting you against some kinds of SSL stripping attacks, but you can’t revert to HTTP at will: you’ll have to wait for so many days”). I don’t think this matches the way of doing business for most CDNs and hosting services, except for their very large customers.
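The "you can't revert at will" point above comes straight from how a browser treats the header. The following is an added example, not code from this thread or from any browser: a small model of a user agent's HSTS policy cache following RFC 6797 (max-age, includeSubDomains, the rule that the header is only honoured over HTTPS, and removal via max-age=0). It goes slightly beyond the message by also showing the max-age=0 case. The host names, header values and timings are constructed for the walk-through.

```python
"""Model of a browser's HSTS cache (RFC 6797), added as an illustration.

Not code from the mailing-list thread; hosts, headers and timings below are
constructed. Times are plain seconds so the scenario runs offline.
"""
import re
from dataclasses import dataclass
from typing import Optional

DAY = 86400


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time after which the entry lapses
    include_subdomains: bool   # includeSubDomains directive present


def parse_sts(header: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security field value.

    Returns None when the header is invalid (no max-age, a duplicated
    max-age, or a non-numeric value). Unknown directives are ignored.
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}


class HstsCache:
    """Known HSTS Hosts, keyed by host name."""

    def __init__(self):
        self.known = {}

    def process_response(self, host: str, scheme: str, header: str, now: float) -> bool:
        """Apply an STS header from a response; returns True if it was honoured."""
        if scheme != "https":           # RFC 6797 8.1: ignore the header over plain HTTP
            return False
        parsed = parse_sts(header)
        if parsed is None:
            return False
        if parsed["max_age"] == 0:      # max-age=0 removes the host from the cache
            self.known.pop(host, None)
        else:
            self.known[host] = HstsPolicy(now + parsed["max_age"], parsed["include_subdomains"])
        return True

    def policy_for(self, host: str, now: float) -> Optional[HstsPolicy]:
        """Exact host match, or a superdomain entry carrying includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.known.get(candidate)
            if policy is None:
                continue
            if now >= policy.expires_at:   # lapsed entry: forget it
                del self.known[candidate]
                continue
            if i == 0 or policy.include_subdomains:
                return policy
        return None

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade an http:// URL when the host is a Known HSTS Host (8.3)."""
        m = re.match(r"http://([^/:]+)(:80)?(/.*)?$", url)
        if not m:
            return url
        host, path = m.group(1), m.group(3) or "/"
        if self.policy_for(host.lower(), now):
            return f"https://{host}{path}"
        return url


def hosting_provider_scenario() -> dict:
    """A provider sets HSTS for a customer; the customer later moves back to HTTP."""
    cache, t0, out = HstsCache(), 0.0, {}
    # Day 0: provider serves the customer's site over HTTPS with a 30-day policy.
    cache.process_response("example.com", "https", "max-age=2592000; includeSubDomains", t0)
    out["day10_root"] = cache.rewrite("http://example.com/login", t0 + 10 * DAY)
    out["day10_sub"] = cache.rewrite("http://www.example.com/", t0 + 10 * DAY)
    # Day 10: the site is now plain HTTP; a max-age=0 sent over HTTP is ignored.
    out["http_reset_accepted"] = cache.process_response("example.com", "http", "max-age=0", t0 + 10 * DAY)
    out["day11_root"] = cache.rewrite("http://example.com/", t0 + 11 * DAY)
    # Day 31: the policy has lapsed on its own.
    out["day31_root"] = cache.rewrite("http://example.com/", t0 + 31 * DAY)
    return out
```

The scenario shows the provider's dilemma in one place: until the entry lapses, every http:// URL for the domain and its subdomains is rewritten client-side, and a max-age=0 the customer serves over plain HTTP never reaches the cache. Only a response over a valid HTTPS connection can shorten or clear the policy, and only for clients that come back to receive it.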