Re: HSTS Misuse
Yoav Nir <ynir.ietf@gmail.com> Tue, 24 May 2016 13:27 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F12312D7FB for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 24 May 2016 06:27:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.447
X-Spam-Level:
X-Spam-Status: No, score=-8.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MWLgBUKcdK57 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 24 May 2016 06:27:04 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C3C612D7DC for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 24 May 2016 06:22:20 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1b5CDQ-0005cv-7H for ietf-http-wg-dist@listhub.w3.org; Tue, 24 May 2016 13:17:44 +0000
Resent-Date: Tue, 24 May 2016 13:17:44 +0000
Resent-Message-Id: <E1b5CDQ-0005cv-7H@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <ynir.ietf@gmail.com>) id 1b5CDL-0005bV-Fo for ietf-http-wg@listhub.w3.org; Tue, 24 May 2016 13:17:39 +0000
Received: from mail-wm0-f49.google.com ([74.125.82.49]) by lisa.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <ynir.ietf@gmail.com>) id 1b5CDK-00048D-2e for ietf-http-wg@w3.org; Tue, 24 May 2016 13:17:38 +0000
Received: by mail-wm0-f49.google.com with SMTP id a136so73469264wme.0 for <ietf-http-wg@w3.org>; Tue, 24 May 2016 06:17:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=fKrVDg59aDPI6u0uQoKbfwIBMWog2SNEcQmIxxu1im0=; b=cLxFfQ82s7cYPS59DvDGIG381Qb8OQ16ma/0SBtAtw9wT7yHI9TeL12IehX1gwRAli 0IkPsPo7SGurAUCGILZJ7S58UhpJu59kaHTJn0jkWFnFsS1gWvYmrQsvX8y2sY+A4bAo pzp0xFq8WD49aRc2tX//5rDoHOyYVAEuaroeVvRjuWBNcvaTtWXePWG02dFrISkzE/w6 EGZKRz7cMLvQF6cq/eivIdGL9So4OXSPUibtjWG5gSd3IWBrUUJFfYfzezZCEBhFaCsv oz1FaiKB0MIaOGWXoyUxRhwOF+3vPJQ0SUBFkqKHas/e2TVa1puzEDKBERadc7v0K55k ncYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=fKrVDg59aDPI6u0uQoKbfwIBMWog2SNEcQmIxxu1im0=; b=A4T04HKHoTArZpeY2bE32WCIPs2s8SRPPDx/885klw1wGfrjHkT+JK6Uetm47wDAHj 5SKCN8hS3mPnD+tT2ZEzZxus3Ow+QtH1ygXp5vhwW78A/pUbg7MBpDJoOBO1a5X9SSJd D5fQ4J5iG5vKk6L/T0tLlk1O8L0T859IO2HLCMY44tBU9auRlkBzOVNegaUYrB2Ec0bC 8HlyBKjqsojp/SJhN+MS79t4qeAfU3XFO8lOjOnJYJYB7wOoTTHLlkb2x4uGjI8QgiIy /cTfWu3WEkqcrcjswKkgfOTfhftaGIKuJI4g2v5N8NAPGClAD1c+sDJ5L1XL/7TjFKib KlSA==
X-Gm-Message-State: AOPr4FVL7MaJeRL5ejIskpgPNVGROpj3rj5ddJcx7qy/LydJ90LzhNxLY2bEq8sPnBYnuw==
X-Received: by 10.28.46.19 with SMTP id u19mr23053780wmu.98.1464095831688; Tue, 24 May 2016 06:17:11 -0700 (PDT)
Received: from [172.24.251.9] (dyn32-131.checkpoint.com. [194.29.32.131]) by smtp.gmail.com with ESMTPSA id 124sm6526672wml.12.2016.05.24.06.17.10 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 24 May 2016 06:17:11 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CAATNdDxy0aYvdc=KB3xgonoQOA-33zv2n1Y2U+9J7_teAye0ng@mail.gmail.com>
Date: Tue, 24 May 2016 16:17:09 +0300
Cc: Philipp Junghannß <teamhydro55555@gmail.com>, Solarus Lumenor <solarus@ultrawaves.fr>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <95D4CD18-FF6A-4FA5-AB42-8FEC201A86D8@gmail.com>
References: <CAATNdDzB=Dgtqmyj5mB_VE24kvi9Nqt-6f2tdL0fJsZS0HypNQ@mail.gmail.com> <CACHSkNpx31zci8Kxv7LS85OJoJfuzC-hZx1RMzoiQ9-v4S=ObQ@mail.gmail.com> <CAATNdDwUpXAvpZp-=L-mif2zDSkMjA6VtKv_hrCQZJQBmt0Ctg@mail.gmail.com> <7301d13860eca437fc01c21ace8d322a@ultrawaves.net> <CACHSkNq4P3SPvE+XBWBPHLb5gaWcYNS0CFz8QNP+z7BUsM_TCA@mail.gmail.com> <CAATNdDxmM_-MfakHa6wguM0+aOtFmEr-yFaT+-yan0PRdSJCEg@mail.gmail.com> <CACHSkNq4JpETZvB+M4bJNq7CtGfizsfaNLNABO62D_YMHbOPKQ@mail.gmail.com> <CAATNdDxy0aYvdc=KB3xgonoQOA-33zv2n1Y2U+9J7_teAye0ng@mail.gmail.com>
To: Dennis Olvany <dennisolvany@gmail.com>
X-Mailer: Apple Mail (2.3124)
Received-SPF: pass client-ip=74.125.82.49; envelope-from=ynir.ietf@gmail.com; helo=mail-wm0-f49.google.com
X-W3C-Hub-Spam-Status: No, score=-5.4
X-W3C-Hub-Spam-Report: AWL=-0.710, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1b5CDK-00048D-2e 46b8c8eac35a4f3d32c250c587e867e9
X-Original-To: ietf-http-wg@w3.org
Subject: Re: HSTS Misuse
Archived-At: <http://www.w3.org/mid/95D4CD18-FF6A-4FA5-AB42-8FEC201A86D8@gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31663
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On 23 May 2016, at 2:03 PM, Dennis Olvany <dennisolvany@gmail.com> wrote: > For lack of some prior discussion of this caveat, it would be great to hear some opinions. While it is possible for a server provider to give the domain owner the choice to enable hsts, I have concluded that it may be best for a 3rd party to never implement hsts on a domain owner's behalf. This would altogether prevent the caveat for an unwitting domain owner. Sending an HSTS header makes a statement that this domain (possibly including subdomains) is HTTPS-only for up to max-age. If I’m the administrator for the service and I’m configuring my own server then yes, I can make this statement. If I’m providing the server as a service, whether I’m a CDN or just a hosting service, I would have to have a long talk with the customer to make sure they understand the benefits and implications (“If we set this header, it’s protecting you against some kinds of SSL stripping attacks, but you can’t revert to HTTP at will: you’ll have to wait for so many days”) I don’t think this matches the way of doing business for most CDNs and hosting services, except for their very large customers. Yoav
- Re: HSTS Misuse Dennis Olvany
- HSTS Misuse Dennis Olvany
- Re: HSTS Misuse Philipp Junghannß
- Re: HSTS Misuse Solarus Lumenor
- Re: HSTS Misuse Solarus Lumenor
- Re: HSTS Misuse Philipp Junghannß
- Re: HSTS Misuse Philipp Junghannß
- Re: HSTS Misuse Dennis Olvany
- Re: HSTS Misuse Philipp Junghannß
- Re: HSTS Misuse Dennis Olvany
- Re: HSTS Misuse Yoav Nir
- Re: HSTS Misuse Yoav Nir
- Re: HSTS Misuse Patrick McManus