[websec] [HSTS] Contradiction between sections 8.1 and 11.3 of RFC 6797?

Stephane Bortzmeyer <bortzmeyer@nic.fr> Wed, 17 December 2014 13:57 UTC

Return-Path: <bortzmeyer@nic.fr>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF8321A8A8B for <websec@ietfa.amsl.com>; Wed, 17 Dec 2014 05:57:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.56
X-Spam-Level:
X-Spam-Status: No, score=-1.56 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j1Ytn4tJ_3X1 for <websec@ietfa.amsl.com>; Wed, 17 Dec 2014 05:57:31 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B2D51A1AA4 for <websec@ietf.org>; Wed, 17 Dec 2014 05:57:31 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id B733A280285; Wed, 17 Dec 2014 14:57:29 +0100 (CET)
Received: from relay1.nic.fr (relay1.nic.fr [192.134.4.162]) by mx4.nic.fr (Postfix) with ESMTP id B1359280151; Wed, 17 Dec 2014 14:57:29 +0100 (CET)
Received: from bortzmeyer.nic.fr (unknown [IPv6:2001:67c:1348:7::86:133]) by relay1.nic.fr (Postfix) with ESMTP id AE53C4C007C; Wed, 17 Dec 2014 14:56:59 +0100 (CET)
Date: Wed, 17 Dec 2014 14:56:59 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: websec@ietf.org, Jeff.Hodges@PayPal.com, collin.jackson@sv.cmu.edu, ietf@adambarth.com
Message-ID: <20141217135659.GA4781@nic.fr>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Operating-System: Debian GNU/Linux 8.0
X-Kernel: Linux 3.16.0-4-686-pae i686
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/2xzc5RlpZIpC90zdR0YCZezWS_o
X-Mailman-Approved-At: Wed, 17 Dec 2014 06:26:43 -0800
Cc: bortzmeyer@nic.fr
Subject: [websec] [HSTS] Contradiction between sections 8.1 and 11.3 of RFC 6797?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Dec 2014 13:57:33 -0000

[I'm not subscribed to the websec working group so please copy me when
replying.]

I don't know how to read section 11.3 of RFC 6797. It says "If all
four of the following conditions are true... [self-signed
certificates...]  ...then secure connections to that site will fail,
per the HSTS design." It seems to imply that adding a
Strict-Transport-Security: header to a site which has a self-signed
certificate is an error.

But section 8.1 says that the Strict-Transport-Security: will be
ignored if the HTTPS session is not secured (for instance because the
client uses a self-signed cert, section 8.1 says the header will be
accepted only "if there are no underlying secure transport errors or
warnings"). So, it seems that adding Strict-Transport-Security: is
useless (they will be ignored, per section 8.1) but not an error.

I checked with the Chromium browser "Version 20.0.1132.47 Ubuntu 12.04
(144678)" and a HTTPS site signed by CAcert.org (unknown CA for most
browsers) and, indeed, Chromium ignores the HSTS header and accepts to
use HTTP. Once CAcert.org cert is added, Chromium accepts the HSTS
header and uses only HTTPS. So, it seems the Chromium programmers
decided to ignore section 11.3?