[websec] [HSTS] Contradiction between sections 8.1 and 11.3 of RFC 6797?
Stephane Bortzmeyer <bortzmeyer@nic.fr> Wed, 17 December 2014 13:57 UTC
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF8321A8A8B for <websec@ietfa.amsl.com>; Wed, 17 Dec 2014 05:57:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.56
X-Spam-Level:
X-Spam-Status: No, score=-1.56 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j1Ytn4tJ_3X1 for <websec@ietfa.amsl.com>; Wed, 17 Dec 2014 05:57:31 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B2D51A1AA4 for <websec@ietf.org>; Wed, 17 Dec 2014 05:57:31 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id B733A280285; Wed, 17 Dec 2014 14:57:29 +0100 (CET)
Received: from relay1.nic.fr (relay1.nic.fr [192.134.4.162]) by mx4.nic.fr (Postfix) with ESMTP id B1359280151; Wed, 17 Dec 2014 14:57:29 +0100 (CET)
Received: from bortzmeyer.nic.fr (unknown [IPv6:2001:67c:1348:7::86:133]) by relay1.nic.fr (Postfix) with ESMTP id AE53C4C007C; Wed, 17 Dec 2014 14:56:59 +0100 (CET)
Date: Wed, 17 Dec 2014 14:56:59 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: websec@ietf.org, Jeff.Hodges@PayPal.com, collin.jackson@sv.cmu.edu, ietf@adambarth.com
Message-ID: <20141217135659.GA4781@nic.fr>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
X-Operating-System: Debian GNU/Linux 8.0
X-Kernel: Linux 3.16.0-4-686-pae i686
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/2xzc5RlpZIpC90zdR0YCZezWS_o
X-Mailman-Approved-At: Wed, 17 Dec 2014 06:26:43 -0800
Cc: bortzmeyer@nic.fr
Subject: [websec] [HSTS] Contradiction between sections 8.1 and 11.3 of RFC 6797?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Dec 2014 13:57:33 -0000
[I'm not subscribed to the websec working group so please copy me when replying.] I don't know how to read section 11.3 of RFC 6797. It says "If all four of the following conditions are true... [self-signed certificates...] ...then secure connections to that site will fail, per the HSTS design." It seems to imply that adding a Strict-Transport-Security: header to a site which has a self-signed certificate is an error. But section 8.1 says that the Strict-Transport-Security: will be ignored if the HTTPS session is not secured (for instance because the client uses a self-signed cert, section 8.1 says the header will be accepted only "if there are no underlying secure transport errors or warnings"). So, it seems that adding Strict-Transport-Security: is useless (they will be ignored, per section 8.1) but not an error. I checked with the Chromium browser "Version 20.0.1132.47 Ubuntu 12.04 (144678)" and a HTTPS site signed by CAcert.org (unknown CA for most browsers) and, indeed, Chromium ignores the HSTS header and accepts to use HTTP. Once CAcert.org cert is added, Chromium accepts the HSTS header and uses only HTTPS. So, it seems the Chromium programmers decided to ignore section 11.3?
- [websec] [HSTS] Contradiction between sections 8.… Stephane Bortzmeyer
- Re: [websec] [HSTS] Contradiction between section… David Keeler
- Re: [websec] [HSTS] Contradiction between section… Stephane Bortzmeyer
- Re: [websec] [HSTS] Contradiction between section… Daniel Kahn Gillmor