[websec] HSTS: Infinite max-age to address NTP spoofing attack?

Xiaoyin Liu <xiaoyin.l@outlook.com> Fri, 07 November 2014 06:56 UTC

Return-Path: <xiaoyin.l@outlook.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 038051ACEF5 for <websec@ietfa.amsl.com>; Thu, 6 Nov 2014 22:56:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.8
X-Spam-Level: *
X-Spam-Status: No, score=1.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FREEMAIL_FROM=0.001, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.998, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id xHmD9EhQbywJ for <websec@ietfa.amsl.com>; Thu, 6 Nov 2014 22:56:57 -0800 (PST)
Received: from BAY004-OMC1S16.hotmail.com (bay004-omc1s16.hotmail.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 878101A1A6D for <websec@ietf.org>; Thu, 6 Nov 2014 22:56:57 -0800 (PST)
Received: from BAY180-W65 ([]) by BAY004-OMC1S16.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.22751); Thu, 6 Nov 2014 22:56:57 -0800
X-TMN: [CYJmumVmTp6kTvA2HSOanq76SHL/R84D]
X-Originating-Email: [xiaoyin.l@outlook.com]
Message-ID: <BAY180-W65945DCD6DB8531AB08F2BFF850@phx.gbl>
Content-Type: multipart/alternative; boundary="_d96793a6-5a22-49d4-ac03-13467988ad22_"
From: Xiaoyin Liu <xiaoyin.l@outlook.com>
To: "websec@ietf.org" <websec@ietf.org>
Date: Fri, 7 Nov 2014 01:56:57 -0500
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 07 Nov 2014 06:56:57.0470 (UTC) FILETIME=[059439E0:01CFFA58]
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/6jUTYElPw_TukEdyXyMho26h4Bo
Subject: [websec] HSTS: Infinite max-age to address NTP spoofing attack?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Nov 2014 07:00:43 -0000

 I recently read the slides "Bypassing HTTP Strict Transport Security" by 
Jose Selvi.[1] It seems to me that one way to address NTP spoofing attack 
on HSTS is to allow sites to specify HSTS policies that never expire (i.e. 
infinite max-age), so that the enforcement of HSTS does not depend on the 
system time.
So I want to propose a update to RFC 6797 to define a new directive called 
"infinite" (or something else). When a UA sees this directive, max-age 
should be ignored and HSTS should always be enforced until users clear the 
cache or the server sends a valid STS header without "infinite" directive.
The new header field will look like:
  Strict-Transport-Security: max-age=31536000; infinite
Of course, many websites will be unwilling to set infinite max-age, so this 
attack is not completely addressed. However, I think this new directive 
should help a lot, because some websites, especially those that need to 
send and receive sensitive information, such as online banking, are very 
unlikely to revert to HTTP in the future. Also, a very long max-age, such 
as 20 years used by Twitter, is effectively infinite, but long max-age is 
subject to the NTP attack, while an explicit "infinite" is not.
Any comments on this? Thanks!
[1] https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf