Re: [websec] HSTS: max-age=0 interacting with includeSubdomains

Adam Barth <ietf@adambarth.com> Tue, 21 August 2012 22:41 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DC9611E8091 for <websec@ietfa.amsl.com>; Tue, 21 Aug 2012 15:41:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.947
X-Spam-Level:
X-Spam-Status: No, score=-2.947 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0k1HYAGJHoM6 for <websec@ietfa.amsl.com>; Tue, 21 Aug 2012 15:41:45 -0700 (PDT)
Received: from mail-qa0-f44.google.com (mail-qa0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id AACE311E808D for <websec@ietf.org>; Tue, 21 Aug 2012 15:41:45 -0700 (PDT)
Received: by qadb17 with SMTP id b17so3959924qad.10 for <websec@ietf.org>; Tue, 21 Aug 2012 15:41:45 -0700 (PDT)
Received: by 10.224.32.205 with SMTP id e13mr12050540qad.69.1345588905176; Tue, 21 Aug 2012 15:41:45 -0700 (PDT)
Received: from mail-vb0-f44.google.com (mail-vb0-f44.google.com [209.85.212.44]) by mx.google.com with ESMTPS id ea5sm2057800qab.2.2012.08.21.15.41.43 (version=SSLv3 cipher=OTHER); Tue, 21 Aug 2012 15:41:44 -0700 (PDT)
Received: by vbbez10 with SMTP id ez10so391112vbb.31 for <websec@ietf.org>; Tue, 21 Aug 2012 15:41:43 -0700 (PDT)
Received: by 10.52.90.104 with SMTP id bv8mr3241105vdb.102.1345588903362; Tue, 21 Aug 2012 15:41:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.58.64.169 with HTTP; Tue, 21 Aug 2012 15:41:13 -0700 (PDT)
In-Reply-To: <1490899566.2661542.1345584612752.JavaMail.root@mozilla.com>
References: <CAJE5ia9+jNNpSx6D4wCDVWSM0RhqgHLa8d+_ctGv6wAc_qhj7w@mail.gmail.com> <1490899566.2661542.1345584612752.JavaMail.root@mozilla.com>
From: Adam Barth <ietf@adambarth.com>
Date: Tue, 21 Aug 2012 15:41:13 -0700
Message-ID: <CAJE5ia9pL0O_bi73V9SG7pisTp9MdCa2meZb_1SVym+7-tDGuw@mail.gmail.com>
To: Brian Smith <bsmith@mozilla.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: websec@ietf.org
Subject: Re: [websec] HSTS: max-age=0 interacting with includeSubdomains
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2012 22:41:46 -0000

On Tue, Aug 21, 2012 at 2:30 PM, Brian Smith <bsmith@mozilla.com> wrote:
> Adam Barth wrote:
>> > FWIW, in Firefox we are also going to honor max-age=0 as a
>> > mechanism to disable the entries in our pre-loaded HSTS list that
>> > will ship in the browser.
>>
>> How long do you plan to cache the disable?
>
> Initially: until we receive an HSTS header with max-age > 0 for the site, or until the user clears the dynamic HSTS database in a way that removes the dynamic HSTS information (e.g. by using "Clear Recent History"), to reset back to the "as shipped" state.

Interesting.  I wonder if that's something Chrome should do as well.
Let me ask agl for his thoughts.

Thanks,
Adam