[websec] Notes from an HSTS Meetup (Sep. 2016)

"Hodges, Jeff" <jeff.hodges@paypal.com> Fri, 20 January 2017 21:18 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/websec/CDAKIw0S81tmCAYGiwZbLUy5_5c>
Cc: Lucas Garron <lgarron@google.com>

[ fwd'g on Lucas' behalf... ]

From:  Lucas Garron <lgarron@google.com>
Date:  Thursday, January 19, 2017 at 5:03 PM
To:  IETF WebSec List <websec@ietf.org>, W3C Web App Security WG <public-webappsec@w3.org>
Subject:  Notes from an HSTS Meetup (Sep. 2016)


Hi all,

Last September I organized an HSTS meetup, and I'd like to share public notes
of what we discussed: bit.ly/hsts-meetup-notes
<https://docs.google.com/document/d/1d21wtTCQ-a6vN7yDwyhLkuBpgmLoJCKMI7aRrXNBIbI/edit#>

Most major browsers had at least one participant, and since I currently
maintain the Chromium HSTS preload list <https://hstspreload.org/>, I set
roughly half the agenda to discuss the HSTS preload list.

Some highlights:

* We collectively documented the HSTS preload list processes
<https://docs.google.com/document/d/1d21wtTCQ-a6vN7yDwyhLkuBpgmLoJCKMI7aRrXNBIbI/edit#heading=h.gpm9zj53wbk5>
for Mozilla, Microsoft, Chrome, Opera, and Safari in one place for the first
time. I also made slides documenting the Chromium preload list submission
process:
<https://docs.google.com/presentation/d/1TdSPLBqkeSGZ3mFO6bSpHaRKKwPVDzU_xVc7q5vdHrY/edit#slide=id.p>


* The HSTS preload list has roughly two major issues: stale/removed
entries, and potentially very large growth in the near future. To help
address this, most browsers could support out-of-band updates
<https://docs.google.com/document/d/1d21wtTCQ-a6vN7yDwyhLkuBpgmLoJCKMI7aRrXNBIbI/edit#bookmark=id.5gjn9r3a8p80>
if it becomes necessary. (In fact, it seems Firefox just implemented this
<https://twitter.com/rlbarnes/status/819640097972822020>.)

* Firefox has implemented HSTS priming
<https://docs.google.com/document/d/1d21wtTCQ-a6vN7yDwyhLkuBpgmLoJCKMI7aRrXNBIbI/edit#heading=h.vpdezmng8pxs>,
which addresses the fact that HSTS on its own does not prevent mixed
content. Chrome is interested in implementing this, too. :-)

* Related topics: history of HSTS, HSTS history leaks and supercookies,
how to handle demand for content filtering when HTTPS is common, how to
get to a place where the web can be HTTPS by default, how to switch entire
TLDs to HTTPS, how to prevent developers from accidentally preloading.


(One planned topic that we didn't end up discussing much at the meetup was
standardizing the `preload` directive used by hstspreload.org
<http://hstspreload.org>)


Based on the discussions, I am also planning to make several changes to
https://hstspreload.org <https://hstspreload.org> in the near future:

* Automatically handle removal requests and prune stale entries
<https://bugs.chromium.org/p/chromium/issues/detail?id=608599> using
daily scans <https://github.com/chromium/hstspreload.org/issues/35>.

* Once we're confident the pruning process keeps the list up-to-date,
get all browsers to draw from the same source of truth
<https://github.com/chromium/hstspreload.org/issues/76> instead of
filtering each other's lists. (This can reduce delays for new/removed
entries by several months.)

* Possibly raise the submission requirements
<https://hstspreload.org/#submission-requirements> to a minimum max-age of
1 year
<https://docs.google.com/document/d/1d21wtTCQ-a6vN7yDwyhLkuBpgmLoJCKMI7aRrXNBIbI/edit#bookmark=id.s9cg5xbp1r1m>.

martijnc@ has also been contributing changes
<https://bugs.chromium.org/p/chromium/issues/detail?id=595493> to Chromium
that will make my life as maintainer easier. :-)


Apologies for the delay if anyone was waiting on this. I had a lot of
non-HSTS work to do last quarter, but I've started work on hstspreload.org
<http://hstspreload.org> for the bullet points above, and plan to dedicate
a significant amount to this in early 2017.


Many thanks to all the meetup participants for a productive day with
insights about everyone's concerns and priorities. :-)

Cheers,
»Lucas

On Mon, Nov 14, 2016 at 9:43 PM Emily Stark <estark@google.com> wrote:


Adding Lucas, who organized the meetup. I know he's planning to share
notes eventually though I don't know if they're ready for consumption
yet.

On Tue, Nov 15, 2016 at 4:08 AM, John Wilander <wilander@apple.com> wrote:
> Hi WebAppSec!
>
> I know there was an HSTS meetup in San Francisco on 9/30, organized by
> Google. Challenges with HSTS preload were one of the topics (see for
> instance requests for removal). Could we get a summary + any action points
> sent here? Or maybe there's already a thread on some other mailing list?
> Thanks!
>
> I know HSTS doesn't fall under our working group but it relates with UIR
> and we should follow what happens.
>
>    Regards, John
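The submission requirements Lucas mentions above (a minimum max-age, with a 1-year value proposed) can be checked mechanically against a site's Strict-Transport-Security header. The following is an added example, not code from hstspreload.org or the Chromium project; it assumes the includeSubDomains and preload directives are also required, and takes 31536000 seconds as the 1-year threshold.

```python
"""Validate a Strict-Transport-Security header value against preload
submission checks.  Added example, not hstspreload.org code: the 1-year
max-age minimum is the value proposed in the meetup notes, and the
includeSubDomains/preload requirements are assumed for this example."""
import re

ONE_YEAR = 31536000  # seconds; proposed minimum max-age for submission

def parse_hsts(header):
    """Parse an STS header value (RFC 6797 syntax) into a dict mapping
    lower-cased directive name to value (None for valueless directives).
    Values may be quoted; a directive appearing twice makes the header
    invalid, which RFC 6797 tells user agents to ignore entirely."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if sep else None
        if name in directives:
            raise ValueError("duplicate directive: %s" % name)
        directives[name] = value
    return directives

def preload_problems(header):
    """Return the list of reasons this header would fail the (assumed)
    preload checks; an empty list means the header is eligible."""
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age missing or not an integer")
    elif int(max_age) < ONE_YEAR:
        problems.append("max-age %s is below the %d second minimum"
                        % (max_age, ONE_YEAR))
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems

if __name__ == "__main__":
    # Constructed sample headers: one eligible, one with a short max-age.
    for h in ("max-age=31536000; includeSubDomains; preload",
              "max-age=10886400; includeSubDomains; preload"):
        print(h, "->", preload_problems(h) or "eligible")
```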