Re: [websec] Notes from an HSTS Meetup (Sep. 2016)

Eric Mill <eric.mill@gsa.gov> Fri, 20 January 2017 19:31 UTC

From: Eric Mill <eric.mill@gsa.gov>
Date: Fri, 20 Jan 2017 14:30:39 -0500
Message-ID: <CAC7uhV_NUo4ZrWAWLSkyvWOB=ZqP0jtVDzs8iHtbFqcCa6tSRQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Lucas Garron <lgarron@google.com>, websec <websec@ietf.org>
Subject: Re: [websec] Notes from an HSTS Meetup (Sep. 2016)

On Fri, Jan 20, 2017 at 1:52 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Jan 20, 2017 at 7:38 PM, Eric Mill <eric.mill@gsa.gov> wrote:
> > It's a novel approach, and potentially could serve as a model for other TLDs
> > or suffixes -- so if folks have any feedback or suggestions about this
> > effort, it'd be welcome and timely.
>
> Is the reverse not possible? Where everything .gov is HSTS, unless
> it's on an HTTP-safelist? Or would that list still be way longer?
>

The reverse is certainly possible, but not right away. This change
currently only includes a subset of the .gov user base -- executive branch
agencies, which currently represent ~1,100 of the total ~5,600 .gov
domains.

The .gov TLD is also used for legislative branch and judicial branch
agencies (~200 domains), as well as state, city, county, and other local
entities (~4,000 domains), as well as native tribal governments (~170
domains). (Estimates, the numbers don't add up exactly.)

If GSA at some point extends the practice to include those other entities,
it would then become feasible to tell browsers "preload *.gov, _except_ for
these X,X00 domains", where the X,X00 domains represent the existing legacy
non-preloaded .gov domains at that time across all parts of the user base.
Then the TLD could focus on just deleting legacy non-preloaded entries from
the list over time, instead of adding new entries to the list.

However, to take that kind of step, clients that use preload lists would
also need to support the idea of "carveouts". This has come up before for
second-level domains (e.g. preload "facebook.com" except for these old
subdomains), and there seemed to be pretty broad consensus that list
operators don't want to support that. It might be a different value
proposition if applied to top-level domains and public suffixes, though.

-- Eric





-- 
Eric Mill
Senior Advisor on Technology
Technology Transformation Service, GSA
eric.mill@gsa.gov, +1-617-314-0966
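As an added illustration (not code from this thread, and not how any browser's preload list is actually implemented), here is how a client could evaluate the "preload *.gov, except for these legacy domains" model discussed above. Suffix-level entries and carveouts are hypothetical constructs the thread says list operators have so far declined to support, the domain names are constructed, and the most specific entry wins.

```python
# Added example: per-domain preload entries plus a hypothetical suffix entry
# ("preload *.gov") with carveouts for legacy non-preloaded domains.
from dataclasses import dataclass, field


@dataclass
class PreloadList:
    # Ordinary entries preloaded with includeSubDomains, e.g. "example.gov".
    domains: set = field(default_factory=set)
    # Hypothetical suffix-level entries: "gov" means "preload *.gov".
    suffixes: set = field(default_factory=set)
    # Hypothetical carveouts: legacy domains exempted from a suffix entry,
    # together with everything beneath them.
    carveouts: set = field(default_factory=set)

    def is_preloaded(self, host: str) -> bool:
        """Walk from the full host up to the TLD; the most specific match wins."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return True   # an explicit entry beats any carveout above it
            if candidate in self.carveouts:
                return False  # a carveout exempts this name and its subdomains
            if candidate in self.suffixes:
                return True   # reached a preloaded suffix with no carveout
        return False


def carveouts_for(suffix: str, all_domains, preloaded) -> set:
    """Legacy domains that would need carveouts if `suffix` were preloaded:
    every registered domain under the suffix that is not itself preloaded."""
    under = {d for d in all_domains if d.endswith("." + suffix)}
    return under - set(preloaded)


# Constructed sample data, not real .gov registrations.
ALL_GOV = {"new-agency.gov", "legacy-city.gov", "legacy-county.gov"}
PRELOADED = {"new-agency.gov"}
HYPOTHETICAL_LIST = PreloadList(
    # One legacy registrant has opted a single subdomain in on its own.
    domains=PRELOADED | {"secure.legacy-county.gov"},
    suffixes={"gov"},
    carveouts=carveouts_for("gov", ALL_GOV, PRELOADED),
)

if __name__ == "__main__":
    for h in ["www.new-agency.gov", "brand-new.gov", "app.legacy-county.gov",
              "secure.legacy-county.gov", "example.com"]:
        print(h, HYPOTHETICAL_LIST.is_preloaded(h))
```

Note that a brand-new .gov registration is preloaded without any list change, while a new legacy carveout still requires an edit, which is the reversal of today's allowlist maintenance burden.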