Re: [websec] #7: clarify and add examples/justification wrt connection termination due to tls warnings/errors
"websec issue tracker" <trac+websec@trac.tools.ietf.org> Fri, 08 July 2011 23:01 UTC
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B58521F8C6D for <websec@ietfa.amsl.com>; Fri, 8 Jul 2011 16:01:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level:
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QSzjwtqHznEw for <websec@ietfa.amsl.com>; Fri, 8 Jul 2011 16:01:14 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (zinfandel.tools.ietf.org [IPv6:2001:1890:1112:1::2a]) by ietfa.amsl.com (Postfix) with ESMTP id B485521F8C68 for <websec@ietf.org>; Fri, 8 Jul 2011 16:01:14 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1QfK2s-0008A4-La; Fri, 08 Jul 2011 16:01:14 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: websec issue tracker <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 08 Jul 2011 23:01:14 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/7#comment:1
Message-ID: <079.0f97f4dca4a81aec11be538df5f4f6be@trac.tools.ietf.org>
References: <070.70d4f97ece5def5d52ae93f9d858bdc2@trac.tools.ietf.org>
X-Trac-Ticket-ID: 7
In-Reply-To: <070.70d4f97ece5def5d52ae93f9d858bdc2@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
Cc: websec@ietf.org
Subject: Re: [websec] #7: clarify and add examples/justification wrt connection termination due to tls warnings/errors
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 23:01:15 -0000
#7: clarify and add examples/justification wrt connection termination due to tls warnings/errors Comment(by jeff.hodges@…): see also.... http://www.ietf.org/mail-archive/web/websec/current/msg00063.html Subject: Re: [websec] Some questions about HSTS From: Adam Barth <ietf@adambarth.com> Date: Mon, 22 Nov 2010 22:06:24 -0800 To: Yoav Nir <ynir@checkpoint.com> Cc: "websec@ietf.org" <websec@ietf.org> (text/plain) On Mon, Nov 22, 2010 at 9:46 PM, Yoav Nir <ynir@checkpoint.com> wrote: > Taking both your answers together, suppose I have a web server with a corporate or self-signed certificate, which is OK, as I expect all my users to approve an exception (as it's called in Firefox). I turn on HSTS because I'm worried about them being duped by a fake server using HTTP. To me, HSTS reduces the attack surface by making them dupable only on the first ever connect. Then, as it turns out, a certain browser breaks the connection when connecting from outside the organization, because the CDP is not available. Fine, I turn off HSTS, but because the cache is untouched, the users will get intermittent connectivity problems for three more months. I don't recommend using HSTS with self-signed certificates. In this scenario, I'd recommend the corporation install a root certificate in all machines owned by the corporation and then use that root certificate to issue whatever other certificates the corporation needs. > I agree with Marsh, that this is too much of scope creep. It makes sense for a big website like paypal, amazon or gmail to want strict enforcement on the client. But smaller websites don't have the IT department of such companies, and often let their certificates expire. In their case, having HSTS on would cause a lot of trouble on certificate expiry day. Folks are already in for a headache if they let their certificates expire. They'll get big nasty warnings in either case. The difference is only whether those warnings will let the user ignore them. If you don't think your organization is sufficiently competent to schedule a reminder to update its certificates, then I don't recommend using HSTS. > The use case that I am interested in is not a big commercial website, but rather an SSL-VPN portal. These have two relevant properties: They come pre-packaged, and they're SSL-only. It is up to the customer to get a certificate, or generate a self-signed one. I would have liked to have HSTS on by default for such a product, but if that means that customers with self-signed certificates or corporate certificates get long-lasting connectivity problems, I can't justify that. Indeed. Please don't use HSTS with self-signed certificates. HSTS is a feature for well-maintained web sites that have a need for strong security. The reason we designed HSTS was to differentiate between sites that actually want strong security and sites that are using TLS but don't have strong security needs. If you don't need strong security, you don't need HSTS (and the additional careful administration it requires). > Sure, I can have a configuration flag for whether or not we should have the header, but administrators tend to configure those wrong just as much as users tend to click through dangerous screens. I don't think user agents should offer such a configuration flag. > What do the current implementations (Chrome, Firefox) do? They do what the spec says. TLS errors on HSTS hosts are treated as fatal errors, much like the host's DNS name not resolving. There is no recourse except to reload the page. Adam ### http://www.ietf.org/mail-archive/web/websec/current/msg00304.html Subject: Re: [websec] Decouple HSTS's two orthogonal effects? From: Adam Barth <ietf@adambarth.com> Date: Tue, 29 Mar 2011 13:58:08 -0700 To: websec@ietf.org (text/plain) There's no coupling between HSTS and the particular algorithm a UA uses to verify certificates. The UA is free to use whatever verification mechanism it desires. You can remove whatever CAs you consider sloppy from the list of trusted certificate authorities and add in whatever other verification mechanism you like. For example, if/when certificate verification through DNSSEC becomes widespread, we won't need to change anything about the HSTS spec. Of course, we'll need to change our implementations, but that's true regardless of what the HSTS spec says. Adam -- -------------------------------------------+-------------------------------- Reporter: jeff.hodges@… | Owner: =JeffH Type: defect | Status: new Priority: major | Milestone: Component: strict-transport-sec | Version: Severity: Active WG Document | Keywords: -------------------------------------------+-------------------------------- Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/7#comment:1> websec <http://tools.ietf.org/websec/>
- [websec] #7: clarify and add examples/justificati… websec issue tracker
- Re: [websec] #7: clarify and add examples/justifi… websec issue tracker
- Re: [websec] #7: clarify and add examples/justifi… websec issue tracker