Re: [websec] draft-ietf-websec-strict-transport-sec and WebFinger

=JeffH <> Fri, 05 October 2012 18:27 UTC

Date: Fri, 05 Oct 2012 11:27:20 -0700
From: =JeffH <>
To: "Paul E. Jones" <>
Cc: IETF WebSec WG <>, 'Gonzalo Salgueiro' <>
List-Id: Web Application Security Minus Authentication and Transport <>

> Specifically, it is the use of a 301 as specified in Section
> 7.2.  If a UA initially visits a site like, it would
> not know if the host is an HSTS host or not.  Use of 301 is not secure and
> the user agent could be maliciously redirected to someplace other than a
> site owned by PayPal, for example.

Yes, this is well-understood and (prominently) noted in the security 

14.6.  Bootstrap MITM Vulnerability

    The bootstrap MITM (Man-In-The-Middle) vulnerability is a
    vulnerability users and HSTS Hosts encounter in the situation where
    the user manually enters, or follows a link, to an unknown HSTS Host
    using a "http" URI rather than a "https" URI.  Because the UA uses an
    insecure channel in the initial attempt to interact with the
    specified server, such an initial interaction is vulnerable to
    various attacks (see Section 5.3 of [ForceHTTPS]).

    NOTE:  There are various features/facilities that UA implementations
           may employ in order to mitigate this vulnerability.  Please
           see Section 12 "User Agent Implementation Advice".

Plus, this spec is now a done deal.

However, the notion of devising some means for declaring general (web) host 
security policy and capabilities is one that's been discussed in various 
contexts (it's the question you're begging in your msg, IMV) -- and, yes, that's 
something to (now) put more cycles into thinking about.
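To make the bootstrap gap of Section 14.6 concrete, here is an added example (not code from the draft, from this thread, or from any user agent) of a minimal HSTS policy store as a UA would keep it: an STS header is honoured only over a secure transport, http URIs to known hosts are rewritten to https, and an unknown host gets no rewrite, so its first cleartext request stays exposed; the preload set stands in for the Section 12 advice. The host names, preload set and `HstsStore` class are constructed for the example.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

PRELOADED_HOSTS = {"preloaded.example"}  # constructed stand-in for a UA preload list (Section 12)
_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


class HstsStore:
    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}  # host -> (expiry timestamp, includeSubDomains flag)

    def process_response(self, host, over_tls, sts_header):
        """Note an STS header from a response. Only a header received over a
        secure transport (no TLS errors) counts, so the insecure bootstrap
        request of Section 14.6 can never establish policy for a host."""
        if not over_tls or sts_header is None:
            return False
        m = _MAX_AGE.search(sts_header)
        if not m:
            return False  # max-age is mandatory; ignore a malformed header
        max_age = int(m.group(1))
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 expunges the cached policy
        else:
            include_sub = "includesubdomains" in sts_header.lower()
            self._hosts[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        # Preloaded, or an unexpired entry for the host itself or for a
        # superdomain whose policy carries includeSubDomains.
        if host in PRELOADED_HOSTS:
            return True
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self._now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """URI rewriting for known HSTS hosts: http -> https, explicit port 80
        -> 443. An unknown host gets no upgrade, and that first cleartext
        request is exactly the window Section 14.6 warns about."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = f"{parts.hostname}:443" if parts.port == 80 else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```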