Re: [websec] Issue #41 add parameter indicating whether to hardfail or not

"Steingruebl, Andy" <> Fri, 29 June 2012 16:45 UTC

From: "Steingruebl, Andy" <>
To: Alexey Melnikov <>
Date: Fri, 29 Jun 2012 16:45:00 +0000
Cc: IETF WebSec WG <>
Subject: Re: [websec] Issue #41 add parameter indicating whether to hardfail or not

> -----Original Message-----
> From: Alexey Melnikov []
> Maybe this is not a good example, but I am thinking that something like
> OCSP retrieval failing on the client side is not something that would
> show up in the webserver logs.

Sure, but doesn't the OCSP site know whether it has set HSTS?

> There is however "I am testing DKIM" flag published in DNS.

Yep, but here you may not know all your sources of email, all of the domains, senders, etc. You could have an outsourcer sending mail on your behalf that you don't know about, haven't inventoried, etc.

For HSTS that can't be the case.  For HSTS you do know exactly what domain/host you're applying HSTS to.  You don't necessarily know all of the inbound links, but you don't know that before HSTS either, and so you watch your weblogs for 404's, for example, to see typo'd links, inbound errors, etc.

My contention is we already have this problem solved, and don't need a testing mode for it like this as there aren't any cases where the browser won't at least try to connect, and you can have an endpoint there ready/willing/able to listen to the request that is made.  If nothing else you could put up a packet sniffer.

- Andy
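The log-watching approach Andy describes above, as an added example that is not part of the original thread or any WebSec WG deliverable: a small access-log triage script that finds 404s together with the inbound referrers that point at them (typo'd links) and tallies plain-HTTP vs HTTPS hits, which is where you would look when checking whether clients are honouring an HSTS policy. The log format is an assumption: Apache combined format with one extra leading field carrying the request scheme, and the sample lines are constructed, not real traffic.

```python
"""Triage a web server access log for the signals discussed in the thread:
404s with external referrers (broken or typo'd inbound links) and the split
between plain-HTTP and HTTPS requests.

Added example; not code from the original mailing-list thread.
Assumed log format (an assumption, not a standard): Apache "combined" log
format with one extra leading field, the request scheme, e.g.
    LogFormat "%{REQUEST_SCHEME}e %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real traffic); the hosts use RFC 5737 test ranges.
SAMPLE_LOG = """\
https 203.0.113.5 - - [29/Jun/2012:09:45:00 -0700] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
http 203.0.113.5 - - [29/Jun/2012:09:45:01 -0700] "GET /index.html HTTP/1.1" 301 0 "-" "Mozilla/5.0"
https 198.51.100.7 - - [29/Jun/2012:09:45:02 -0700] "GET /docs/hsts.htlm HTTP/1.1" 404 210 "http://partner.example/links" "Mozilla/5.0"
https 198.51.100.8 - - [29/Jun/2012:09:45:03 -0700] "GET /docs/hsts.htlm HTTP/1.1" 404 210 "http://blog.example/post" "Mozilla/5.0"
https 198.51.100.9 - - [29/Jun/2012:09:45:04 -0700] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"
http 192.0.2.44 - - [29/Jun/2012:09:45:05 -0700] "GET /login HTTP/1.1" 301 0 "-" "curl/7.21"
"""

# One regex for the assumed format: scheme, then the standard combined-log fields.
LINE_RE = re.compile(
    r'^(?P<scheme>https?) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Parse log text into a list of dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def broken_inbound_links(entries):
    """Map each path that returned 404 to the set of referrers that pointed at it.

    Requests with no referrer ("-") are left out: they tell you nothing about
    which inbound link is wrong, only that someone guessed a URL.
    """
    out = defaultdict(set)
    for e in entries:
        if e["status"] == "404" and e["referer"] != "-":
            out[e["path"]].add(e["referer"])
    return dict(out)


def scheme_counts(entries):
    """Count requests by scheme. After HSTS takes hold in clients, the plain-HTTP
    share from browsers that have already seen the policy should drop towards zero;
    non-browser clients (curl, scripts) will still show up as http."""
    return Counter(e["scheme"] for e in entries)


def summarize(text):
    """Convenience wrapper: parse once and return both reports."""
    entries = parse_log(text)
    return {
        "broken_links": broken_inbound_links(entries),
        "schemes": scheme_counts(entries),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for path, refs in sorted(report["broken_links"].items()):
        print(f"404 {path} linked from: {', '.join(sorted(refs))}")
    for scheme, n in sorted(report["schemes"].items()):
        print(f"{scheme}: {n} requests")
```

What this does not cover, and what the thread is really arguing about, is a client that refuses to connect at all because HSTS turned a certificate warning into a hard failure: that attempt never reaches the application log, so it has to be observed at the TLS layer (handshake failures in the server's TLS logs) or, as Andy says, with a packet sniffer in front of the endpoint.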