Re: [websec] Strict-Transport-Security and mixed-content warnings
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 23 May 2013 03:27 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F247B11E8145 for <websec@ietfa.amsl.com>; Wed, 22 May 2013 20:27:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ppcAEfSiom6w for <websec@ietfa.amsl.com>; Wed, 22 May 2013 20:27:11 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 33B3221F8F32 for <websec@ietf.org>; Wed, 22 May 2013 20:27:10 -0700 (PDT)
Received: from [192.168.13.158] (lair.fifthhorseman.net [108.58.6.98]) by che.mayfirst.org (Postfix) with ESMTPSA id 82466F97F; Wed, 22 May 2013 23:27:07 -0400 (EDT)
Message-ID: <519D8C88.6070104@fifthhorseman.net>
Date: Wed, 22 May 2013 23:27:04 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130518 Icedove/17.0.5
MIME-Version: 1.0
To: ryan-ietfhasmat@sleevi.com
References: <87sj1e8yr7.fsf@alice.fifthhorseman.net> <5833d9ac9b80141674bece13781fee36.squirrel@webmail.dreamhost.com>
In-Reply-To: <5833d9ac9b80141674bece13781fee36.squirrel@webmail.dreamhost.com>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="----enig2MIRCLTLFBPBNNGUQAAHM"
Cc: websec@ietf.org
Subject: Re: [websec] Strict-Transport-Security and mixed-content warnings
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 May 2013 03:27:16 -0000
On 05/22/2013 06:52 PM, Ryan Sleevi wrote: > The view is that it's still a legitimate error for the site operator, in > that any user without HSTS protections (or with expired HSTS) is still at > risk. While HSTS may be providing protection to the user, the site itself > is still configured to serve resources insecurely, thus we still surface > it as user visible. It is an error for the site operator, certainly. But for a given user, with a browser that supports HSTS, which has received the header during the main page load (so it is clearly not expired), and trying to fetch content from the origin site itself (that happens to be mistakenly linked with http:// instead of https://): in this scenario it is not a security vulnerability for this user. My expectation as someone who browses the web is the browser UI feeback info is telling me things about *this connection right now*. If i want to get feedback about how the site is (mis)configured in ways that are not actively harming my connection at the moment, i expect that to be functionality provided by an extension or a web-developer-specific setting. For example, if i'm visiting a web page that is not valid HTML, but my browser can do a passable rendering of it, i don't expect my browser to choke or provide a warning label that says "invalid HTML! some other browsers might not be able to render this properly!" (though maybe that would be nice?) What about sites that are using 768-bit RSA keys -- some TLS stacks might reject those too, even if this one does not; should the browser show a warning? What about "transvalid" certs, which are only valid because we were able to find their intermediary CA in our cache of previously-seen CAs? There are lots of potential "your current connection is only safe because of this quirky combination of your browser, the page you're currently viewing, and your browsing history..." scenarios. Why should HSTS+mixed-content be singled out for special display to the user? I would expect that site administrators don't want their visitors to see indicators of security failure when they are using tools that are specifically designed to be able to prevent the security failure in question from happening. Site administrators should *also* be happy to have a mechanism to get reports about possible breakage on non-STS-compatible browsers, but i don't think they would want that mechanism to be complaints from scared users of STS-compatible browsers who actually don't have a problem. > ISTM that UI behaviours are largely outside the realm of what the IETF > standardizes. Some IETF specs do mandate certain UI (e.g. https://tools.ietf.org/html/rfc6797#section-12.1 specifies "no user recourse"), so i hope it's not too far outside the scope of the WG to talk about this here. But mainly i was asking about this here because i expect folks in this WG to have thought about these issues and to be able to explain where they're coming from (and even be interested in working toward rough consensus). That already is happening, so i don't think this is a terrible venue for the discussion :) Regards, --dkg
- [websec] Strict-Transport-Security and mixed-cont… Daniel Kahn Gillmor
- Re: [websec] Strict-Transport-Security and mixed-… Ryan Sleevi
- Re: [websec] Strict-Transport-Security and mixed-… Tanvi Vyas
- Re: [websec] Strict-Transport-Security and mixed-… Daniel Kahn Gillmor