Re: [websec] HSTS: max-age=0 interacting with includeSubdomains

Adam Barth <ietf@adambarth.com> Tue, 21 August 2012 20:41 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3ACC821F85FF for <websec@ietfa.amsl.com>; Tue, 21 Aug 2012 13:41:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.944
X-Spam-Level:
X-Spam-Status: No, score=-2.944 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LjP+d8kCpVIz for <websec@ietfa.amsl.com>; Tue, 21 Aug 2012 13:41:00 -0700 (PDT)
Received: from mail-qa0-f44.google.com (mail-qa0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id 91ED221F85FC for <websec@ietf.org>; Tue, 21 Aug 2012 13:41:00 -0700 (PDT)
Received: by qadb17 with SMTP id b17so3899410qad.10 for <websec@ietf.org>; Tue, 21 Aug 2012 13:41:00 -0700 (PDT)
Received: by 10.229.137.12 with SMTP id u12mr15594500qct.28.1345581659888; Tue, 21 Aug 2012 13:40:59 -0700 (PDT)
Received: from mail-vc0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by mx.google.com with ESMTPS id gw6sm1849541qab.21.2012.08.21.13.40.58 (version=SSLv3 cipher=OTHER); Tue, 21 Aug 2012 13:40:58 -0700 (PDT)
Received: by vcbfo14 with SMTP id fo14so276132vcb.31 for <websec@ietf.org>; Tue, 21 Aug 2012 13:40:57 -0700 (PDT)
Received: by 10.52.90.104 with SMTP id bv8mr3006852vdb.102.1345581657585; Tue, 21 Aug 2012 13:40:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.58.64.169 with HTTP; Tue, 21 Aug 2012 13:40:27 -0700 (PDT)
In-Reply-To: <1309411276.2656875.1345581509698.JavaMail.root@mozilla.com>
References: <50335580.2040701@gondrom.org> <1309411276.2656875.1345581509698.JavaMail.root@mozilla.com>
From: Adam Barth <ietf@adambarth.com>
Date: Tue, 21 Aug 2012 13:40:27 -0700
Message-ID: <CAJE5ia9+jNNpSx6D4wCDVWSM0RhqgHLa8d+_ctGv6wAc_qhj7w@mail.gmail.com>
To: Brian Smith <bsmith@mozilla.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: websec@ietf.org
Subject: Re: [websec] HSTS: max-age=0 interacting with includeSubdomains
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2012 20:41:01 -0000

On Tue, Aug 21, 2012 at 1:38 PM, Brian Smith <bsmith@mozilla.com> wrote:
>> Adam Barth wrote:
>> >Brian Smith wrote:
>> >> 2. The owners of example.com decides to turn of HSTS for whatever
>> >> reason (perhaps the domain changed owners, or there's a
>> >> compatibility issue, or whatever), so they start sending out HSTS
>> >> with max-age=0 for example.com and for all the subdomains.
>
>> > That's not a correct way of disabling HSTS after (1).  Instead,
>> > they need only send out an max-age=0 header for example.com itself.
>
> [...]
>
>> > They can simply initiate a request to https://example.com/ (e.g.,
>> > by using an HTTP redirect or an HTML image element) and clear the
>> > HSTS state for that host name.
>
> I understand what you're saying and it makes sense. And, I agree that in a web browser that is a pretty reasonable way to handle some emergency where you have to turn off HSTS for some reason, though I think it would be quite tricky to do so in a way that is reliable.
>
> Another thing to keep in mind is that, in order to turn off HSTS, the site must comply with the browser's requirements for HSTS sites anyway; otherwise the browser will ignore your HSTS header and avoid doing the redirect or avoid loading the page with the img tag in it.
>
> FWIW, in Firefox we are also going to honor max-age=0 as a mechanism to disable the entries in our pre-loaded HSTS list that will ship in the browser.

How long do you plan to cache the disable?

Adam