Re: [websec] [Technical Errata Reported] RFC6797 (4075)
Barry Leiba <barryleiba@computer.org> Fri, 08 August 2014 19:11 UTC
In-Reply-To: <20140808190533.56A431801A4@rfc-editor.org>
References: <20140808190533.56A431801A4@rfc-editor.org>
Date: Fri, 08 Aug 2014 15:11:44 -0400
Message-ID: <CALaySJJB=g_gD9rFVoLU7JW7SkVvq9bK_H71TdPq3-em0JLFfQ@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/XGNJBhiHDZWYyJ9L0ezTq1Yrb-c
Cc: e_lawrence@hotmail.com, Jeff Hodges <Jeff.Hodges@paypal.com>, Pete Resnick <presnick@qti.qualcomm.com>, "websec@ietf.org" <websec@ietf.org>, Collin Jackson <collin.jackson@sv.cmu.edu>
Subject: Re: [websec] [Technical Errata Reported] RFC6797 (4075)
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
Eric, thanks for the report.

Errata are errors in the text that would have been fixed at publication
time, had they been caught. Isn't this a change request, rather than an
errata report?

Barry, Applications AD

On Fri, Aug 8, 2014 at 3:05 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
> The following errata report has been submitted for RFC6797,
> "HTTP Strict Transport Security (HSTS)".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=6797&eid=4075
>
> --------------------------------------
> Type: Technical
> Reported by: Eric Lawrence <e_lawrence@hotmail.com>
>
> Section: 14
>
> Original Text
> -------------
> Without the "includeSubDomains" directive, HSTS is unable to protect
> such Secure-flagged domain cookies.
>
> Corrected Text
> --------------
> Without the "includeSubDomains" directive, HSTS is unable to protect
> such Secure-flagged domain cookies.
>
> Even with the "includeSubDomains" directive, the unavailability of
> an "includeParent" directive means that an Active MITM attacker can
> perform a cookie-injection attack against an otherwise
> HSTS-protected victim domain.
>
> Consider the following scenario:
>
> The user visits https://sub.example.com and gets a HSTS policy with
> includeSubdomains set. All subsequent navigations to
> sub.example.com and its subdomains will be secure.
>
> An attacker causes the victim's browser to navigate to
> http://example.com. Because the HSTS policy applies only to
> sub.example.com and its superdomain matches, this insecure
> navigation is not blocked by the user agent.
>
> The attacker intercepts this insecure request and returns a
> response that sets a cookie on the entire domain tree using a
> Set-Cookie header.
>
> All subsequent requests to sub.example.com carry the injected
> cookie, despite the use of HSTS.
>
> Notes
> -----
> To mitigate this attack, HSTS-protected websites should perform a
> background fetch of a resource at the first-level domain. This
> resource should carry a HSTS header that will apply to the entire
> domain and all subdomains.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party (IESG)
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC6797 (draft-ietf-websec-strict-transport-sec-14)
> --------------------------------------
> Title               : HTTP Strict Transport Security (HSTS)
> Publication Date    : November 2012
> Author(s)           : J. Hodges, C. Jackson, A. Barth
> Category            : PROPOSED STANDARD
> Source              : Web Security
> Area                : Applications
> Stream              : IETF
> Verifying Party     : IESG
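The scenario in the quoted report, walked through in code. This is an added example written for this page, not code from the erratum, from RFC 6797 or from any browser: a toy model of a user agent's HSTS policy cache (RFC 6797 section 8) and cookie jar (RFC 6265 section 5.3), with the host names, the `session` cookie and the header values constructed for illustration. It shows why an includeSubDomains policy learned from sub.example.com does not upgrade a navigation to the parent example.com, how a cleartext response from the parent can plant a domain cookie that the browser then attaches to https requests to the HSTS-protected host, and what changes when the parent has also asserted HSTS, which is the background-fetch mitigation the report's notes propose.

```javascript
// Added example: a toy model of the pieces of a user agent that the erratum
// touches. Policies are keyed by host; cookies are kept as plain objects.
// Host names, header values and the cookie name below are constructed.
class UserAgent {
  constructor() {
    this.hsts = new Map();   // host -> { includeSubDomains: boolean }
    this.cookies = [];       // { name, value, domain, secure }
  }

  // RFC 6797 s8.1: record an STS policy. The caller is assumed to have
  // received the header over TLS without certificate errors; a header seen
  // over plain http must be ignored and is never passed in here.
  processHstsHeader(host, headerValue) {
    const directives = headerValue.split(';').map(d => d.trim().toLowerCase());
    const maxAgeDirective = directives.find(d => d.startsWith('max-age='));
    const m = maxAgeDirective === undefined ? null : /^max-age="?(\d+)"?$/.exec(maxAgeDirective);
    if (m === null) return;                 // missing or malformed max-age: header is ignored
    const seconds = Number(m[1]);
    if (seconds === 0) { this.hsts.delete(host); return; }   // max-age=0 forgets the host
    this.hsts.set(host, { includeSubDomains: directives.includes('includesubdomains') });
  }

  // RFC 6797 s8.2/s8.3: exact match, or a superdomain that asserted
  // includeSubDomains. Nothing flows the other way: a policy learned from
  // sub.example.com says nothing about example.com.
  isKnownHstsHost(host) {
    if (this.hsts.has(host)) return true;
    const labels = host.split('.');
    for (let i = 1; i < labels.length - 1; i++) {
      const superdomain = labels.slice(i).join('.');
      const policy = this.hsts.get(superdomain);
      if (policy !== undefined && policy.includeSubDomains) return true;
    }
    return false;
  }

  // Scheme the user agent will actually use for a navigation.
  navigate(scheme, host) {
    return scheme === 'http' && this.isKnownHstsHost(host) ? 'https' : scheme;
  }

  // RFC 6265 s5.3: store a Set-Cookie received from `host`. The request-host
  // must domain-match the Domain attribute; the scheme of the response is not
  // consulted, which is what lets an http response plant a cookie that https
  // requests will later carry.
  setCookie(host, cookie) {
    if (!UserAgent.domainMatches(host, cookie.domain)) return false;
    this.cookies = this.cookies.filter(c => !(c.name === cookie.name && c.domain === cookie.domain));
    this.cookies.push({ ...cookie });
    return true;
  }

  // Cookies attached to a request for `scheme://host/`.
  cookiesFor(scheme, host) {
    return this.cookies
      .filter(c => UserAgent.domainMatches(host, c.domain))
      .filter(c => !c.secure || scheme === 'https');
  }

  static domainMatches(host, domain) {
    return host === domain || host.endsWith('.' + domain);
  }
}

// Steps 2-4 of the erratum's scenario, against a user agent whose policy
// cache has already been seeded by the caller.
function attemptInjection(ua) {
  // Step 2: the attacker makes the browser navigate to http://example.com.
  const scheme = ua.navigate('http', 'example.com');
  // Step 3: if the request goes out in cleartext, the on-path attacker answers
  // it with "Set-Cookie: session=attacker-chosen; Domain=example.com".
  let injected = false;
  if (scheme === 'http') {
    injected = ua.setCookie('example.com',
      { name: 'session', value: 'attacker-chosen', domain: 'example.com', secure: false });
  }
  // Step 4: what the browser now sends to the HSTS-protected host.
  const sent = ua.cookiesFor('https', 'sub.example.com').map(c => `${c.name}=${c.value}`);
  return { scheme, injected, sent };
}

// As reported: only sub.example.com has asserted HSTS (step 1).
function attackAsReported() {
  const ua = new UserAgent();
  ua.processHstsHeader('sub.example.com', 'max-age=31536000; includeSubDomains');
  return attemptInjection(ua);
}

// Mitigation from the report's notes: sub.example.com also made the browser
// fetch an https resource from example.com whose response asserted HSTS for
// the parent with includeSubDomains.
function attackWithParentPolicy() {
  const ua = new UserAgent();
  ua.processHstsHeader('sub.example.com', 'max-age=31536000; includeSubDomains');
  ua.processHstsHeader('example.com', 'max-age=31536000; includeSubDomains');
  return attemptInjection(ua);
}

console.log('as reported        :', JSON.stringify(attackAsReported()));
console.log('with parent policy :', JSON.stringify(attackWithParentPolicy()));
```

Run it with node. The injected cookie carries no Secure flag, so the later RFC 6265bis rule that makes browsers reject Secure cookies set from insecure origins does not stop this variant; what does is a policy for the parent, learned directly as in the second function or via the browser's HSTS preload list, or a cookie name the attacker cannot set from http at all, such as one with the __Host- prefix. HSTS is also trust on first use: the parent's policy only helps if the browser learned it before the attacker-induced navigation.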
- Re: [websec] [Technical Errata Reported] RFC6797 … Barry Leiba
- Re: [websec] [Technical Errata Reported] RFC6797 … Barry Leiba
- Re: [websec] [Technical Errata Reported] RFC6797 … Yoav Nir
- Re: [websec] [Technical Errata Reported] RFC6797 … Yoav Nir
- Re: [websec] [Technical Errata Reported] RFC6797 … Chris Palmer
- Re: [websec] [Technical Errata Reported] RFC6797 … Barry Leiba
- [websec] [Technical Errata Reported] RFC6797 (407… RFC Errata System
- Re: [websec] [Technical Errata Reported] RFC6797 … Eric Lawrence
- Re: [websec] [Technical Errata Reported] RFC6797 … Eric Lawrence
- Re: [websec] [Technical Errata Reported] RFC6797 … Tobias Gondrom
- Re: [websec] [Technical Errata Reported] RFC6797 … Yoav Nir
- Re: [websec] [Technical Errata Reported] RFC6797 … Tobias Gondrom
- Re: [websec] [Technical Errata Reported] RFC6797 … Yoav Nir
- Re: [websec] [Technical Errata Reported] RFC6797 … Barry Leiba
- Re: [websec] [Technical Errata Reported] RFC6797 … Tobias Gondrom
- [websec] [Errata Rejected] RFC6797 (4075) RFC Errata System