Re: [websec] [Technical Errata Reported] RFC6797 (4075)
"Eric Lawrence" <e_lawrence@hotmail.com> Fri, 08 August 2014 19:32 UTC
Return-Path: <e_lawrence@hotmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D86F11A011F for <websec@ietfa.amsl.com>; Fri, 8 Aug 2014 12:32:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.062
X-Spam-Level:
X-Spam-Status: No, score=-0.062 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dk7hy3qkytc0 for <websec@ietfa.amsl.com>; Fri, 8 Aug 2014 12:32:53 -0700 (PDT)
Received: from COL004-OMC1S12.hotmail.com (col004-omc1s12.hotmail.com [65.55.34.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A1F91A0055 for <websec@ietf.org>; Fri, 8 Aug 2014 12:32:53 -0700 (PDT)
Received: from COL131-DS14 ([65.55.34.9]) by COL004-OMC1S12.hotmail.com with Microsoft SMTPSVC(7.5.7601.22712); Fri, 8 Aug 2014 12:32:53 -0700
X-TMN: [y0X7cvRigUQH0ZLTmF2J2fjDLUPcK97N]
X-Originating-Email: [e_lawrence@hotmail.com]
Message-ID: <COL131-DS14E7BAAD30061ECA07D1D5F0EE0@phx.gbl>
From: Eric Lawrence <e_lawrence@hotmail.com>
To: Barry Leiba <barryleiba@computer.org>, RFC Errata System <rfc-editor@rfc-editor.org>
References: <20140808190533.56A431801A4@rfc-editor.org> <CALaySJJB=g_gD9rFVoLU7JW7SkVvq9bK_H71TdPq3-em0JLFfQ@mail.gmail.com>
In-Reply-To: <CALaySJJB=g_gD9rFVoLU7JW7SkVvq9bK_H71TdPq3-em0JLFfQ@mail.gmail.com>
Date: Fri, 08 Aug 2014 14:32:52 -0500
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
X-OriginalArrivalTime: 08 Aug 2014 19:32:53.0277 (UTC) FILETIME=[8C27E4D0:01CFB33F]
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/ZTBLdVbBQ1sehfAyoDfQ9Gw8sRc
X-Mailman-Approved-At: Sat, 09 Aug 2014 13:21:12 -0700
Cc: Jeff Hodges <Jeff.Hodges@paypal.com>, Pete Resnick <presnick@qti.qualcomm.com>, websec@ietf.org, Collin Jackson <collin.jackson@sv.cmu.edu>
Subject: Re: [websec] [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Aug 2014 17:50:09 -0000
Hi, Barry-- I'm afraid I'm only a consumer of RFCs and thus I'm not sure I understand the distinction here. To me, it seems that the RFC's threat model is incomplete. -Eric -----Original Message----- From: Barry Leiba Sent: Friday, August 8, 2014 2:11 PM To: RFC Errata System Cc: Jeff Hodges ; Collin Jackson ; Adam Barth ; Pete Resnick ; Tobias Gondrom ; Yoav Nir ; e_lawrence@hotmail.com ; websec@ietf.org Subject: Re: [Technical Errata Reported] RFC6797 (4075) Eric, thanks for the report. Errata are errors in the text that would have been fixed at publication time, had they been caught. Isn't this a change request, rather than an errata report? Barry, Applications AD On Fri, Aug 8, 2014 at 3:05 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote: > The following errata report has been submitted for RFC6797, > "HTTP Strict Transport Security (HSTS)". > > -------------------------------------- > You may review the report below and at: > http://www.rfc-editor.org/errata_search.php?rfc=6797&eid=4075 > > -------------------------------------- > Type: Technical > Reported by: Eric Lawrence <e_lawrence@hotmail.com> > > Section: 14 > > Original Text > ------------- > Without the "includeSubDomains" directive, HSTS is unable to protect > such Secure-flagged domain cookies. > > Corrected Text > -------------- > Without the "includeSubDomains" directive, HSTS is unable to protect > such Secure-flagged domain cookies. > > Even with the "includeSubDomains" directive, the unavailability of > an "includeParent" directive means that an Active MITM attacker can > perform a cookie-injection attack against an otherwise > HSTS-protected victim domain. > > Consider the following scenario: > > The user visits https://sub.example.com and gets a HSTS policy with > includeSubdomains set. All subsequent navigations to > sub.example.com and its subdomains will be secure. > > An attacker causes the victim's browser to navigate to > http://example.com. Because the HSTS policy applies only to > sub.example.com and its superdomain matches, this insecure > navigation is not blocked by the user agent. > > The attacker intercepts this insecure request and returns a > response that sets a cookie on the entire domain tree using a > Set-Cookie header. > > All subsequent requests to sub.example.com carry the injected > cookie, despite the use of HSTS. > > Notes > ----- > To mitigate this attack, HSTS-protected websites should perform a > background fetch of a resource at the first-level domain. This resource > should carry a HSTS header that will apply to the entire domain and all > subdomains. > > Instructions: > ------------- > This erratum is currently posted as "Reported". If necessary, please > use "Reply All" to discuss whether it should be verified or > rejected. When a decision is reached, the verifying party (IESG) > can log in to change the status and edit the report, if necessary. > > -------------------------------------- > RFC6797 (draft-ietf-websec-strict-transport-sec-14) > -------------------------------------- > Title : HTTP Strict Transport Security (HSTS) > Publication Date : November 2012 > Author(s) : J. Hodges, C. Jackson, A. Barth > Category : PROPOSED STANDARD > Source : Web Security > Area : Applications > Stream : IETF > Verifying Party : IESG >
- Re: [websec] [Technical Errata Reported] RFC6797 … Barry Leiba
- Re: [websec] [Technical Errata Reported] RFC6797 … Barry Leiba
- Re: [websec] [Technical Errata Reported] RFC6797 … Yoav Nir
- Re: [websec] [Technical Errata Reported] RFC6797 … Yoav Nir
- Re: [websec] [Technical Errata Reported] RFC6797 … Chris Palmer
- Re: [websec] [Technical Errata Reported] RFC6797 … Barry Leiba
- [websec] [Technical Errata Reported] RFC6797 (407… RFC Errata System
- Re: [websec] [Technical Errata Reported] RFC6797 … Eric Lawrence
- Re: [websec] [Technical Errata Reported] RFC6797 … Eric Lawrence
- Re: [websec] [Technical Errata Reported] RFC6797 … Tobias Gondrom
- Re: [websec] [Technical Errata Reported] RFC6797 … Yoav Nir
- Re: [websec] [Technical Errata Reported] RFC6797 … Tobias Gondrom
- Re: [websec] [Technical Errata Reported] RFC6797 … Yoav Nir
- Re: [websec] [Technical Errata Reported] RFC6797 … Barry Leiba
- Re: [websec] [Technical Errata Reported] RFC6797 … Tobias Gondrom
- [websec] [Errata Rejected] RFC6797 (4075) RFC Errata System