Re: [websec] #57: Re-add an upper limit to max-age

Tobias Gondrom <> Sat, 23 March 2013 12:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 88A8121F8A3F for <>; Sat, 23 Mar 2013 05:38:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -95.262
X-Spam-Status: No, score=-95.262 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oARZpPc44F5u for <>; Sat, 23 Mar 2013 05:38:04 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 5C44E21F8A0C for <>; Sat, 23 Mar 2013 05:38:04 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default;; b=JNtpkNyB00FioaDcf9OJhg5Hpfd8P+4atFe8fzEuKPyuQlmE9JyWtSw2QnTYgwPBLCVkwG/zmfjVG0X92oXBPX8cFjfONF/857Sh21Y2YzrySUeEP5veOeMWBz5juxPT; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding;
Received: (qmail 15987 invoked from network); 23 Mar 2013 13:38:03 +0100
Received: from (HELO ? ( by with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 23 Mar 2013 13:38:02 +0100
Message-ID: <>
Date: Sat, 23 Mar 2013 20:37:48 +0800
From: Tobias Gondrom <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130308 Thunderbird/17.0.4
MIME-Version: 1.0
References: <> <> <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] #57: Re-add an upper limit to max-age
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 23 Mar 2013 12:38:05 -0000

I agree with Yoav's comment.

Am not 100% sure on this, as I don't know the frequency of
"self-bricking" due to the reasons described by Trevor, but feel that 30
days is too short for protection of rare use users. Don't forget, we
have not solved the boot-strapping issue for HSTS and HKPK. So if the
max-age is too low, we basically leave all infrequent users unprotected.
(and I guess there are quite a number of important sites that people
would only go to only once in a while but not for sure every 30 days).

If I would have to balance between "self-inflicted bricking" (due to
mis-config, bad business deals, weak security, etc.) and user
protection, my vote would go for user protection.

So if we need a max-age, I would probably prefer a longer time, e.g. a
max-age of 1 year.

Best regards, Tobias

On 23/03/13 10:13, Yoav Nir wrote:
> On Mar 22, 2013, at 7:36 PM, Joseph Bonneau <> wrote:
>> On Fri, Mar 22, 2013 at 7:07 PM, Trevor Perrin <> wrote:
>>> With a spec maximum (say 30 days), then you have a clear reference
>>> point to plan around.
>> Agreed.
>> I have some stats I've been looking at from Google's web crawls about
>> HSTS headers. Out of 12853 hosts I observed setting HSTS, 53% set of a
>> max-age of 1 year. After that it's 15% 30 days, 12% 180 days, 10% 1
>> day, and a smattering of other choices (with a few large hosts like
>> Twitter setting very long-lived max-age).
> As Ekr said in the meeting, there is a big difference here between HSTS and HPKP. It doesn't matter if Paypal or some bank advertises HSTS for a million years. It's not likely that someone who has declared a policy for always using secure transport will suddenly switch to non-secure transport. They might stop advertising HSTS, but they're not likely to stop insisting on TLS use.
> OTOH a particular public key might be replaced because of switching certificate vendors, because auditors don't like that key length any more, or because your certificate vendor has decided that ECC is the way to go. Pinning something that has an expiry date for an unlimited time could be a problem.
> Something to consider is that if the max-age time is shorter than the time between accesses to the site, the security of this mechanism is lost. If either the draft or the UA sets an upper limit of 30 days, then HKPK won't work for This is a site that I only use from one week before an IETF meeting to one week following it. In between there are a little over three months where I don't use the site at all. So it would make sense for the site operator to set a max-age of 4 months. That limit may be inappropriate for web mail or social media, but even those might be accessed from different UAs at different times. For example, I might use my home computer for a social media site while I'm at home, but use a smart phone or a laptop for the same site when I'm away from home. 
> I understand Trevor's issue. Does it make a difference to a site operator whether the site is partially bricked by bad pins for 30 days or 365 days?
> Yoav
> _______________________________________________
> websec mailing list