Re: [websec] handling STS header field extendability

"Hill, Brad" <> Mon, 13 August 2012 21:40 UTC

From: "Hill, Brad" <>
To: Chris Palmer <>, Collin Jackson <>
Date: Mon, 13 Aug 2012 21:40:53 +0000
Cc: Ben Campbell <>, IETF WebSec WG <>

> Not to intentionally pick on PayPal — sorry, Brad :) — but the attack works
> because of explicit cross-origin script inclusion. The first demo of this attack I
> saw was by Sotirov and Zusman at CanSecWest some years ago. In the attack
> demo, EV includes (included) script from non-EV
> If you distinguish EV and non-EV
> as distinct origins, it doesn't help anything if either origin explicitly includes
> script from any other origin (of any security level).

[Hill, Brad] No apology needed. is using an EV certificate now, BTW, but I'm quite sure if you looked you could find non-EV content that's being transcluded somewhere. (though hopefully not script src)  

I think that's important to consider about LockEV - PayPal is one of the sites most ready for and most pervasively EV, and it would not be prepared today to have a mixed-content policy enforced for EV/DV.  It would take a lot of work and a great deal of expense to achieve this, and not just for PayPal.  Consider how many sites use off-origin analytics, ads, CDNs, etc.  

The CDN cost also goes way up because EV certificates cannot include multiple logical subjects and XP, Android 2.x and other legacy OSs still prevent SNI from being widely used, so you need to pay for an exclusive IP address from the CDN, in addition to the cost of the EV cert itself.

Mixed-content blocking could very conceivably decrease the usage of EV certs dramatically.
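One way to measure the exposure Brad describes, as an added example that is not part of this thread: given a page and a constructed, hypothetical map of which origins present EV versus DV certificates, list the cross-origin script includes that a LockEV-style mixed-content rule would block. The hosts shop.example, cdn.example and analytics.example and their certificate classes are assumptions made for the sample.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed map origin -> certificate class that origin presents.
# Hypothetical hosts and values; a real audit would take them from the
# certificates each host actually serves.
CERT_CLASS = {
    "https://shop.example": "EV",
    "https://cdn.example": "DV",
    "https://analytics.example": "DV",
}

class ScriptSrcCollector(HTMLParser):
    """Collect the absolute URL of every <script src=...> in a page."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.urls.append(urljoin(self.base_url, src))

def origin_of(url):
    return "{0.scheme}://{0.netloc}".format(urlsplit(url))

def find_mixed_assurance(page_url, html):
    """Return (url, cert_class) for each cross-origin script include whose
    origin is not EV: what a LockEV-style mixed-content rule would block."""
    page_origin = origin_of(page_url)
    if CERT_CLASS.get(page_origin) != "EV":
        return []  # the rule only applies when the including page is EV
    collector = ScriptSrcCollector(page_url)
    collector.feed(html)
    flagged = []
    for url in collector.urls:
        origin = origin_of(url)
        cls = CERT_CLASS.get(origin, "unknown")
        if origin != page_origin and cls != "EV":
            flagged.append((url, cls))
    return flagged

# Constructed sample: an EV checkout page with one same-origin script and two
# scripts transcluded from DV-only origins (a CDN and an analytics host).
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="https://analytics.example/track.js"></script>
</head></html>"""
```

Running `find_mixed_assurance("https://shop.example/checkout", SAMPLE_HTML)` returns the two DV-hosted scripts; the same-origin one is not flagged.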