Re: [websec] fyi: State of HSTS Deployment in 2013-Oct

Yoav Nir <> Sun, 10 August 2014 11:38 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A31E01A06E5 for <>; Sun, 10 Aug 2014 04:38:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id PRDIKT4fDmnS for <>; Sun, 10 Aug 2014 04:38:35 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c05::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 148271A06E4 for <>; Sun, 10 Aug 2014 04:38:34 -0700 (PDT)
Received: by with SMTP id ho1so2934602wib.10 for <>; Sun, 10 Aug 2014 04:38:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=dT3588L+CslMHeFcSaAyaBfj4YvW3832tPbwPKfoNyo=; b=q1dRpUkDLs4D40zXJ7I3/w6nd/wkJkkdT69D21hJaeVY1BJuFIhv0rO26wqTKHXOEJ 5orb0owvj3YW4hE5rRo9BwJzmG+UmbZ3GdSWzIJMwZn7r1MYqqIJ+PmbVi3xOQJALf8/ 1WUhCC7105RIaj1IS+OYnDUzxKuNkZ9ybxsPrU20TpLqO9egB66xs1JAQlACgv1seXiy bWIxxqn0K9Es4YulhVA3DDT9FgM7gSPGeV39pcfA9ZwuZxPVMuyqrkfTnG86zWS6/sLX 3NLS0UKi1N7IkxN4IvD+vW4vr3TffJd24h5WHknrXkr7Snln+baL5cooYK5FB38kYWIO REzA==
X-Received: by with SMTP id ev2mr44956775wjb.76.1407670713638; Sun, 10 Aug 2014 04:38:33 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id pm3sm31474117wjb.28.2014. for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 10 Aug 2014 04:38:33 -0700 (PDT)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <>
In-Reply-To: <>
Date: Sun, 10 Aug 2014 14:38:35 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <>
To: Tobias Gondrom <>
X-Mailer: Apple Mail (2.1878.6)
Subject: Re: [websec] fyi: State of HSTS Deployment in 2013-Oct
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 10 Aug 2014 11:38:36 -0000

On Aug 10, 2014, at 12:59 PM, Tobias Gondrom <> wrote:

> Hi Jeff,
> thanks for sharing. Good paper and interesting read.
> Even though things are slowly picking up in adoption, a bit
> disappointing it's been only 277 out of 100000 sites in Oct 2013. (on a
> personal note: this is consistent with my personal anecdotal experience:
> as part of overall secure development training, I also mention HSTS to
> developers a couple of times per year, and so far nearly none of them
> used it before…)

My anecdotal evidence is that I tried to promote it at the company where I work. We sell (among other things) an SSL-VPN gateway. That is pretty much a pre-packaged web server, configurable to provide access to company resources such as email, ERP and whatever else employees need over a web interface. 

At first this looked to me like a great candidate for HSTS - it’s only HTTPS, no HTTP. It’s pre-packaged, so we could add it without the administrators needing to do any work. In the end, what killed the idea was what happens when certificates expire or when a valid certificate is replaced by an almost-valid certificate (missing alternate name). The administrators of our products run the gamut from IT professionals who have been through our administration courses all the way to the CEO’s nephew who’s really good with computers (‘cause he’s got his own Facebook profile and everything). We felt it was too risky to just ship the server with HSTS on. 

It’s still possible to turn it on by editing some Apache configuration files, but you really want security to be on by default.