From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <53E74295.7060402@gondrom.org>
Date: Sun, 10 Aug 2014 14:38:35 +0300
Message-Id: <9324C2B1-7DAA-418B-87C2-7D4CFABD8B1C@gmail.com>
References: <53E708DB.4010505@KingsMountain.com> <53E74295.7060402@gondrom.org>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/eMhYxEN8N_81v_ConunVVX-Dosg
Cc: websec@ietf.org
Subject: Re: [websec] fyi: State of HSTS Deployment in 2013-Oct


On Aug 10, 2014, at 12:59 PM, Tobias Gondrom <tobias.gondrom@gondrom.org> wrote:

> Hi Jeff,
> 
> thanks for sharing. Good paper and interesting read.
> 
> Even though things are slowly picking up in adoption, a bit
> disappointing it's been only 277 out of 100000 sites in Oct 2013. (on a
> personal note: this is consistent with my personal anecdotal experience:
> as part of overall secure development training, I also mention HSTS to
> developers a couple of times per year, and so far nearly none of them
> used it before…)

My anecdotal evidence is that I tried to promote it at the company where I work. We sell (among other things) an SSL-VPN gateway. That is pretty much a pre-packaged web server, configurable to provide access to company resources such as email, ERP and whatever else employees need over a web interface.

At first this looked to me like a great candidate for HSTS - it's only HTTPS, no HTTP. It's pre-packaged, so we could add it without the administrators needing to do any work. In the end, what killed the idea was what happens when certificates expire or when a valid certificate is replaced by an almost-valid certificate (missing alternate name). The administrators of our products run the gamut from IT professionals who have been through our administration courses all the way to the CEO's nephew who's really good with computers ('cause he's got his own Facebook profile and everything). We felt it was too risky to just ship the server with HSTS on.

It's still possible to turn it on by editing some Apache configuration files, but you really want security to be on by default.

Yoav
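A small model of the client-side behaviour behind the lock-out described above, added here as an example and not part of the thread: the header parsing follows the RFC 6797 syntax, while the cache, the `cert_error_outcome` decision function and the host names are this example's own simplifications of what a browser does for a known HSTS host.

```python
"""Why HSTS plus an expired or mismatched certificate locks users out.

RFC 6797 section 12.1: once a host is a "known HSTS host", a client must
treat any TLS/certificate error as fatal, with no click-through. This is
the behaviour that made shipping an appliance with HSTS on risky.
"""
import re

HSTS_CACHE = {}  # host -> (expiry_epoch_seconds, include_subdomains)


def parse_sts(header):
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains).

    Returns None for a header the client must ignore (missing, malformed or
    duplicated max-age), as RFC 6797 section 6.1 requires."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if not m or max_age is not None:
                return None
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def note_sts_header(host, header, now):
    """Record a header received over a successful TLS connection to host."""
    parsed = parse_sts(header)
    if parsed is None:
        return
    max_age, include_sub = parsed
    if max_age == 0:
        HSTS_CACHE.pop(host, None)  # max-age=0 tells the client to forget the host
    else:
        HSTS_CACHE[host] = (now + max_age, include_sub)


def is_known_hsts_host(host, now):
    """Exact match always counts; a superdomain only with includeSubDomains."""
    labels = host.split(".")
    for i in range(len(labels)):
        entry = HSTS_CACHE.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False


def cert_error_outcome(host, cert_error, now):
    """cert_error is None when the certificate validated, else e.g. 'expired'."""
    if cert_error is None:
        return "connect"
    if is_known_hsts_host(host, now):
        return "hard-fail"  # no bypass: the admin with a lapsed cert is locked out
    return "warn-bypassable"  # plain HTTPS host: the user can still click through
```

The assumed appliance host `vpn.example.com` is constructed for the demonstration; note that the lock-out persists until the recorded max-age expires, which is the part that a one-off certificate slip turns into an outage.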

