Re: [websec] HSTS: Infinite max-age to address NTP spoofing attack?

"Steingruebl, Andy" <> Tue, 11 November 2014 19:21 UTC

To: Tom Ritter <>, Xiaoyin Liu <>
List-Id: Web Application Security Minus Authentication and Transport <>

On 11/7/14, 4:13 PM, "Tom Ritter" <> wrote:

>On 7 November 2014 13:28, Xiaoyin Liu <> wrote:
>> For instance, if Twitter wants to gracefully switch to HTTP. It needs to
>> send max-age=0 for twenty years in order to ensure that no one is locked
>> out. But planning ahead twenty years is impossible. So for Twitter
>> from twenty years to infinity doesn't add more risks.
>With something concrete, Paypal just jumped to 2 years:
> Maybe Jeff
>can weigh in on what it took to get to that confidence level and
>whether he/they would rather have 'infinite'.

Short story - we'd been running with and (but
not includesubdomains) on the preloaded list in Chrome for so long that it
didn't seem risky at all. The lag was really just administrative -
deciding whether you need to test/re-test when you update the header since
the short value was in force for Firefox, Opera, and Safari but the
preloading was only enforced for Chrome.

In the end we just figured we'd had the previous header for long enough
that upping the max-age to 2 years didn't seem risky.  In reality I should
probably have done it sooner.

- Andy