IETF Logo Mail Archive

Re: [websec] [Technical Errata Reported] RFC6797 (4075)

Barry Leiba <barryleiba@computer.org> Fri, 08 August 2014 19:54 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BF751A03CD for <websec@ietfa.amsl.com>; Fri, 8 Aug 2014 12:54:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id avPh9K2w08ME for <websec@ietfa.amsl.com>; Fri, 8 Aug 2014 12:54:16 -0700 (PDT)
Received: from mail-la0-x22f.google.com (mail-la0-x22f.google.com [IPv6:2a00:1450:4010:c03::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 338A61A03C8 for <websec@ietf.org>; Fri, 8 Aug 2014 12:54:16 -0700 (PDT)
Received: by mail-la0-f47.google.com with SMTP id mc6so4954694lab.20 for <websec@ietf.org>; Fri, 08 Aug 2014 12:54:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=V6ocbBrpLfRfm/Iv5YpV3Qh+ODJR0DRscjkPBLLuCEc=; b=pwVHZLbf0U4igcO2HRmpz/5xdXxQVsIjGQdx0HTw7StQ4F928qZi0x5M5wV1WpgGNC 0Uk2zYKoARS0fxhbD+tcvx4xpUdFeNUxMAFb2fMmqqPx73ujTHv9sKTG4EkqIPLSHPxc 8r7ZYX/HmkXhwXmrILWNR3BAx21VV814/Py6gbWXdqXCv0kem+MxP0MywuU8G43jV+z+ HZPFHdjK4wVvTAoige1O913+23rUR4w8N2Ri3SKE9qVvze0ox/vx8PPS6zqCu/dZrPXj sRqJf6S7orpeyNYWrKBJuQpCUC8noqfXKnFcstic4fzqJVc7pozxzLRsC5TKFLLPadQi mfMg==
MIME-Version: 1.0
X-Received: by 10.112.161.72 with SMTP id xq8mr22225266lbb.18.1407527654510; Fri, 08 Aug 2014 12:54:14 -0700 (PDT)
Sender: barryleiba@gmail.com
Received: by 10.152.8.46 with HTTP; Fri, 8 Aug 2014 12:54:14 -0700 (PDT)
In-Reply-To: <COL131-DS14E7BAAD30061ECA07D1D5F0EE0@phx.gbl>
References: <20140808190533.56A431801A4@rfc-editor.org> <CALaySJJB=g_gD9rFVoLU7JW7SkVvq9bK_H71TdPq3-em0JLFfQ@mail.gmail.com> <COL131-DS14E7BAAD30061ECA07D1D5F0EE0@phx.gbl>
Date: Fri, 08 Aug 2014 15:54:14 -0400
X-Google-Sender-Auth: a-jFWl0PyXh7PIoj8vJEhcd4Vds
Message-ID: <CALaySJJe6v7JwceN+TucqtdJWA9dh3+oj6-awYXHJwY6iZEvzA@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Eric Lawrence <e_lawrence@hotmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/hkz8C7mYnEXtOGkkgDImgnNuozk
Cc: Jeff Hodges <Jeff.Hodges@paypal.com>, Pete Resnick <presnick@qti.qualcomm.com>, "websec@ietf.org" <websec@ietf.org>, Collin Jackson <collin.jackson@sv.cmu.edu>, RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [websec] [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Aug 2014 19:54:18 -0000

> I'm afraid I'm only a consumer of RFCs and thus I'm not sure I understand
> the distinction here. To me, it seems that the RFC's threat model is
> incomplete.

Perhaps it is, but the distinction is about whether an error was made
in writing the document, or whether there's a flaw in the protocol, an
issue that wasn't considered in the discussion, or the like.

The sentence you're addressing is entirely consistent with the rest of
Section 14.4, and doesn't look like "errata" to me.  It's quite
possible that the working group blew it and should have thought about
things differently.  It's possible that someone should write an update
to RFC 6797 to correct it, and that your input would be useful.

But you're asking the websec working group to consider an update, not
making an errata report, as I see it.

Does anyone from websec have a comment on this?

Barry

> -----Original Message----- From: Barry Leiba
> Sent: Friday, August 8, 2014 2:11 PM
> To: RFC Errata System
> Cc: Jeff Hodges ; Collin Jackson ; Adam Barth ; Pete Resnick ; Tobias
> Gondrom ; Yoav Nir ; e_lawrence@hotmail.com ; websec@ietf.org
> Subject: Re: [Technical Errata Reported] RFC6797 (4075)
>
>
> Eric, thanks for the report.
>
> Errata are errors in the text that would have been fixed at
> publication time, had they been caught.
>
> Isn't this a change request, rather than an errata report?
>
> Barry, Applications AD
>
> On Fri, Aug 8, 2014 at 3:05 PM, RFC Errata System
> <rfc-editor@rfc-editor.org> wrote:
>>
>> The following errata report has been submitted for RFC6797,
>> "HTTP Strict Transport Security (HSTS)".
>>
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata_search.php?rfc=6797&eid=4075
>>
>> --------------------------------------
>> Type: Technical
>> Reported by: Eric Lawrence <e_lawrence@hotmail.com>
>>
>> Section: 14
>>
>> Original Text
>> -------------
>>    Without the "includeSubDomains" directive, HSTS is unable to protect
>>    such Secure-flagged domain cookies.
>>
>> Corrected Text
>> --------------
>>    Without the "includeSubDomains" directive, HSTS is unable to protect
>>    such Secure-flagged domain cookies.
>>
>>    Even with the "includeSubDomains" directive, the unavailability of
>>    an "includeParent" directive means that an Active MITM attacker can
>>    perform a cookie-injection attack against an otherwise
>>    HSTS-protected victim domain.
>>
>>    Consider the following scenario:
>>
>>     The user visits https://sub.example.com and gets a HSTS policy with
>>     includeSubdomains set. All subsequent navigations to
>>     sub.example.com and its subdomains will be secure.
>>
>>     An attacker causes the victim's browser to navigate to
>>     http://example.com. Because the HSTS policy applies only to
>>     sub.example.com and its superdomain matches, this insecure
>>     navigation is not blocked by the user agent.
>>
>>     The attacker intercepts this insecure request and returns a
>>     response that sets a cookie on the entire domain tree using a
>>     Set-Cookie header.
>>
>>     All subsequent requests to sub.example.com carry the injected
>>     cookie, despite the use of HSTS.
>>
>> Notes
>> -----
>> To mitigate this attack, HSTS-protected websites should perform a
>> background fetch of a resource at the first-level domain. This resource
>> should carry a HSTS header that will apply to the entire domain and all
>> subdomains.
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party (IESG)
>> can log in to change the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC6797 (draft-ietf-websec-strict-transport-sec-14)
>> --------------------------------------
>> Title               : HTTP Strict Transport Security (HSTS)
>> Publication Date    : November 2012
>> Author(s)           : J. Hodges, C. Jackson, A. Barth
>> Category            : PROPOSED STANDARD
>> Source              : Web Security
>> Area                : Applications
>> Stream              : IETF
>> Verifying Party     : IESG
>>
>

v2.43.4 | Report a Bug | By Email | System Status