[websec] #5: Clarify need for IncludeSubDomains

"websec issue tracker" <trac+websec@trac.tools.ietf.org> Fri, 08 July 2011 22:15 UTC

Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A4D121F8C50 for <websec@ietfa.amsl.com>; Fri, 8 Jul 2011 15:15:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level:
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mhHKKYgdAe2h for <websec@ietfa.amsl.com>; Fri, 8 Jul 2011 15:15:12 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (zinfandel.tools.ietf.org [IPv6:2001:1890:1112:1::2a]) by ietfa.amsl.com (Postfix) with ESMTP id B473E21F8C4A for <websec@ietf.org>; Fri, 8 Jul 2011 15:15:12 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1QfJKK-0004vA-Ih; Fri, 08 Jul 2011 15:15:12 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: websec issue tracker <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 08 Jul 2011 22:15:12 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/5
Message-ID: <070.a9f98ae172e5a2b1327b06b3743756c3@trac.tools.ietf.org>
X-Trac-Ticket-ID: 5
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
X-Mailman-Approved-At: Fri, 08 Jul 2011 15:19:18 -0700
Cc: websec@ietf.org
Subject: [websec] #5: Clarify need for IncludeSubDomains
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 22:15:13 -0000

#5: Clarify need for IncludeSubDomains

 Yes, this is an unfortunate consequence of the way cookies work.
 Suppose you wanted to protect the confidentiality of a Secure cookie
 (i.e., a cookie with the Secure flag set), which, actually, is the
 primary use case for the header.  Further suppose that this cookie is
 a domain cookie (e.g., set for the entire example.com domain).  Now,
 if the attacker causes the browser to request
 https://aiodsfnuiasnis.example.com/, then:

 1) We're unlikely to have the HSTS policy bit for
 aiodsfnuiasnis.example.com.
 2) The request for https://aiodsfnuiasnis.example.com will include the
 Secure cookie.

 If the attacker then substitutes his certificate, the user will be
 able to click through the certificate error, which lets the attacker
 obtain the cookie we're trying to protect.

 If we remove the "includeSubDomains" directive, that means sites can't
 use HSTS to protect domain cookies.

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                  |       Owner:  =JeffH
     Type:  defect                         |      Status:  new   
 Priority:  major                          |   Milestone:        
Component:  strict-transport-sec           |     Version:        
 Severity:  -                              |    Keywords:        
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/5>
websec <http://tools.ietf.org/websec/>
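The ticket above walks through why HSTS without includeSubDomains cannot protect a Secure domain cookie. The following is an added example, not part of the ticket, the websec tracker or RFC 6797: a small JavaScript model of the browser-side decision. It combines cookie domain-matching (RFC 6265 section 5.1.3) with HSTS host matching (RFC 6797 section 8.3) and reports whether a MITM presenting an untrusted certificate can obtain the cookie. The cookie name, the HSTS store contents and the use of example.com are constructed for illustration; the hostname aiodsfnuiasnis.example.com is the one used in the ticket.

```javascript
// Added example (not from the ticket or RFC 6797): a model of the browser-side
// decision described in websec ticket #5. Cookie name, HSTS store contents and
// the example.com domain are constructed for illustration.

// HSTS lookup per RFC 6797 section 8.3: a host is a Known HSTS Host if it
// matches an entry exactly (congruent match) or if some superdomain entry
// was stored with includeSubDomains (superdomain match).
function hstsApplies(hstsStore, host) {
  if (Object.prototype.hasOwnProperty.call(hstsStore, host)) return true;
  const labels = host.split('.');
  // Walk the parent domains, stopping before the bare TLD.
  for (let i = 1; i < labels.length - 1; i++) {
    const parent = labels.slice(i).join('.');
    const entry = hstsStore[parent];
    if (entry && entry.includeSubDomains) return true;
  }
  return false;
}

// Cookie domain-match per RFC 6265 section 5.1.3 (host names only, no IPs).
function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// Model an https request to `host` that is intercepted by a MITM presenting a
// certificate the browser does not trust.
function simulateMitmRequest(host, cookies, hstsStore) {
  // The scheme is https, so the Secure flag does not exclude any cookie;
  // only the domain match decides what is attached.
  const cookiesSent = cookies
    .filter(c => domainMatches(host, c.domain))
    .map(c => c.name);
  // RFC 6797 section 8.4: on a Known HSTS Host the UA must terminate the
  // connection on any TLS error and must not offer a click-through.
  const certErrorBypassable = !hstsApplies(hstsStore, host);
  return {
    host,
    cookiesSent,
    certErrorBypassable,
    // The cookie reaches the attacker only if the user can accept the bad
    // certificate and the request carries the cookie.
    cookieExposed: certErrorBypassable && cookiesSent.length > 0,
  };
}

// The ticket's scenario: a Secure domain cookie for example.com, an HSTS
// policy set by example.com itself (with or without includeSubDomains), and a
// request to a random subdomain the browser has never visited.
function runScenario(includeSubDomains) {
  const cookies = [
    { name: 'session', domain: 'example.com', secure: true }, // constructed
  ];
  const hstsStore = {
    'example.com': { includeSubDomains },                    // constructed
  };
  return simulateMitmRequest('aiodsfnuiasnis.example.com', cookies, hstsStore);
}

console.log(runScenario(false)); // without includeSubDomains: cookieExposed true
console.log(runScenario(true));  // with includeSubDomains: cookieExposed false
```

Two details worth keeping in mind when applying this. The includeSubDomains directive only helps if the Strict-Transport-Security header is delivered in a response from the cookie's domain itself (here example.com); a policy set by www.example.com, even with includeSubDomains, covers www.example.com and hosts beneath it, not sibling hosts such as aiodsfnuiasnis.example.com. And the model treats any host not covered by HSTS as click-through-able, which matches the ticket's assumption about user behaviour; the policy removes that choice rather than relying on the user to make it correctly.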