[websec] #5: Clarify need for IncludeSubDomains
"websec issue tracker" <trac+websec@trac.tools.ietf.org> Fri, 08 July 2011 22:15 UTC
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A4D121F8C50 for <websec@ietfa.amsl.com>; Fri, 8 Jul 2011 15:15:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level:
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mhHKKYgdAe2h for <websec@ietfa.amsl.com>; Fri, 8 Jul 2011 15:15:12 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (zinfandel.tools.ietf.org [IPv6:2001:1890:1112:1::2a]) by ietfa.amsl.com (Postfix) with ESMTP id B473E21F8C4A for <websec@ietf.org>; Fri, 8 Jul 2011 15:15:12 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1QfJKK-0004vA-Ih; Fri, 08 Jul 2011 15:15:12 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: websec issue tracker <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 08 Jul 2011 22:15:12 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/5
Message-ID: <070.a9f98ae172e5a2b1327b06b3743756c3@trac.tools.ietf.org>
X-Trac-Ticket-ID: 5
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
X-Mailman-Approved-At: Fri, 08 Jul 2011 15:19:18 -0700
Cc: websec@ietf.org
Subject: [websec] #5: Clarify need for IncludeSubDomains
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 22:15:13 -0000
#5: Clarify need for IncludeSubDomains

Yes, this is an unfortunate consequence of the way cookies work.

Suppose you wanted to protect the confidentiality of a Secure cookie (i.e., a cookie with the Secure flag set), which, actually, is the primary use case for the header. Further suppose that this cookie is a domain cookie (e.g., set for the entire example.com domain).

Now, if the attacker causes the browser to request https://aiodsfnuiasnis.example.com/, then:

1) We're unlikely to have the HSTS policy bit for aiodsfnuiasnis.example.com.

2) The request for https://aiodsfnuiasnis.example.com will include the Secure cookie.

If the attacker then substitutes his certificate, the user will be able to click through the certificate error, which lets the attacker obtain the cookie we're trying to protect.

If we remove the "includeSubDomains" directive, that means sites can't use HSTS to protect domain cookies.

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                  |       Owner:  =JeffH
     Type:  defect                         |      Status:  new
 Priority:  major                          |   Milestone:
Component:  strict-transport-sec           |     Version:
 Severity:  -                              |    Keywords:
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/5>
websec <http://tools.ietf.org/websec/>
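The mismatch the ticket describes comes from two different matching rules: a domain cookie (RFC 6265) is sent to every subdomain of example.com, but an HSTS policy (RFC 6797) covers a subdomain only if it was set with includeSubDomains. The following model, written for this note and not taken from the websec tracker or any browser, makes both rules explicit and reports, for a given https request, whether the Secure cookie would be sent and whether the host is an HSTS host (in which case a certificate error must be a hard failure rather than a click-through warning, per RFC 6797 Section 12.1). The host names, cookie name and header values are constructed; expiry tracking and host-name canonicalization are left out.

```python
"""Model of HSTS host matching (RFC 6797 8.2/8.3) versus cookie
domain-matching (RFC 6265 5.1.3), as discussed in websec ticket #5.
Added example; not code from the tracker or from any browser."""
import re
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    host: str               # host that sent the header
    max_age: int            # seconds; 0 means "forget this host"
    include_subdomains: bool


def parse_sts(header: str, host: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value received from `host`."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not re.fullmatch(r"\d+", value):
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(value)
        elif name == "includesubdomains":   # directive names are case-insensitive
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(host.lower(), max_age, include_sub)


def is_hsts_host(policies, host: str) -> bool:
    """RFC 6797 8.3: `host` is an HSTS host if it equals a known HSTS host,
    or is a subdomain of one whose policy carries includeSubDomains."""
    host = host.lower()
    for p in policies:
        if p.max_age == 0:
            continue
        if host == p.host:
            return True
        if p.include_subdomains and host.endswith("." + p.host):
            return True
    return False


def cookie_sent(cookie: dict, host: str, secure_scheme: bool) -> bool:
    """RFC 6265 domain-matching plus the Secure flag rule. A domain cookie
    (Domain attribute set) matches the domain itself and every subdomain;
    a Secure cookie is only sent over a secure scheme."""
    host = host.lower()
    domain = cookie["domain"].lower()
    if cookie["secure"] and not secure_scheme:
        return False
    return host == domain or host.endswith("." + domain)


def evaluate(policies, cookie: dict, host: str):
    """For an https request to `host`, return (cookie_sent, hsts_protected).
    (True, False) is the exposure the ticket describes: the Secure cookie goes
    out, but a certificate error on that host is only a click-through warning."""
    return cookie_sent(cookie, host, True), is_hsts_host(policies, host)


if __name__ == "__main__":
    # Constructed sample data, mirroring the ticket's scenario.
    session_cookie = {"name": "session", "domain": "example.com", "secure": True}
    without_sub = parse_sts("max-age=31536000", "example.com")
    with_sub = parse_sts("max-age=31536000; includeSubDomains", "example.com")
    odd_host = "aiodsfnuiasnis.example.com"
    print("no includeSubDomains:", evaluate([without_sub], session_cookie, odd_host))
    print("includeSubDomains:   ", evaluate([with_sub], session_cookie, odd_host))
```

With the policy from example.com alone, the request to aiodsfnuiasnis.example.com reports (True, False): the cookie is sent and the host is not HSTS-protected. With includeSubDomains the same request reports (True, True). The check uses a label boundary (host == domain or host ends with "." + domain), so notexample.com matches neither rule.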