Re: [websec] fyi: State of HSTS Deployment in 2013-Oct

Joseph Bonneau <> Sun, 10 August 2014 23:18 UTC

From: Joseph Bonneau <>
Date: Sun, 10 Aug 2014 19:17:56 -0400
Message-ID: <>
To: Yoav Nir <>
Content-Type: multipart/alternative; boundary="20cf302ef2ba9f52c905004ea8dd"
Cc: "<>" <>, "Michael J. Kranch" <>
Subject: Re: [websec] fyi: State of HSTS Deployment in 2013-Oct
List-Id: Web Application Security Minus Authentication and Transport <>

Hi all,

Michael Kranch and I have undertaken a similar effort this summer to study
both HSTS and key pinning in practice. Standard disclaimer: this is a
working draft that hasn't been peer reviewed yet (it's currently under
submission), but here's a draft of our findings:

Compared to Lucas et al.'s paper, our crawl was actually slightly smaller
(top 10k sites) but is more up-to-date, and we checked for a few more
things. In particular, we have a breakdown of bugs due to errors with the
interaction of cookies and pinning/HSTS and a survey of pinning "mixed
content", which I haven't seen documented previously. We'll get the code up
publicly soon as well.

Hopefully our work is also of interest to this list and we'd very much
appreciate any feedback!



On Sun, Aug 10, 2014 at 7:38 AM, Yoav Nir <> wrote:

> On Aug 10, 2014, at 12:59 PM, Tobias Gondrom <>
> wrote:
> > Hi Jeff,
> >
> > thanks for sharing. Good paper and interesting read.
> >
> > Even though things are slowly picking up in adoption, a bit
> > disappointing it's been only 277 out of 100000 sites in Oct 2013. (on a
> > personal note: this is consistent with my personal anecdotal experience:
> > as part of overall secure development training, I also mention HSTS to
> > developers a couple of times per year, and so far nearly none of them
> > used it before…)
> My anecdotal evidence is that I tried to promote it at the company where I
> work. We sell (among other things) an SSL-VPN gateway. That is pretty much
> a pre-packaged web server, configurable to provide access to company
> resources such as email, ERP and whatever else employees need over a web
> interface.
> At first this looked to me like a great candidate for HSTS - it’s only
> HTTPS, no HTTP. It’s pre-packaged, so we could add it without the
> administrators needing to do any work. In the end, what killed the idea was
> what happens when certificates expire or when a valid certificate is
> replaced by an almost-valid certificate (missing alternate name). The
> administrators of our products run the gamut from IT professionals who have
> been through our administration courses all the way to the CEO’s nephew
> who’s really good with computers (‘cause he’s got his own Facebook profile
> and everything). We felt it was too risky to just ship the server with HSTS
> on.
> It’s still possible to turn it on by editing some Apache configuration
> files, but you really want security to be on by default.
> Yoav
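Added example (not code from this thread or from either paper): a pre-deployment check that models the failure mode Yoav describes, where an expired certificate or one missing the host as an alternate name turns into a non-bypassable error once a browser has cached the host's HSTS policy. Host names, SAN lists and dates are constructed; the check assumes the HSTS header the server currently sends is the policy earlier visitors have cached.

```python
from datetime import datetime, timezone

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into its directives."""
    d = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        d[name.strip().lower()] = value.strip().strip('"')
    if "max-age" not in d or not d["max-age"].isdigit():
        raise ValueError("HSTS header requires a numeric max-age")
    return {"max_age": int(d["max-age"]),
            "include_subdomains": "includesubdomains" in d}

def san_matches(hostname, san_names):
    """Match like a browser does: exact name, or one wildcard in the leftmost label."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            hl, nl = host.split("."), name.split(".")
            if len(hl) == len(nl) and hl[1:] == nl[1:]:
                return True
    return False

def assess(hostname, san_names, not_after, hsts_header, now=None):
    """Return (severity, reason). 'hard' means a browser that has cached
    HSTS for this host refuses the connection with no click-through;
    'soft' means the user still sees an interstitial but can proceed."""
    now = now or datetime.now(timezone.utc)
    policy = parse_hsts(hsts_header) if hsts_header else None
    problems = []
    if not_after <= now:
        problems.append("certificate expired %s" % not_after.date())
    if not san_matches(hostname, san_names):
        problems.append("no SAN matches %s" % hostname)
    if not problems:
        return ("ok", "certificate valid for host")
    reason = "; ".join(problems)
    if policy and policy["max_age"] > 0:  # cached policy still in force
        return ("hard", reason + " (HSTS active: error cannot be bypassed)")
    return ("soft", reason + " (no HSTS: warning shown, user may proceed)")
```

Running this against each virtual host before switching the header on by default is the kind of gate that would have let the pre-packaged gateway ship HSTS without exposing the less experienced administrators to a locked-out site.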