In-Reply-To: <9324C2B1-7DAA-418B-87C2-7D4CFABD8B1C@gmail.com>
References: <53E708DB.4010505@KingsMountain.com> <53E74295.7060402@gondrom.org>
 <9324C2B1-7DAA-418B-87C2-7D4CFABD8B1C@gmail.com>
From: Joseph Bonneau <jbonneau@gmail.com>
Date: Sun, 10 Aug 2014 19:17:56 -0400
Message-ID: <CAOe4Uik8F44zCLBVvZFEDTURTWcVc_u4oz=AVMn8eFPpOKKQjw@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/jfAXljLY-Gvd9hzFKNP1zIB445c
Cc: "<websec@ietf.org>" <websec@ietf.org>,
 "Michael J. Kranch" <mkranch@princeton.edu>
Subject: Re: [websec] fyi: State of HSTS Deployment in 2013-Oct
List-Id: Web Application Security Minus Authentication and Transport
 <websec.ietf.org>


Hi all,

Michael Kranch and I have undertaken a similar effort this summer to study
both HSTS and key pinning in practice. Standard disclaimer, this is a
working draft that hasn't been peer reviewed yet (it's currently under
submission), but here's a draft of our findings:
http://jbonneau.com/doc/KB14-hsts_pinning_survey_working_draft.pdf

Compared to Lucas et al.'s paper our crawl was actually slightly smaller
(top 10k sites) but is more up-to-date and we checked for a few more
things. In particular we have a breakdown of bugs due to errors with the
interaction of cookies and pinning/HSTS and a survey of pinning "mixed
content" which I haven't seen documented previously. We'll get the code up
publicly soon as well.

Hopefully our work is also of interest to this list and we'd very much
appreciate any feedback!

Cheers,

Joe


On Sun, Aug 10, 2014 at 7:38 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:

>
> On Aug 10, 2014, at 12:59 PM, Tobias Gondrom <tobias.gondrom@gondrom.org>
> wrote:
>
> > Hi Jeff,
> >
> > thanks for sharing. Good paper and interesting read.
> >
> > Even though things are slowly picking up in adoption, a bit
> > disappointing it's been only 277 out of 100000 sites in Oct 2013. (on a
> > personal note: this is consistent with my personal anecdotal experience:
> > as part of overall secure development training, I also mention HSTS to
> > developers a couple of times per year, and so far nearly none of them
> > used it before…)
>
> My anecdotal evidence is that I tried to promote it at the company where I
> work. We sell (among other things) an SSL-VPN gateway. That is pretty much
> a pre-packaged web server, configurable to provide access to company
> resources such as email, ERP and whatever else employees need over a web
> interface.
>
> At first this looked to me like a great candidate for HSTS - it’s only
> HTTPS, no HTTP. It’s pre-packaged, so we could add it without the
> administrators needing to do any work. In the end, what killed the idea was
> what happens when certificates expire or when a valid certificate is
> replaced by an almost-valid certificate (missing alternate name). The
> administrators of our products run the gamut from IT professionals who have
> been through our administration courses all the way to the CEO’s nephew
> who’s really good with computers (‘cause he’s got his own Facebook profile
> and everything). We felt it was too risky to just ship the server with HSTS
> on.
>
> It’s still possible to turn it on by editing some Apache configuration
> files, but you really want security to be on by default.
>
> Yoav
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
>
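
The failure mode Yoav describes above, modelled as an added example (this is not code from the thread, the list, or the surveys it mentions): a minimal RFC 6797-style HSTS cache in Python, the browser's connection outcome with and without a cached policy, and why a server cannot withdraw the policy once its certificate is bad. The hostnames, dates, certificate records and the `appliance_scenario` walk-through are constructed for the example.

```python
"""Model of how a browser's HSTS cache turns a certificate problem into a hard
failure, following RFC 6797.  Added example for this thread; not code from the
message, the list, or the surveys it discusses.  Hostnames, dates and the
certificate records are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed: the kind of header an HTTPS-only appliance might ship by default.
SAMPLE_HEADER = "max-age=31536000; includeSubDomains"


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None for an unusable header: no max-age, a non-numeric max-age, or a
    directive that is repeated (treated here as invalid)."""
    max_age, include_sub, seen = None, False, set()
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')
            if not re.fullmatch(r"[0-9]+", val):
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        # Unknown directives are ignored, as the RFC requires.
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """The UA's cache of Known HSTS Hosts: host -> (expires_at, include_subdomains)."""

    def __init__(self):
        self.entries = {}

    def note(self, host, header_value, secure_ok, now):
        """Record a policy.  The header is honoured only when it arrived over an
        error-free TLS connection (RFC 6797 s8.1); max-age=0 deletes the entry.
        Returns True when the cache changed."""
        if not secure_ok:
            return False
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            return self.entries.pop(host, None) is not None
        self.entries[host] = (now + timedelta(seconds=max_age), include_sub)
        return True

    def is_known(self, host, now):
        """Exact match, or a superdomain match whose policy has includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False


def matches_san(host, sans):
    """Hostname check in the RFC 6125 style: exact match, or one leading wildcard label."""
    host = host.lower()
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if san.startswith("*.") and host.endswith(san[1:]) and host.count(".") == san.count("."):
            return True
    return False


def connect(host, cert, store, now):
    """Outcome of a TLS connection to host presenting cert: 'ok'; 'warn' (interstitial
    the user may click through); or 'hard_fail' (Known HSTS Host with a TLS error,
    which RFC 6797 s8.4 says the UA must not let the user override)."""
    expired = cert["not_after"] <= now
    mismatch = not matches_san(host, cert["sans"])
    if not (expired or mismatch):
        return "ok"
    return "hard_fail" if store.is_known(host, now) else "warn"


def appliance_scenario():
    """Yoav's case: HSTS shipped on, then a renewed certificate that is almost valid."""
    day0 = datetime(2014, 8, 10, tzinfo=timezone.utc)
    day30, day400 = day0 + timedelta(days=30), day0 + timedelta(days=400)
    store, outcomes = HstsStore(), {}
    good = {"sans": ["vpn.example.com"], "not_after": day0 + timedelta(days=365)}
    almost = {"sans": ["mail.example.com"], "not_after": day0 + timedelta(days=730)}

    # Day 0: valid certificate, header honoured, vpn.example.com is now a Known HSTS Host.
    outcomes["first_visit"] = connect("vpn.example.com", good, store, day0)
    store.note("vpn.example.com", SAMPLE_HEADER, secure_ok=True, now=day0)
    # Day 30: the admin installs a certificate whose SAN list lacks the VPN name.
    outcomes["san_mismatch"] = connect("vpn.example.com", almost, store, day30)
    outcomes["subdomain"] = connect("intranet.vpn.example.com", almost, store, day30)
    # The server cannot withdraw the policy: max-age=0 only counts over an error-free
    # connection, which the mismatched certificate cannot provide.
    outcomes["clear_attempt"] = store.note("vpn.example.com", "max-age=0", secure_ok=False, now=day30)
    # The same mismatch against a browser that never cached a policy is only a warning.
    outcomes["no_hsts"] = connect("vpn.example.com", almost, HstsStore(), day30)
    # Day 400: max-age has elapsed, so the lock-out ends by itself, but only after a year.
    outcomes["after_expiry"] = connect("vpn.example.com", almost, store, day400)
    return outcomes
```

The `clear_attempt` step is the crux of the concern in the quoted message: `max-age=0` is the only way a server can withdraw a policy, and it is honoured only over a connection the bad certificate cannot establish, so with a year-long `max-age` the lock-out lasts until the cache entry expires on its own. A practitioner shipping such a default would want a short `max-age` first and `includeSubDomains` only after certificate renewal has been exercised.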


