[websec] [Errata Rejected] RFC6797 (4075)

RFC Errata System <rfc-editor@rfc-editor.org> Mon, 11 August 2014 16:33 UTC

Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 71D0C1A0584; Mon, 11 Aug 2014 09:33:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.57
X-Spam-Status: No, score=-102.57 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.668, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id U1dDpnlWJ1y3; Mon, 11 Aug 2014 09:33:20 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [IPv6:2001:1900:3001:11::31]) by ietfa.amsl.com (Postfix) with ESMTP id 000D21A05C0; Mon, 11 Aug 2014 09:33:19 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id E62D318000E; Mon, 11 Aug 2014 09:31:35 -0700 (PDT)
To: e_lawrence@hotmail.com, Jeff.Hodges@PayPal.com, collin.jackson@sv.cmu.edu, ietf@adambarth.com
X-PHP-Originating-Script: 1005:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20140811163135.E62D318000E@rfc-editor.org>
Date: Mon, 11 Aug 2014 09:31:35 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/oIWZ7yvgEv_iDKibkeusFg1FW3o
Cc: barryleiba@computer.org, websec@ietf.org, iesg@ietf.org, rfc-editor@rfc-editor.org
Subject: [websec] [Errata Rejected] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Aug 2014 16:33:21 -0000

The following errata report has been rejected for RFC6797,
"HTTP Strict Transport Security (HSTS)".

You may review the report below and at:

Status: Rejected
Type: Technical

Reported by: Eric Lawrence <e_lawrence@hotmail.com>
Date Reported: 2014-08-08
Rejected by: Barry Leiba (IESG)

Section: 14

Original Text
   Without the "includeSubDomains" directive, HSTS is unable to protect
   such Secure-flagged domain cookies.

Corrected Text
   Without the "includeSubDomains" directive, HSTS is unable to protect
   such Secure-flagged domain cookies.

   Even with the "includeSubDomains" directive, the unavailability of 
   an "includeParent" directive means that an Active MITM attacker can 
   perform a cookie-injection attack against an otherwise 
   HSTS-protected victim domain.

   Consider the following scenario:

    The user visits https://sub.example.com and gets a HSTS policy with
    includeSubdomains set. All subsequent navigations to 
    sub.example.com and its subdomains will be secure.

    An attacker causes the victim's browser to navigate to 
    http://example.com. Because the HSTS policy applies only to 
    sub.example.com and its superdomain matches, this insecure 
    navigation is not blocked by the user agent.

    The attacker intercepts this insecure request and returns a 
    response that sets a cookie on the entire domain tree using a 
    Set-Cookie header.

    All subsequent requests to sub.example.com carry the injected
    cookie, despite the use of HSTS.

To mitigate this attack, HSTS-protected websites should perform a background fetch of a resource at the first-level domain. This resource should carry a HSTS header that will apply to the entire domain and all subdomains.
This is a valid issue, but not suitable for the errata system.  The websec working group is discussing handling this with a short document to update RFC 6797.

RFC6797 (draft-ietf-websec-strict-transport-sec-14)
Title               : HTTP Strict Transport Security (HSTS)
Publication Date    : November 2012
Author(s)           : J. Hodges, C. Jackson, A. Barth
Category            : PROPOSED STANDARD
Source              : Web Security
Area                : Applications
Stream              : IETF
Verifying Party     : IESG