Re: [websec] Certificate Pinning via HSTS (.txt version)

davidillsley@gmail.com Tue, 13 September 2011 21:22 UTC

From: davidillsley@gmail.com
In-Reply-To: <CAOuvq20H+pG1AF0u-=-Ow9oR=uGRb-wDwrFE6dPmT=HbvnO6VA@mail.gmail.com>
Date: Tue, 13 Sep 2011 22:24:05 +0100
Message-Id: <6D3E0CA6-E990-4D89-9AEE-C03066D0656E@gmail.com>
References: <4E6E9B77.1020802@KingsMountain.com> <4E6F9DC6.2080006@stpeter.im> <FA8A58ED-DD2B-446B-9F01-9D1D25140569@checkpoint.com> <4E6FB7CB.3020309@extendedsubset.com> <CAOuvq20H+pG1AF0u-=-Ow9oR=uGRb-wDwrFE6dPmT=HbvnO6VA@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Certificate Pinning via HSTS (.txt version)

On 13 Sep 2011, at 21:35, Chris Palmer wrote:
> <snip>
> sites; small sites may have to choose no pinning or potentially
> bricking their site (up to the maxAge window). This is not worse than
> the status quo."""

What about sites which don't currently use https at all? The DNS records for theregister.co.uk were redirected the other week. An attacker who could do that could redirect to https, then set a very long max-age pin. At that point, they'd be dependent on the browser vendor unpinning affected users, right?
David
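An added example, not from the thread or from the pinning draft under discussion: a toy client-side pin store showing the two defensive controls a browser can apply to the scenario David raises, namely capping how long a pin may be honoured and accepting a pin only if it matches a key actually presented in the validated chain. The `Public-Key-Pins` directive syntax, the 60-day cap and the SPKI byte strings are constructed assumptions for illustration.

```python
import base64
import hashlib

# Assumed client-side cap on max-age: a hostile pin can brick a site for at most this long.
MAX_AGE_CAP = 60 * 24 * 3600


def parse_pin_header(value):
    """Parse 'max-age=N; pin-sha256="..."' directives (assumed syntax). Returns (max_age, pins)."""
    max_age, pins = None, set()
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            max_age = int(val)
        elif name == "pin-sha256" and val:
            pins.add(val)
    return max_age, pins


def spki_fingerprint(spki_der):
    """Base64 of SHA-256 over the DER SubjectPublicKeyInfo, as pin-sha256 values are defined."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


class PinStore:
    def __init__(self, cap=MAX_AGE_CAP):
        self.cap = cap
        self.entries = {}  # host -> (expiry_timestamp, set_of_pins)

    def note(self, host, header, chain_spkis, now):
        """Record a pin learned over a validated TLS connection. Returns True if accepted."""
        max_age, pins = parse_pin_header(header)
        if max_age is None or not pins:
            return False
        served = {spki_fingerprint(s) for s in chain_spkis}
        # Refuse pins that match no key in the served chain: a hostile server can only
        # pin keys it can actually present, so it cannot pin an arbitrary third party.
        if not pins & served:
            return False
        self.entries[host] = (now + min(max_age, self.cap), pins)
        return True

    def check(self, host, chain_spkis, now):
        """True if the connection is allowed: no pin in force, or the chain matches a pin."""
        entry = self.entries.get(host)
        if entry is None or now >= entry[0]:
            self.entries.pop(host, None)  # expired pins are forgotten, capping the damage window
            return True
        return bool(entry[1] & {spki_fingerprint(s) for s in chain_spkis})

    def vendor_unpin(self, host):
        """Out-of-band removal, modelling the browser-vendor intervention David asks about."""
        return self.entries.pop(host, None) is not None
```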