Re: [websec] HSTS: Infinite max-age to address NTP spoofing attack?

Tom Ritter <tom@ritter.vg> Sat, 08 November 2014 00:14 UTC

In-Reply-To: <BAY405-EAS15381E2B86B576B335C1341FF850@phx.gbl>
References: <BAY405-EAS15381E2B86B576B335C1341FF850@phx.gbl>
From: Tom Ritter <tom@ritter.vg>
Date: Fri, 7 Nov 2014 18:13:37 -0600
Message-ID: <CA+cU71kLTXuzb90u3_MamTcyvn8jbQ-1JauBKhKzFRXi75ebBQ@mail.gmail.com>
To: Xiaoyin Liu <xiaoyin.l@outlook.com>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/tPCgxo8TJDKDV8zj7AP2eewF6no
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] HSTS: Infinite max-age to address NTP spoofing attack?

On 7 November 2014 13:28, Xiaoyin Liu <xiaoyin.l@outlook.com> wrote:
> For instance, if Twitter wants to gracefully switch to HTTP, it needs to
> send max-age=0 for twenty years in order to ensure that no one is locked
> out. But planning ahead twenty years is impossible. So for Twitter, switching
> from twenty years to infinity doesn't add more risks.

With something concrete, Paypal just jumped to 2 years:
https://twitter.com/equalsJeffH/status/530840852243832833 Maybe Jeff
can weigh in on what it took to get to that confidence level and
whether he/they would rather have 'infinite'.

-tom
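The two cache behaviours the quoted argument rests on (a finite max-age policy expiring once the local clock is pushed forward, and a returning client still being forced to HTTPS after a site has dropped it), as an added Python model that is not part of this thread or of any browser's code; the `None` max-age standing in for an "infinite" policy and the host `example.test` are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

YEAR = 365 * 24 * 3600  # seconds; leap days ignored for the model


@dataclass
class HstsEntry:
    expires_at: Optional[float]  # None models the hypothetical "infinite" max-age discussed on the list


class HstsStore:
    """Minimal model of a browser's known-HSTS-host cache (RFC 6797 section 8.1 semantics)."""

    def __init__(self) -> None:
        self.hosts: Dict[str, HstsEntry] = {}

    def observe_header(self, host: str, max_age: Optional[int], now: float) -> None:
        if max_age == 0:            # max-age=0 tells the UA to forget the host
            self.hosts.pop(host, None)
        elif max_age is None:       # assumed sentinel: never expire (not in RFC 6797)
            self.hosts[host] = HstsEntry(None)
        else:                       # expiry is anchored to the UA's *local* clock
            self.hosts[host] = HstsEntry(now + max_age)

    def is_known(self, host: str, now: float) -> bool:
        entry = self.hosts.get(host)
        if entry is None:
            return False
        if entry.expires_at is not None and now >= entry.expires_at:
            self.hosts.pop(host)    # lazily evict an expired policy
            return False
        return True


def survives_clock_jump(max_age: Optional[int], jump_years: int) -> bool:
    """Is the policy still enforced after the local clock moves jump_years forward (e.g. bad NTP)?"""
    store = HstsStore()
    store.observe_header("example.test", max_age, now=0.0)
    return store.is_known("example.test", now=jump_years * YEAR)


def locked_out(max_age: int, last_visit: float, https_dropped_at: float) -> bool:
    """Client last saw max_age at last_visit and only returns after the site stopped serving HTTPS."""
    store = HstsStore()
    store.observe_header("example.test", max_age, now=last_visit)
    return store.is_known("example.test", now=https_dropped_at)
```

The second function is why a site must keep serving `max-age=0` over HTTPS until every previously issued entry has expired: a client that never returns during that window is still forced to HTTPS.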