Re: [websec] Comments on "I am testing HSTS"-directive and Issue #41 add parameter "hardfail=no"?

=JeffH <Jeff.Hodges@KingsMountain.com> Wed, 20 June 2012 17:53 UTC

Message-ID: <4FE20E0A.8030603@KingsMountain.com>
Date: Wed, 20 Jun 2012 10:53:14 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Comments on "I am testing HSTS"-directive and Issue #41 add parameter "hardfail=no"?
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>

Hi,

Tobias wrote..
>
> I would like to ask for feedback/opinions from the WG on this draft
> regarding the following open issue:
>
> - in Paris we had a discussion about whether HSTS header should specify
> a "I am testing HSTS" directive. There was some support for this in the
> room but no consensus.

ptr to meeting minutes below at [1].

> I would like to make a final invitation for comments/views/opinions on this?

Please also note that I comment on this near the end of this recent message..

Re: [websec] Issue #41 add parameter indicating whether to hardfail or not
https://www.ietf.org/mail-archive/web/websec/current/msg01213.html

Here's what I wrote in that msg:

In the Paris WG session, the discussion of the above morphed to thinking about 
having a new "this site is testing HSTS" directive.

In thinking about this, we don't think it is really necessary because if one 
declares one's web app as being HSTS, one can watch server logs to see if any 
requests come in over plain http, and then go track those issues down. You 
don't really need the user agent's help to figure out what is happening. It's 
just going to mechanically transform all http URIs pointing to your site into 
https ones, and try to load them, and if they 404, you'll know it (via your logs).

It's arguably different with Content Security Policy (CSP) -- which is where 
the discussed notion came from ("report-only") -- because in CSP, the user 
agent is enforcing policy on loaded content within itself and there may be no 
other way to figure out what it's doing.


> - And as this is somehow related:
> the still open #41: should HSTS have an option like "hardfail=no"?
> Our meeting discussion in Paris did not show consensus in support of this.

And I commented on that in the beginning of the above-mentioned message.

HTH,

=JeffH

[1]
> and just in case anyone wants to read up on our meeting minutes from Paris:
> http://www.ietf.org/proceedings/83/minutes/minutes-83-websec.txt
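The log-watching approach the message describes (declare HSTS, then look in the server logs for requests that still arrive over plain http and for https requests that 404 after the UA's mechanical http-to-https rewrite), as an added example that is not part of the original message or of any IETF draft. It assumes Apache's "vhost_combined" LogFormat (%v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"), which puts the listening port first; that port is how the script tells plain HTTP (80) from HTTPS (443). The hostnames, addresses and log lines are constructed for the example, and the port-to-scheme mapping is an assumption about the server's configuration.

```python
"""Audit an access log for the two HSTS rollout signals:
  1. requests that still arrive over plain HTTP (no upgrade happened), and
  2. HTTPS requests that 404 (an http:// link was rewritten to https:// by
     the UA and the https:// resource does not exist).

Added example, not code from the original message. Assumes Apache's
vhost_combined log format; the Referer column is kept because it usually
points at the page that still carries the stale or hardcoded link.
"""
import re
from collections import Counter

# vhost_combined: "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\""
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+) (?P<client>\S+) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption about this server's listeners: 80 is plain HTTP, 443 is TLS.
PLAIN_HTTP_PORTS = {"80"}
TLS_PORTS = {"443"}


def parse_line(line):
    """Return the fields of one vhost_combined line, or None when the line
    does not match (unexpected formats are skipped, not fatal)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def audit(lines):
    """Classify requests into the two signals.

    plain_http: keyed by (path, referer, user-agent). Once the HSTS policy is
                known, a conforming UA never sends these, so each hit is a
                client that has not yet seen the header, a non-HSTS client
                (old browser, crawler, script), or a UA ignoring the policy.
    https_404 : keyed by (path, referer). Candidate broken rewrites; the
                referer is where to go looking for the offending link.
    """
    plain_http = Counter()
    https_404 = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["port"] in PLAIN_HTTP_PORTS:
            plain_http[(rec["path"], rec["referer"], rec["ua"])] += 1
        elif rec["port"] in TLS_PORTS and rec["status"] == 404:
            https_404[(rec["path"], rec["referer"])] += 1
    return {"plain_http": plain_http, "https_404": https_404}


def report(result):
    """Render the audit result as text, most frequent first."""
    out = ["Plain-HTTP requests (expect none from HSTS-aware clients):"]
    for (path, ref, ua), n in result["plain_http"].most_common():
        out.append(f"  {n:4d}  {path}  referer={ref}  ua={ua}")
    out.append("HTTPS 404s (candidate broken http->https rewrites):")
    for (path, ref), n in result["https_404"].most_common():
        out.append(f"  {n:4d}  {path}  referer={ref}")
    return "\n".join(out)


# Constructed sample log; hosts, addresses and paths are placeholders.
SAMPLE_LOG = """\
example.com:443 203.0.113.5 - - [20/Jun/2012:10:53:14 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Firefox/12.0"
example.com:443 203.0.113.5 - - [20/Jun/2012:10:53:15 -0700] "GET /img/logo.png HTTP/1.1" 404 312 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Firefox/12.0"
example.com:80 198.51.100.7 - - [20/Jun/2012:10:54:01 -0700] "GET /docs/ HTTP/1.1" 301 229 "http://partner.example.net/links" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1)"
example.com:443 198.51.100.7 - - [20/Jun/2012:10:54:02 -0700] "GET /docs/ HTTP/1.1" 200 8890 "http://partner.example.net/links" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1)"
example.com:443 192.0.2.9 - - [20/Jun/2012:10:55:10 -0700] "GET /img/logo.png HTTP/1.1" 404 312 "https://example.com/about" "Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Firefox/12.0"
this line is not in the expected format and is skipped
"""

if __name__ == "__main__":
    print(report(audit(SAMPLE_LOG.splitlines())))
```

On the sample input the plain-HTTP hit comes from an IE8 client following a link on a partner site, which is exactly the case the message describes: the user agent's help is not needed, the log already shows which client, which path and which referring page. The two https 404s for /img/logo.png point at two pages of the site itself that reference a resource missing on the https side.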