[websec] [Technical Errata Reported] RFC6797 (4075)

RFC Errata System <rfc-editor@rfc-editor.org> Fri, 08 August 2014 19:07 UTC

Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 304831A0276 for <websec@ietfa.amsl.com>; Fri, 8 Aug 2014 12:07:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.903
X-Spam-Status: No, score=-106.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id V-wFb5g6S3-X for <websec@ietfa.amsl.com>; Fri, 8 Aug 2014 12:07:08 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org []) by ietfa.amsl.com (Postfix) with ESMTP id 6F2E41A0272 for <websec@ietf.org>; Fri, 8 Aug 2014 12:07:08 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 56A431801A4; Fri, 8 Aug 2014 12:05:33 -0700 (PDT)
To: Jeff.Hodges@PayPal.com, collin.jackson@sv.cmu.edu, ietf@adambarth.com, barryleiba@computer.org, presnick@qti.qualcomm.com, tobias.gondrom@gondrom.org, ynir.ietf@gmail.com
X-PHP-Originating-Script: 6000:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20140808190533.56A431801A4@rfc-editor.org>
Date: Fri, 08 Aug 2014 12:05:33 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/vSdh2P8ZYsVXI2o_Yl3D9w4J9i8
X-Mailman-Approved-At: Sat, 09 Aug 2014 13:21:12 -0700
Cc: e_lawrence@hotmail.com, websec@ietf.org, rfc-editor@rfc-editor.org
Subject: [websec] [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Aug 2014 19:07:10 -0000

The following errata report has been submitted for RFC6797,
"HTTP Strict Transport Security (HSTS)".

You may review the report below and at:

Type: Technical
Reported by: Eric Lawrence <e_lawrence@hotmail.com>

Section: 14

Original Text
   Without the "includeSubDomains" directive, HSTS is unable to protect
   such Secure-flagged domain cookies.

Corrected Text
   Without the "includeSubDomains" directive, HSTS is unable to protect
   such Secure-flagged domain cookies.

   Even with the "includeSubDomains" directive, the unavailability of 
   an "includeParent" directive means that an Active MITM attacker can 
   perform a cookie-injection attack against an otherwise 
   HSTS-protected victim domain.

   Consider the following scenario:

    The user visits https://sub.example.com and gets a HSTS policy with
    includeSubdomains set. All subsequent navigations to 
    sub.example.com and its subdomains will be secure.

    An attacker causes the victim's browser to navigate to 
    http://example.com. Because the HSTS policy applies only to 
    sub.example.com and its superdomain matches, this insecure 
    navigation is not blocked by the user agent.

    The attacker intercepts this insecure request and returns a 
    response that sets a cookie on the entire domain tree using a 
    Set-Cookie header.

    All subsequent requests to sub.example.com carry the injected
    cookie, despite the use of HSTS.

To mitigate this attack, HSTS-protected websites should perform a background fetch of a resource at the first-level domain. This resource should carry a HSTS header that will apply to the entire domain and all subdomains.

This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary. 

RFC6797 (draft-ietf-websec-strict-transport-sec-14)
Title               : HTTP Strict Transport Security (HSTS)
Publication Date    : November 2012
Author(s)           : J. Hodges, C. Jackson, A. Barth
Category            : PROPOSED STANDARD
Source              : Web Security
Area                : Applications
Stream              : IETF
Verifying Party     : IESG