Re: [websec] fyi: State of HSTS Deployment in 2013-Oct

Tobias Gondrom <tobias.gondrom@gondrom.org> Sun, 10 August 2014 09:59 UTC

Message-ID: <53E74295.7060402@gondrom.org>
Date: Sun, 10 Aug 2014 10:59:49 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
To: Jeff.Hodges@KingsMountain.com
References: <53E708DB.4010505@KingsMountain.com>
In-Reply-To: <53E708DB.4010505@KingsMountain.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/xIW4E6WM_4w-5QyHD_fbC6uzshU
Cc: websec@ietf.org
Subject: Re: [websec] fyi: State of HSTS Deployment in 2013-Oct

Hi Jeff,

Thanks for sharing. Good paper and interesting read.

Even though things are slowly picking up in adoption, it's a bit
disappointing that it was only 277 out of 100000 sites in Oct 2013. (On a
personal note: this is consistent with my personal anecdotal experience:
as part of overall secure development training, I also mention HSTS to
developers a couple of times per year, and so far nearly none of them
had used it before...)

Best regards, Tobias


PS: As Lucas wrote, he initially prepared the document as a
conference paper. In case he is interested, this might be an interesting
submission for an AppSec conference in 2015 (e.g. AppSecUS or AppSecEU);
the 2014 ones are unfortunately already finished or past CFP.



On 10/08/14 06:53, =JeffH wrote:
> Here's an interesting & relevant draft paper by Lucas Garron (and
> Andrew Bortz & Dan Boneh)..
>
>   The State of HSTS Deployment:  A Survey and Common Pitfalls
>   https://garron.net/crypto/hsts/hsts-2013.pdf
>
> Note that "S 8.5 Securing https://example.com from a subdomain" is
> essentially the issue that Eric Lawrence recently filed against
> RFC6797 HSTS.
>
> The paper is worth a read, and the scan code is here..
>
>   https://github.com/lgarron/HSTS/tree/scan
>
> ..see also the discussion in this thread on <security-dev@chromium.org>..
>
>   State of HSTS on the Web (2013)
>
> https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Ibdf-x_uqEs
>
>
>
> HTH,
>
> =JeffH
>