Re: [websec] Safari restrictions to HSTS
Lucas Garron <lgarron@chromium.org> Mon, 05 February 2018 21:59 UTC
Return-Path: <lgarron@chromium.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7BC8127011 for <websec@ietfa.amsl.com>; Mon, 5 Feb 2018 13:59:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8lxZLmv7mRNk for <websec@ietfa.amsl.com>; Mon, 5 Feb 2018 13:59:04 -0800 (PST)
Received: from mail-yw0-x233.google.com (mail-yw0-x233.google.com [IPv6:2607:f8b0:4002:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32DAB1241F8 for <websec@ietf.org>; Mon, 5 Feb 2018 13:59:04 -0800 (PST)
Received: by mail-yw0-x233.google.com with SMTP id x62so19507253ywg.11 for <websec@ietf.org>; Mon, 05 Feb 2018 13:59:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6LuKi4PTYLcsy4HXNSJsCckOc6ILZsuim6UXBm+eHQM=; b=Osb6fewcyx4T1viGpGAyredY2S9g3h+EEhdxWy2DvVKxAPHOU4llUsRI1O6ojuoOE/ GW0Nyq7L5C1ZnqQimMrlz0tsCC+K3uVn53vQCTaofaHrcQZvws6lAhmTeQ6BUiozOQQa f8Z2eKyuVzjzkAf6pwYu5eQwgvxwqUwBj1XDg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6LuKi4PTYLcsy4HXNSJsCckOc6ILZsuim6UXBm+eHQM=; b=l6I1/9arC7Rm4gN1pVVOBc2iHcPNPPm0sHBxmKDPd1AWYWnMa/u98aTVYcoM5rh877 FUc44TL6JknbCgrgYy1FLrrLliPGf3kWxnhE/pE1ep4usFk6G4SYydwwkWG2n5LvF55J 5nVDBAsFW3RmBoiCHZTu1pxTlBNIORs7XYXJcIIjxjwXkneEPdVAeO++Z7NaW3+75Kzy AHaWqkJgnNzeAw8SVk2W11txuZAcwym8omjaBoNdg+ebL/zCWSLWzsitKcVyVA/lTyyy NzE1brAnBZ2A5PWGGqXqc5QuHFz499+M86isLZH7hc6Z5J7GIrV2faGkTDKAYKjek2e/ TalA==
X-Gm-Message-State: APf1xPBEPG00ZGB8ioDF+xsNcwn8lf6Vva+LZw6R2aZtR2Q3aNnK5Pxw 8/6ngOFK64OlJwUkzN0o2HovYtV62Rj1l+xmsOpqZg==
X-Google-Smtp-Source: AH8x226hLOR+0gGdOwEGgqCqm8aUCY3EgjSQKdwG+zevVDCjh84nnVIllruhUC2h71MAAUic9ROhh89UsKOsCfmfuD0=
X-Received: by 10.37.162.135 with SMTP id c7mr178610ybi.247.1517867943127; Mon, 05 Feb 2018 13:59:03 -0800 (PST)
MIME-Version: 1.0
References: <F37486C4-5443-46EE-A2FE-8B3A4579AE62@apple.com>
In-Reply-To: <F37486C4-5443-46EE-A2FE-8B3A4579AE62@apple.com>
From: Lucas Garron <lgarron@chromium.org>
Date: Mon, 05 Feb 2018 21:58:52 +0000
Message-ID: <CANCvrdTWGLf1FV_ngmJKMk4UDAFiKjsEVtmchAmrXPiU7UT9hA@mail.gmail.com>
To: John Wilander <wilander@apple.com>
Cc: websec@ietf.org
Content-Type: multipart/alternative; boundary="089e0828aad89100c605647e2be5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/websec/xQOXRGnrjmNs1RtaIBbXzld7Mbk>
Subject: Re: [websec] Safari restrictions to HSTS
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Feb 2018 21:59:07 -0000
While I think it is is good to fight supercookies, I'd like to note that this kind of policy has performance implications. Suppose a site has a domain named short.example that redirects to longsitename.example: - http://short.example - Redirect - https://longsitename.example (Real-world examples: fb.me, bofa.com, bit.ly, t.co) Neither step in the redirect can set an HSTS header for the short.example host, which means that subsequent visits will not be protected. Caching or using permanent redirect codes can help, but are not as strong as HSTS (the site's caching max-age may not be as high, may be cleared with browsing data more easily, or may be evicted from cache by browsers more easily) and usually only applies to exact URLs – this will not work if short.example is e.g. a URL shortener with different URLs for different visits. It is possible to fix this by redirecting to HTTPS before going to another site: - http://short.example - Redirect - https://short.example - Set HSTS - Redirect - https://longsitename.example In fact, https://hstspreload.org/ currently enforces this as a dynamic HSTS best practice if you want to submit short.example to the HSTS preload list. However, for dynamic HSTS this incurs the performance penalty of an additional synchronous blocking HTTPS request for the first load – and back when I was maintaining the preload list I received a few concerned emails about this penalty. (Note that the performance penalty goes away for users who have short.example in their browser's HSTS preload list. But there is a multi-week gap while this affects all users before the preloaded site reaches their browser, and this will always affect users with clients that don't have an up-to-date HSTS preload list. Also, we may soon see a feature where not all sites on the preload list are shipped to all browser users.) If the response from https://longsitename.example is permitted to set HSTS for short.example, this has two benefits: - http://short.example always gets users to the final destination without a performance penalty. - *All* visits to https://longsitename.example can "prime" HSTS for short.example in case visitors use it in the future. - In fact, the main site can pre-emptively prime HSTS for *multiple* related sites without adding redirect hops for each one. This is currently possible in browsers other than Safari by requesting extra subresources, although it would be nice to have something more declarative <https://bugs.chromium.org/p/chromium/issues/detail?id=626180>. I think it would be nice if any cross-domain restrictions did not introduce dynamic HSTS security vs. performance tradeoffs for legitimate use cases like I described. One hacky way to solve this for my main example would be to allow HTTP responses to set an HSTS header for the domain while redirecting to another domain, but this contradicts the current spec and makes it easy to brick a site. (It would also not support general cross-domain priming.) »Lucas On Mon, Feb 5, 2018 at 8:08 AM John Wilander <wilander@apple.com> wrote: > Hi WebSec @ IETF! > > My name is John Wilander and I’m a security engineer on Apple’s WebKit > team. WebKit, and thus our browser Safari, has some special rules for > (non-preload) HSTS to mitigate HSTS super cookies. I’m sending over the > details in case you want to augment the HSTS specification. > > Basic rule: Only allow first parties to set HSTS. > > If it’s a response to a top frame load that has an HSTS header, it is > obviously the first party so that's automatically handled. If it’s a > response to a subresource request, it gets more interesting. > > As of our latest releases, we only allow the current first-party domain > and its eTLD+1 (formally public suffix + 1) to set HSTS in subresource > responses. > > Example: > > Say you have loaded a page from https://sub.domain.example.com. A > response to a subresource request on that page may set HSTS for: > > 1. sub.domain.example.com and > 2. example.com > > It may not set HSTS for: > > 1. some.sub.domain.example.com, > 2. domain.example.com, or > 3. other.org > > Kind regards, John Wilander > _______________________________________________ > websec mailing list > websec@ietf.org > https://www.ietf.org/mailman/listinfo/websec >
- [websec] Safari restrictions to HSTS John Wilander
- Re: [websec] Safari restrictions to HSTS Lucas Garron