[websec] Re: RFC6797: Adding HSTS on an established/legacy domain in an enterprise
=JeffH <Jeff.Hodges@Kingsmountain.com> Fri, 21 March 2025 19:57 UTC
Return-Path: <jeff.hodges@kingsmountain.com>
X-Original-To: websec@mail2.ietf.org
Delivered-To: websec@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id A007010B3CDA for <websec@mail2.ietf.org>; Fri, 21 Mar 2025 12:57:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -0.449
X-Spam-Level:
X-Spam-Status: No, score=-0.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_SBL_A=0.1] autolearn=no autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 18DnP9IQvEH5 for <websec@mail2.ietf.org>; Fri, 21 Mar 2025 12:57:47 -0700 (PDT)
Received: from omta34.uswest2.a.cloudfilter.net (omta34.uswest2.a.cloudfilter.net [35.89.44.33]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id BC3DE10B3CD4 for <websec@ietf.org>; Fri, 21 Mar 2025 12:57:47 -0700 (PDT)
Received: from eig-obgw-5003a.ext.cloudfilter.net ([10.0.29.159]) by cmsmtp with ESMTPS id va6etJ9cGWuHKviV0tQEBO; Fri, 21 Mar 2025 19:57:46 +0000
Received: from box5261.bluehost.com ([162.241.225.117]) by cmsmtp with ESMTPS id viUztTRwAliBXviUzt3qb7; Fri, 21 Mar 2025 19:57:46 +0000
X-Authority-Analysis: v=2.4 cv=bOXdI++Z c=1 sm=1 tr=0 ts=67ddc4ba a=Qq/JosIIWik17RDiG6dwpA==:117 a=Qq/JosIIWik17RDiG6dwpA==:17 a=IkcTkHD0fZMA:10 a=Vs1iUdzkB0EA:10 a=kgoENrvEAAAA:8 a=A1X0JdhQAAAA:8 a=48vgC7mUAAAA:8 a=fllrwkGkzZcrL3RFv1oA:9 a=3ZKOabzyN94A:10 a=QEXdDO2ut3YA:10 a=zJqg23xH-iUt7vG5VXIX:22 a=eajzlRROTVn3UvYaCu8y:22
Received: from c-73-241-209-94.hsd1.ca.comcast.net ([73.241.209.94]:51818 helo=[10.0.0.189]) by box5261.bluehost.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.1) (envelope-from <Jeff.Hodges@Kingsmountain.com>) id 1tviUy-00000001eSs-49qs; Fri, 21 Mar 2025 13:57:45 -0600
Message-ID: <8efb38fd-e95f-4eae-a86d-f94974b09807@Kingsmountain.com>
Date: Fri, 21 Mar 2025 12:57:37 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Gunnar Guðvarðarson <gunnarg@thekking.is>, "collin.jackson@sv.cmu.edu" <collin.jackson@sv.cmu.edu>, "abarth@eecs.berkeley.edu" <abarth@eecs.berkeley.edu>
References: <AS8P193MB1302B6D1C3A32104AD8C694EB1C92@AS8P193MB1302.EURP193.PROD.OUTLOOK.COM>
Content-Language: en-US
From: =JeffH <Jeff.Hodges@Kingsmountain.com>
In-Reply-To: <AS8P193MB1302B6D1C3A32104AD8C694EB1C92@AS8P193MB1302.EURP193.PROD.OUTLOOK.COM>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box5261.bluehost.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - Kingsmountain.com
X-BWhitelist: no
X-Source-IP: 73.241.209.94
X-Source-L: No
X-Exim-ID: 1tviUy-00000001eSs-49qs
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: c-73-241-209-94.hsd1.ca.comcast.net ([10.0.0.189]) [73.241.209.94]:51818
X-Source-Auth: jeff.hodges@kingsmountain.com
X-Email-Count: 1
X-Org: HG=bhshared;ORG=bluehost;
X-Source-Cap: a2luZ3Ntb3U7a2luZ3Ntb3U7Ym94NTI2MS5ibHVlaG9zdC5jb20=
X-Local-Domain: yes
X-CMAE-Envelope: MS4xfMHTZat+hZjQB37/cIj+03YliYSNpi9eLdSaqzjZwFXbb76wo9TOjjLjDFEGtrlIPLQsVuATTI+xkE+knqL+3cnlMCBX7UnvN/8VOJIx23NMll1HmcmM fvMSGyNT90XobnRuivuvm7iHRuoQlBlSkFpn50uEGWz1527g1t2iWiD7fc9RtYTC+j2eij+VxPkw3GL2wj+dOT3kaTlcsvrlDIk=
Message-ID-Hash: WZCKDOTYK4MLBEJ6WC4G627KEVWXF4AH
X-Message-ID-Hash: WZCKDOTYK4MLBEJ6WC4G627KEVWXF4AH
X-MailFrom: jeff.hodges@kingsmountain.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-websec.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "rfc6797@ietf.org" <rfc6797@ietf.org>, "scott@scotthelme.co.uk" <scott@scotthelme.co.uk>, "troy@troyhunt.com" <troy@troyhunt.com>, websec@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [websec] Re: RFC6797: Adding HSTS on an established/legacy domain in an enterprise
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/websec/xrO0B7LJp5xrCAKuwavF-wr6ZwM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/websec>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Owner: <mailto:websec-owner@ietf.org>
List-Post: <mailto:websec@ietf.org>
List-Subscribe: <mailto:websec-join@ietf.org>
List-Unsubscribe: <mailto:websec-leave@ietf.org>
On 3/3/2025 9:15 AM, Gunnar Guðvarðarson wrote: > Hey, > > As you might well be aware, adding HSTS on an established, legacy domain in an enterprise is not popular, and most of the time blocked by legacy ... reasons. > > I would like to propose an addition to RFC6797, a "-Report-Only" header alternative to the existing header, that while it would not actually enforce HSTS, it would instead report potential failures of the HSTS policy to the configured NEL<https://w3c.github.io/network-error-logging/#secure-connection-establishment-errors>. Thanks for sharing your idea. However, I'm no longer active in the IETF and am not contributing to such work. (and rarely reading email at this address) Also, the "need" for HSTS is decreasing as browsers now support "HTTPS-first" behavior along with the mass adoption of HTTPS fostered by Lets Encrypt. (HSTS was/is a stopgap tool). Though, if you wish to pursue this, the way to do it is to propose it on the websec@ietf.org mailing list and write an internet-draft. I hope this helps, JeffH > > Examples: > report-to: {"group":"default","max_age":31536000,"endpoints":[{"url":"https://example.com/reports"}],"include_subdomains":true} > nel: {"report_to":"default","max_age":31536000,"include_subdomains":true,"failure_fraction":1.0} > > strict-transport-security-report-only: max-age=31536000; includesubdomains > Or > strict-transport-security-report-only: max-age=31536000; includesubdomains; report-to=default > > Or a mix of enforcement for apex and reporting for subdomains, strictest policy always wins, so if a subdomain already has HSTS enforced, use that. > strict-transport-security: max-age=31536000 > strict-transport-security-report-only: max-age=31536000; includesubdomains > > Applying this should be fearless, since nothing changes except reports are generated, and after running that for a few months or years, and fixing any reports, you can be confident when actually enabling HSTS enforcement. > > Kveðja / Regards, > Gunnar Guðvarðarson > Öryggissérfræðingur | Principal Security Engineer > Skilmálar / DisclaimerLagalegur fyrirvari tölvupósts / E-mail disclaimer