[websec] HSTS Hole Punching
tav <tav@espians.com> Tue, 15 January 2013 22:57 UTC
Date: Tue, 15 Jan 2013 22:57:36 +0000
Message-ID: <CAJThFW4vBWUEA3ZC1FQ25vdJC95cFgsFs2Z=6rAJNdfUWowJ8w@mail.gmail.com>
From: tav <tav@espians.com>
To: websec@ietf.org
Subject: [websec] HSTS Hole Punching
Hi there,

I realise that this proposal might be rather late in the process, but would it be possible to add a list of excluded subdomains in the STS header?

My use case is that I am setting up a new service which has the STS header set so that users might have a more secure experience. However, for the purposes of sending referrer path information to non-HTTPS sites, I have one subdomain which does redirects over plain HTTP, e.g. http://from.espra.com/some/referrer/path.

In an ideal world, I would be able to set a comprehensive STS header which excluded just that one subdomain, e.g.

  Strict-Transport-Security: max-age=31536000; includeSubDomains; exclude=from.espra.com

And since having an exclude implicitly suggests includeSubdomains, it could be shortened to just:

  Strict-Transport-Security: max-age=31536000; exclude=from.espra.com

There are, of course, alternative solutions, e.g. using another domain for the HTTP redirect or setting STS on individual subdomains without specifying includeSubdomains. But this seems like it would be a more elegant and secure solution.

Thank you for your time!

-- 
All the best, tav
plex:espians/tav | tav@espians.com | +44 (0) 7809 569 369
http://tav.espians.com | http://twitter.com/tav | skype:tavespian
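The following is an added example, not part of tav's message and not code from any RFC 6797 implementation. It models how a user agent's HSTS policy store would behave if the proposed `exclude=` directive existed: the directive itself, its semantics here (it implies includeSubDomains, and an excluded name is assumed to cover everything under it) and the names `HstsPolicy`, `HstsStore`, `parse_sts_header` and `demo` are assumptions for illustration. Everything else follows RFC 6797 as published, which defines only max-age and includeSubDomains, tells agents to ignore unknown directives, and honours the header only when received over error-free TLS. The host names come from the message; the clock value in `demo()` is constructed.

```python
"""Hypothetical HSTS store with the `exclude=` directive proposed above.
Added example, not code from the message; `exclude` is NOT in RFC 6797 and no
browser implements it. The rest follows RFC 6797 sections 6.1, 8.1 and 8.2/8.3."""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int             # seconds, from max-age
    include_subdomains: bool
    excluded: frozenset      # hypothetical: names carved out of includeSubDomains
    received_at: float       # clock reading when the header arrived


def parse_sts_header(value, now=None):
    """RFC 6797 6.1: names are case-insensitive, max-age is required, unknown
    directives are ignored, a directive given twice invalidates the header."""
    seen, max_age, include_sub, excluded = set(), None, False, set()
    for raw in value.split(";"):
        if not raw.strip():
            continue
        name, _, arg = raw.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:
            raise ValueError(f"directive {name!r} repeated")
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "exclude":  # hypothetical; proposal: implies includeSubDomains
            excluded = {h.strip().lower().rstrip(".") for h in arg.split(",") if h.strip()}
            include_sub = True
        # any other directive is unknown and ignored
    if max_age is None:
        raise ValueError("max-age is required")
    return HstsPolicy(max_age, include_sub, frozenset(excluded),
                      time.time() if now is None else now)


class HstsStore:
    """Known HSTS Host list keyed by lower-cased host name."""

    def __init__(self):
        self.policies = {}

    def process_response(self, host, header_value, over_tls, now):
        # RFC 6797 8.1: only a header seen over error-free TLS counts, which
        # is what keeps an on-path attacker from installing or loosening policy.
        if not over_tls:
            return
        try:
            policy = parse_sts_header(header_value, now)
        except ValueError:
            return
        host = host.lower().rstrip(".")
        if policy.max_age == 0:
            self.policies.pop(host, None)  # max-age=0 evicts the host
        else:
            self.policies[host] = policy

    def must_upgrade(self, host, now):
        """RFC 6797 8.2/8.3: congruent match first, then each superdomain whose
        policy carries includeSubDomains; returns True if http must become https."""
        host = host.lower().rstrip(".")
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None or now - policy.received_at > policy.max_age:
                continue  # absent or expired
            if i == 0:
                return True
            if not policy.include_subdomains:
                continue
            # hypothetical exclude, assumed to cover the named host and its subtree
            if any(host == ex or host.endswith("." + ex) for ex in policy.excluded):
                continue
            return True
        return False


def demo():
    """The message's scenario on a fixed, constructed clock value."""
    now = 1_358_290_656
    header = "max-age=31536000; exclude=from.espra.com"
    store, plain = HstsStore(), HstsStore()
    store.process_response("espra.com", header, over_tls=True, now=now)
    plain.process_response("espra.com", header, over_tls=False, now=now)
    return {
        "espra.com": store.must_upgrade("espra.com", now),
        "www.espra.com": store.must_upgrade("www.espra.com", now),
        "from.espra.com": store.must_upgrade("from.espra.com", now),
        "x.from.espra.com": store.must_upgrade("x.from.espra.com", now),
        "www.espra.com after expiry": store.must_upgrade("www.espra.com", now + 31536001),
        "header seen over plain http": plain.must_upgrade("espra.com", now),
    }
```

Running `demo()` shows the intended effect of the proposal: one header on espra.com upgrades www.espra.com but leaves from.espra.com (and anything beneath it) reachable over plain HTTP, the policy lapses after max-age, and the same header seen over plain HTTP installs nothing. Two practical caveats follow from RFC 6797 as it stands. No deployed agent recognises exclude, so today the carve-out has to be done the way the message lists as alternatives: a separate registrable domain for the HTTP redirector, or per-host headers without includeSubDomains. And because agents ignore unknown directives, a conforming agent given the shortened form `max-age=31536000; exclude=from.espra.com` would see neither exclude nor includeSubDomains and protect only espra.com itself, while the long form with an explicit includeSubDomains would upgrade from.espra.com along with every other subdomain.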