[websec] HSTS Hole Punching

tav <tav@espians.com> Tue, 15 January 2013 22:57 UTC

Date: Tue, 15 Jan 2013 22:57:36 +0000
Message-ID: <CAJThFW4vBWUEA3ZC1FQ25vdJC95cFgsFs2Z=6rAJNdfUWowJ8w@mail.gmail.com>
From: tav <tav@espians.com>
To: websec@ietf.org

Hi there,

I realise that this proposal might be rather late in the process, but
would it be possible to add a list of excluded subdomains in the STS
header?

My use case is that I am setting up a new service which has the STS
header set so that users might have a more secure experience. However,
for the purposes of sending referrer path information to non-HTTPS
sites, I have one subdomain which does redirects over plain HTTP, e.g.
http://from.espra.com/some/referrer/path.

In an ideal world, I would be able to set a comprehensive STS header
which excluded just that one subdomain, e.g.

  Strict-Transport-Security: max-age=31536000; includeSubDomains; exclude=from.espra.com

And since having an exclude implicitly suggests includeSubdomains, it
could be shortened to just:

  Strict-Transport-Security: max-age=31536000; exclude=from.espra.com

There are, of course, alternative solutions, e.g. using another domain
for the HTTP redirect or setting STS on individual subdomains without
specifying includeSubdomains. But this seems like it would be a more
elegant and secure solution.

Thank you for your time!

-- 
All the best, tav

plex:espians/tav | tav@espians.com | +44 (0) 7809 569 369
http://tav.espians.com | http://twitter.com/tav | skype:tavespian
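An added example (not part of the original message) modelling how a user agent might apply such a policy in Python: max-age and includeSubDomains are handled per RFC 6797, while the `exclude` directive is the hypothetical one proposed above and is assumed to imply includeSubDomains, as the message suggests. The sample hosts are constructed from the message's own example.

```python
# Added example (not from the original message): a small model of how a
# user agent might apply HSTS policy to a request host. max-age and
# includeSubDomains follow RFC 6797; "exclude" is the *proposed*,
# non-standard directive from the message and is assumed to imply
# includeSubDomains, as the message suggests.
from dataclasses import dataclass


@dataclass(frozen=True)
class HstsPolicy:
    host: str                  # host that sent the header, lower-cased
    max_age: int
    include_subdomains: bool
    excluded: frozenset        # hypothetical exclude list


def parse_sts(host, header, secure_transport=True):
    """Parse an STS value received from `host`; None if it arrived over
    a non-secure connection, which RFC 6797 section 8.1 says to ignore."""
    if not secure_transport:
        return None
    max_age, include, excluded = None, False, set()
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name = name.lower()          # directive names are case-insensitive
        value = value.strip().strip('"').lower().rstrip(".")
        if name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            include = True
        elif name == "exclude":      # proposed directive, not in RFC 6797
            excluded.add(value)
            include = True           # an exclude list implies includeSubDomains
    if max_age is None:
        raise ValueError("max-age is a required directive")
    return HstsPolicy(host.lower().rstrip("."), max_age, include, frozenset(excluded))


def must_use_https(policy, request_host):
    """Decide whether a plain-HTTP request to request_host must be upgraded."""
    h = request_host.lower().rstrip(".")
    if h == policy.host:
        return True
    # label-wise suffix match: "www.espra.com" is under "espra.com", "notespra.com" is not
    if not (policy.include_subdomains and h.endswith("." + policy.host)):
        return False
    # the proposal excludes exactly the named host, so match it exactly
    return h not in policy.excluded
```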