Re: [websec] HSTS and subdomains

=JeffH <> Tue, 16 September 2014 21:08 UTC

Date: Tue, 16 Sep 2014 14:08:37 -0700
From: =JeffH <>
To: Anne van Kesteren <>
Cc: Ian Hickson <>, websec <>
Subject: Re: [websec] HSTS and subdomains
List-Id: Web Application Security Minus Authentication and Transport <>

 > If serves up a policy with includeSubdomains. And
 > serves up a policy without includeSubdomains,
 > max-age=0, and redirects to
 > I first visit And then I visit What
 > happens and where is this defined?

Ok, good question, I'll try to tease this apart a bit...

1. "load" of yields, say,..

   Strict-Transport-Security: max-age=31536000; includeSubdomains

note: receipt of the above HSTS Policy denotes as a Known HSTS 
Host (with includeSubdomains asserted) if it was not already so noted [1].

2. if a subsequent "load" of [0] ( is 
not as yet noted as an HSTS Host) yields..

   Strict-Transport-Security: max-age=0

..then, this newly-asserted HSTS Policy (for ought to be 
"noted" per the HSTS storage model [2] since its domain name is not a 
"congruent match" for "" [3] -- but it is declaring a max-age of 
zero, which would imply not noting it due to the NOTE in [5].

Regardless, due to the "URI Loading and Port Mapping" algorithm [4],'s HSTS Policy will override's declared policy 
(if it is noted by some errant UA). Thus the subsequent load of the 
Location-specified resource ("the redirect") will have its URI scheme 
translated to "https" per [4], and the redirect will be essentially idempotent.

This will continue to be the situation until and if rescinds 
its assertion of includeSubdomains or its entire HSTS Policy. I.e., may declare an HSTS Policy, and it will be duly noted by 
UAs, but it will be overruled by's policy (until the latter is 
altered per the foregoing).

This situation is implicated in the discussions in [6], but not explicitly 

If anyone finds bug(s) in this analysis, please raise them.



[0] or of which will become 
per [4] due to the HSTS Policy established above.

[1] Strict-Transport-Security Response Header Field Processing

[2] Noting an HSTS Host - Storage Model

[3] Known HSTS Host Domain Name Matching

[4] URI Loading and Port Mapping

[5] The max-age Directive

[6] Implications of includeSubDomains