Re: [websec] HSTS and subdomains

=JeffH <Jeff.Hodges@KingsMountain.com> Tue, 16 September 2014 21:08 UTC

To: Anne van Kesteren <annevk@annevk.nl>
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/zLp6iQ-ap_PupiZDhQiLT2NpkpI
Cc: Ian Hickson <ian@hixie.ch>, websec <websec@ietf.org>

 > If example.com serves up a policy with includeSubdomains. And
 > sub.example.com serves up a policy without includeSubdomains,
 > max-age=0, and redirects to http://sub.example.com.
 >
 > I first visit example.com. And then I visit sub.example.com. What
 > happens and where is this defined?

Ok, good question, I'll try to tease this apart a bit...


1. "load" of https://example.com yields, say,..

   Strict-Transport-Security: max-age=31536000; includeSubdomains

note: receipt of the above HSTS Policy denotes example.com as a Known HSTS 
Host (with includeSubdomains asserted) if it was not already so noted [1].


2. if a subsequent "load" of https://sub.example.com [0] (sub.example.com is 
not as yet noted as an HSTS Host) yields..

   Strict-Transport-Security: max-age=0
   Location: http://sub.example.com


..then, this newly-asserted HSTS Policy (for sub.example.com) ought to be 
"noted" per the HSTS storage model [2] since its domain name is not a 
"congruent match" for "example.com" [3] -- but it is declaring a max-age of 
zero, which would imply not noting it due to the NOTE in [5].

Regardless, due to the "URI Loading and Port Mapping" algorithm [4], 
example.com's HSTS Policy will override sub.example.com's declared policy 
(if it is noted by some errant UA). Thus the subsequent load of the 
Location-specified resource ("the redirect") will have its URI scheme 
translated to "https" per [4], and the redirect will be essentially idempotent.

This will continue to be the situation until and if example.com rescinds 
its assertion of includeSubdomains or its entire HSTS Policy. I.e., 
sub.example.com may declare an HSTS Policy, and it will be duly noted by 
UAs, but it will be overruled by example.com's policy (until the latter is 
altered per the foregoing).

This situation is implicated in the discussions in [6], but not explicitly 
explained.

If anyone finds bug(s) in this analysis, please raise them.

HTH,

=JeffH


[0] or of http://sub.example.com which will become https://sub.example.com 
per [4] due to the HSTS Policy established above.

[1] Strict-Transport-Security Response Header Field Processing
     https://tools.ietf.org/html/rfc6797#section-8.1

[2] Noting an HSTS Host - Storage Model
     https://tools.ietf.org/html/rfc6797#section-8.1.1

[3] Known HSTS Host Domain Name Matching
     https://tools.ietf.org/html/rfc6797#section-8.2

[4] URI Loading and Port Mapping
     https://tools.ietf.org/html/rfc6797#section-8.3

[5] The max-age Directive
     https://tools.ietf.org/html/rfc6797#section-6.1.1

[6] Implications of includeSubDomains
     https://tools.ietf.org/html/rfc6797#section-11.4

end
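The walk-through above, modelled as an added example (not code from the email, RFC 6797 or any browser): a minimal Python model of a UA's Known HSTS Host store with the superdomain matching of section 8.2, the max-age=0 deletion rule, and the scheme rewrite of section 8.3. The class and function names are assumptions made for this illustration.

```python
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Toy model of a UA's Known HSTS Host cache (RFC 6797 sections 8.1-8.3)."""

    def __init__(self):
        self.hosts = {}  # host name -> includeSubDomains asserted (bool)

    def note(self, host, header):
        """Process a Strict-Transport-Security header received from `host`."""
        directives = {}
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
        if "max-age" not in directives:
            return  # invalid header field, ignored (section 8.1)
        if int(directives["max-age"]) == 0:
            self.hosts.pop(host.lower(), None)  # max-age=0 deletes the host (6.1.1 NOTE)
        else:
            self.hosts[host.lower()] = "includesubdomains" in directives

    def is_known(self, host):
        """Section 8.2: congruent match, or superdomain match with includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.hosts and (i == 0 or self.hosts[candidate]):
                return True
        return False

    def rewrite(self, url):
        """Section 8.3: rewrite http to https for a Known HSTS Host (port 80 -> 443)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def scenario():
    """Anne's scenario: what the UA does with the redirect to http://sub.example.com."""
    ua = HstsStore()
    # 1. load of https://example.com yields includeSubdomains
    ua.note("example.com", "max-age=31536000; includeSubdomains")
    # 2. load of https://sub.example.com yields max-age=0 plus Location: http://sub.example.com
    ua.note("sub.example.com", "max-age=0")
    # the redirect target is rewritten back to https because example.com's policy covers it
    return ua.rewrite("http://sub.example.com/")
```

`scenario()` returns `https://sub.example.com/`, i.e. the redirect loops back onto the HTTPS origin exactly as described; dropping includeSubdomains from example.com is the only change that makes the plain-http load go through.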