Re: fyi: Strict Transport Security specification

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 19 Sep 2009 07:49:20 -0700
Message-ID: <7789133a0909190749p63130fd3p94f0191e9ffe0977@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: "=JeffH" <Jeff.Hodges@kingsmountain.com>, public-webapps@w3.org, Jeff Hodges <jeff.hodges@paypal.com>, Collin Jackson <collin.jackson@sv.cmu.edu>
On Sat, Sep 19, 2009 at 1:46 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> (am I understanding it correctly that http requests can't opt in to STS?)

Well, they opt in by redirecting to HTTPS and then sending the header
over HTTPS.  :)

One virtue of your algorithm is that there are no extra requests in
the common cases.  For example, if the site does everything over
HTTPS, then we never have to confirm the STS directive.  Also, if the
user enters the site by typing "example.com" in the location bar, then
we also won't make any extra requests because the first HTTPS URL
we'll see is "/" anyway.

The only potentially tricky situation is that, when we look for
confirmation, we need to be prepared to deal with an attacker who
blocks that request (because we're now in an attack scenario), but I
think we can deal with that by stalling the HTTP request while we wait
for confirmation.

Adam
Received on Saturday, 19 September 2009 14:51:17 GMT