Re: Redirects and HSTS from =JeffH on 2014-09-26 (public-webappsec@w3.org from September 2014)

From: =JeffH <Jeff.Hodges@KingsMountain.com>
Date: Fri, 26 Sep 2014 14:09:34 -0700
To: W3C Web App Security WG <public-webappsec@w3.org>
Message-ID: <5425D60E.9040508@KingsMountain.com>

 > On Fri, Sep 26, 2014 at 1:09 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
 >
 >> On Fri, Sep 26, 2014 at 10:07 PM, Anne van Kesteren <annevk@annevk.nl>
 >> wrote:
 >> > That does seem to cover it, although the first sentence makes it sound
 >> > more difficult than it really is.
 >>
 >> However, could this attack be avoided if we never applied HSTS to
 >> resources loaded from a document on a different origin?
 >>
 >>
 >> --
 >> https://annevankesteren.nl/
 >>
 >
 > Maybe. Not for HPKP though (the security benefit is also realized through
 > inter-origin protections).
 >
 > For HSTS, the question is "Could a MITM attacker gain access to the data
 > otherwise"
 >
 > - Source document HTTP, target document HTTP+HSTS
 >   - The attacker can inject script into the source document. However, CORS
 > should prevent the attacker's script from getting access to the target
 > document data (if used correctly).
 >   - The attacker cannot sslstrip the target document, because HSTS
 > - Source document HTTPS, target document HTTP+HSTS
 >   - both Firefox and Chrome will trigger mixed content blocking on this
 > today
 >   - If MCB is bypassed, the load is STILL over HTTPS, thus the above
 > applies for the HTTP+HTTP case
 >
 > If we took away the +HSTS part
 > - Source document HTTP, target document HTTP
 >   - The attacker can read the target document on the wire
 > - Source document HTTPS, target document HTTP
 >   - Mixed content blocking triggers
 >   - If the user bypasses MCB, the attacker can read the target document on
 > the wire
 >
 > Seems like a net-negative for security if we did.

agreed.

Also, it would just plain alter the semantics of the HSTS policy as 
presently specified. the policy is "only talk to me (the HSTS Host declaring 
this policy) over secure transport. period. thanks."


plus, as AdamB noted in that old thread on this topic (hsts issue #34)...

"Why not just postMessage of the HTML <form> element?  If you want be
more sneaky about it, you can just the HTTP cache.  Anyway, web sites
are allowed to send messages to each other."
http://www.ietf.org/mail-archive/web/websec/current/msg00979.html


HTH,

=JeffH

Received on Friday, 26 September 2014 21:10:08 UTC