Re: HSTS Fingerprinting.

Ping!

If this group doesn't feel any particular ownership, I'm happy to try to
define some web browsery behavior in W3C/WHATWG. If y'all would prefer an
RFC6797bis, great!

-mike


On Wed, Sep 18, 2019 at 3:10 AM Mike West <mkwst@google.com> wrote:

> A year or two ago, +John Wilander <wilander@apple.com> and others at
> Apple proposed some changes to HSTS in
> https://webkit.org/blog/8146/protecting-against-hsts-abuse/ that went
> some way towards mitigating the abuses documented in Section 14.9 of
> RFC6797 <https://tools.ietf.org/html/rfc6797#section-14.9>. Given some
> shifts in the way we're thinking about some other concepts, I've written up
> a short proposal at https://github.com/mikewest/strict-navigation-security that
> builds upon and simplifies Apple's proposal. We discussed it briefly at
> yesterday's webappsec meeting
> <https://github.com/w3c/webappsec/blob/master/meetings/2019/2019-09-TPAC-minutes.md#hsts-fingerprinting>,
> and there seems to be interest in doing something in this space.
>
> +Mark Nottingham <mnot@mnot.net> and +Jeff Hodges <jdhodges@google.com> suggested
> that I loop this group into that conversation, as the original websec group
> has disbanded. Is it a topic this group would like to pick up? If not,
> would y'all be comfortable with us defining some web browser behavior/Fetch
> integration in webappsec that constrains the existing RFC?
>
> Thanks!
>
> -mike
>
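
An added illustration, not code from this thread, from RFC 6797, or from WebKit: a toy model of the subdomain-bit "supercookie" that RFC 6797 section 14.9 warns about, beside simplified versions of the two mitigations described in the linked WebKit post (honour an HSTS header arriving on a subresource only when it comes from the top-level document's host or its TLD+1; do not apply HSTS upgrades to subresource loads from a third party whose cookies are already blocked). The hostnames, the 8-bit identifier, the two-label TLD+1 heuristic, and the `blockedThirdParties` stand-in for Safari's tracking-prevention list are assumptions made for the demo, not a description of any shipping browser.

```javascript
// Added demo of the RFC 6797 s14.9 HSTS tracking abuse (not from the thread).
// Hostnames, bit width and the TLD+1 heuristic below are assumptions.

// Toy "registrable domain": last two labels. Real browsers consult the
// public suffix list; this shortcut is an assumption for the demo.
function registrable(host) {
  return host.split(".").slice(-2).join(".");
}

// Minimal HSTS store: hosts for which the UA rewrites http:// to https://.
class HstsStore {
  constructor({ limitSetToTopLevel = false, blockedThirdParties = new Set() } = {}) {
    this.hosts = new Set();
    this.limitSetToTopLevel = limitSetToTopLevel;   // WebKit mitigation 1 (simplified)
    this.blockedThirdParties = blockedThirdParties; // WebKit mitigation 2 (simplified)
  }

  // A Strict-Transport-Security header arrived on an https response from
  // `responseHost` while the top-level document was on `topLevelHost`.
  // Returns true if the pin was recorded.
  onStsHeader(topLevelHost, responseHost) {
    if (this.limitSetToTopLevel) {
      const firstParty = responseHost === topLevelHost ||
                         responseHost === registrable(topLevelHost);
      if (!firstParty) return false; // third-party subresource may not pin itself
    }
    this.hosts.add(responseHost);
    return true;
  }

  // Resolve the URL the UA would actually fetch for a subresource.
  resolveSubresource(topLevelHost, url) {
    const u = new URL(url);
    if (u.protocol === "http:" && this.hosts.has(u.hostname)) {
      const thirdParty = registrable(u.hostname) !== registrable(topLevelHost);
      const blocked = this.blockedThirdParties.has(registrable(u.hostname));
      if (!(thirdParty && blocked)) u.protocol = "https:"; // HSTS upgrade
    }
    return u.href;
  }
}

const TRACKER = "tracker.example"; // assumed tracker domain
const BITS = 8;                    // assumed identifier width
const bitHost = (i) => `b${i}.${TRACKER}`;

// Write phase: the page embeds https subresources from b0..b7.<tracker>;
// the tracker answers with an STS header only for hosts whose bit is 1.
function writeId(store, topLevelHost, id) {
  let pinned = 0;
  for (let i = 0; i < BITS; i++) {
    if ((id >> i) & 1 && store.onStsHeader(topLevelHost, bitHost(i))) pinned++;
  }
  return pinned;
}

// Read phase on a later visit to an unrelated site: embed plain http://
// subresources; the ones the UA upgrades to https reveal the 1 bits.
function readId(store, topLevelHost) {
  let id = 0;
  for (let i = 0; i < BITS; i++) {
    const fetched = store.resolveSubresource(topLevelHost, `http://${bitHost(i)}/p.gif`);
    if (fetched.startsWith("https:")) id |= 1 << i;
  }
  return id;
}

// Same tracker against three stores; returns what it recovers from each.
function demo(id = 0xa5) {
  const naive = new HstsStore();
  writeId(naive, "news.example", id);

  const limitedSet = new HstsStore({ limitSetToTopLevel: true });
  writeId(limitedSet, "news.example", id);

  const limitedRead = new HstsStore({ blockedThirdParties: new Set([TRACKER]) });
  writeId(limitedRead, "news.example", id);

  return {
    naiveRead: readId(naive, "shop.example"),
    limitedSetRead: readId(limitedSet, "shop.example"),
    limitedReadRead: readId(limitedRead, "shop.example"),
  };
}

// Sanity check that first-party HSTS keeps working under mitigation 1.
function firstPartyStillUpgrades() {
  const store = new HstsStore({ limitSetToTopLevel: true, blockedThirdParties: new Set([TRACKER]) });
  const pinned = store.onStsHeader("www.news.example", "news.example");
  const fetched = store.resolveSubresource("www.news.example", "http://news.example/app.js");
  return pinned && fetched === "https://news.example/app.js";
}

console.log(demo(), firstPartyStillUpgrades());
```

With the naive store the tracker reads back the full identifier on the second site; either mitigation alone drops it to zero in this model, while a first-party pin is still honoured. The model deliberately ignores the navigation-redirect variant of the attack and real public-suffix handling, which is part of why the quoted message describes Apple's changes as going only "some way" towards closing section 14.9.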

Received on Tuesday, 1 October 2019 13:48:29 UTC