HSTS Misuse

There is a section in the RFC that addresses DoS, but I am interested in a
particular case. Let's posit that a domain owner directs their domain to an
https server that returns an HSTS header without the domain owner's
knowledge or consent. If the domain owner then directs their domain to an
http server, the site will be unreachable from browsers that are caching
HSTS. Has there been any discussion or guidance regarding this scenario?
When is the implementation of HSTS considered to be inappropriate?

Received on Sunday, 22 May 2016 13:45:47 UTC
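
The lock-in described in the message above, modelled as an added example that is not part of the original post: a simplified version of the Known HSTS Host cache from RFC 6797, showing that a cached policy keeps forcing HTTPS until it expires or until a `max-age=0` header is received over HTTPS. `HstsCache`, `simulate` and the host `example.test` are hypothetical names, and the timeline is constructed.

```python
import re

def parse_sts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns (max_age, include_subdomains), or None if the header must be ignored."""
    seen = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:
            return None                      # repeated directive: ignore the header
        seen[name] = arg.strip().strip('"')  # value may be a quoted-string
    if not re.fullmatch(r"\d+", seen.get("max-age", "")):
        return None                          # max-age is required
    return int(seen["max-age"]), "includesubdomains" in seen

class HstsCache:
    """Simplified model of a browser's Known HSTS Host store (assumption: no preload list)."""
    def __init__(self):
        self.hosts = {}                      # host -> (expiry_time, include_subdomains)
    def note_response(self, host, scheme, sts_value, now):
        if scheme != "https":
            return                           # the header is ignored over plain HTTP
        parsed = parse_sts(sts_value)
        if parsed is None:
            return
        max_age, subs = parsed
        if max_age == 0:
            self.hosts.pop(host, None)       # max-age=0 removes the cached policy
        else:
            self.hosts[host] = (now + max_age, subs)
    def must_upgrade(self, host, now):
        """True if a request to host would be rewritten to HTTPS."""
        labels = host.split(".")
        for i in range(len(labels)):         # exact match first, then parent domains
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False

def simulate():
    """Constructed timeline: policy set by a host the owner did not configure."""
    c, day = HstsCache(), 86400
    c.note_response("example.test", "https", "max-age=31536000; includeSubDomains", now=0)
    locked = c.must_upgrade("www.example.test", now=30 * day)   # domain is now HTTP-only
    c.note_response("example.test", "http", "max-age=0", now=31 * day)   # ignored
    still_locked = c.must_upgrade("example.test", now=31 * day)
    c.note_response("example.test", "https", "max-age=0", now=32 * day)  # clears entry
    return locked, still_locked, c.must_upgrade("example.test", now=32 * day)
```

In this model the only early exit is a response over HTTPS, so a domain owner auditing a new hosting arrangement would check the `max-age` and `includeSubDomains` values it returns before pointing the domain at it.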