Re: HSTS Misuse

Talking about HSTS misuse, we should not forget the so-called HSTS
supercookies, which obviously make no sense from a technical perspective,
but the point that HSTS can be used for tracking still stands.
What to do about that?

Unlike cookies, HSTS cannot be easily purged by the user.
On 22.05.2016 15:51, "Dennis Olvany" <dennisolvany@gmail.com> wrote:

> There is a section in the RFC that addresses DoS, but I am interested in a
> particular case. Let's posit that a domain owner directs their domain to an
> HTTPS server that returns an HSTS header without the domain owner's
> knowledge or consent. If the domain owner then directs their domain to an
> HTTP server, the site will be unreachable from browsers that are caching
> HSTS. Has there been any discussion or guidance regarding this scenario?
> When is the implementation of HSTS considered to be inappropriate?
>

Received on Sunday, 22 May 2016 14:03:41 UTC
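The following is an added example, not code from either poster or from the W3C list: a small Python model of a browser's HSTS cache following RFC 6797 (max-age, includeSubDomains, max-age=0 removal, and the http-to-https rewrite), used to play through both the scenario Dennis describes (a policy cached from an earlier HTTPS server leaves an HTTP-only site unreachable until the policy expires) and the supercookie technique mentioned above (an identifier is written as "which of N subdomains carry a policy" and read back by checking which plain-http requests get upgraded). The host names example.test and tracker.test, the b0..b7 bit subdomains, the server table and the clock are constructed for the illustration.

```python
"""Model of a user agent's HSTS cache (RFC 6797) used to show two misuse
cases: a stale policy blocking an http-only site, and HSTS supercookies.
Added example; hosts, servers and the clock below are constructed."""
from __future__ import annotations

import re
import time
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires: float            # absolute time (seconds) after which the policy lapses
    include_subdomains: bool  # includeSubDomains directive present


class HstsCache:
    """Per-host "Known HSTS Host" store; `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self.now = now
        self.entries: dict[str, HstsEntry] = {}

    def process_header(self, host: str, header: str) -> None:
        """Apply a Strict-Transport-Security header received over HTTPS for `host`."""
        directives: dict[str, str] = {}
        for part in header.split(";"):
            part = part.strip()
            if not part:
                continue
            name, _, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
        if "max-age" not in directives:
            return  # max-age is required; a header without it is ignored (RFC 6797 6.1.1)
        try:
            max_age = int(directives["max-age"])
        except ValueError:
            return
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the UA to forget this host
            return
        self.entries[host] = HstsEntry(self.now() + max_age, "includesubdomains" in directives)

    def is_known(self, host: str) -> bool:
        """True if `host`, or a superdomain whose policy has includeSubDomains, is cached and unexpired."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            if entry.expires <= self.now():
                del self.entries[candidate]  # lazily drop expired policies
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Rewrite http:// URLs for known hosts to https:// before any request (RFC 6797 8.3)."""
        m = re.match(r"http://([^/:]+)(.*)", url)
        if m and self.is_known(m.group(1)):
            return "https://" + m.group(1) + m.group(2)
        return url


def site_reachable(cache: HstsCache, servers: dict[str, set[str]], url: str) -> bool:
    """Scenario 1: `servers` maps host -> schemes it currently serves (constructed).
    The browser first applies the cached policy, then the server must speak that scheme."""
    final = cache.rewrite(url)
    scheme, _, rest = final.partition("://")
    host = rest.split("/", 1)[0]
    return scheme in servers.get(host, set())


def write_id(cache: HstsCache, tracker: str, nbits: int, ident: int, max_age: int = 31536000) -> None:
    """Scenario 2, write: for every set bit i the page loads https://b{i}.<tracker>/,
    whose response carries an HSTS header; clear bits load nothing."""
    for i in range(nbits):
        if ident >> i & 1:
            cache.process_header(f"b{i}.{tracker}", f"max-age={max_age}")


def read_id(cache: HstsCache, tracker: str, nbits: int) -> int:
    """Scenario 2, read: request http://b{i}.<tracker>/ for every i; an upgrade to https
    means the policy is cached, i.e. bit i was set on an earlier visit."""
    ident = 0
    for i in range(nbits):
        if cache.rewrite(f"http://b{i}.{tracker}/").startswith("https://"):
            ident |= 1 << i
    return ident


def erase_id(cache: HstsCache, tracker: str, nbits: int) -> None:
    """Only the tracker itself can undo the write, by answering with max-age=0 on every bit host."""
    for i in range(nbits):
        cache.process_header(f"b{i}.{tracker}", "max-age=0")


if __name__ == "__main__":
    browser = HstsCache()
    browser.process_header("example.test", "max-age=31536000; includeSubDomains")
    print("after moving to http only, reachable:",
          site_reachable(browser, {"example.test": {"http"}}, "http://example.test/"))
    write_id(browser, "tracker.test", 8, 0b10110010)
    print("supercookie read back: 0b{:08b}".format(read_id(browser, "tracker.test", 8)))
```

Two things the run makes concrete: the cached policy, not the current server, decides the scheme of the request, so the site in the quoted scenario stays unreachable for the full max-age unless the owner can again serve HTTPS long enough to send max-age=0; and the same cache lookup that protects a site doubles as a per-host bit the page can read back, which is why clearing cookies alone does not clear the identifier.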