Re: HSTS Misuse

I suppose third-party HSTS may be a good way to describe the scenario I
propose. To be more clear, let's say that the https server is provided by a
web hosting company and their customer is the domain owner.
On Sun, May 22, 2016 at 10:03 AM Philipp Junghannß <>

> Talking about hsts misuse we should not forget the so-called hsts
> supercookies, which obviously makes no sense from a technical perspective
> but the point that hsts can be used for tracking still stands.
> What to do about that?
> Unlike cookies, hsts cannot be easily purged by the user.
> On 22.05.2016 15:51 "Dennis Olvany" <> wrote:
>> There is a section in the RFC that addresses DoS, but I am interested in
>> a particular case. Let's posit that a domain owner directs their domain to
>> an https server that returns an HSTS header without the domain owner's
>> knowledge or consent. If the domain owner then directs their domain to an
>> http server, the site will be unreachable from browsers that are caching
>> HSTS. Has there been any discussion or guidance regarding this scenario?
>> When is the implementation of HSTS considered to be inappropriate?

Received on Sunday, 22 May 2016 14:14:13 UTC
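The browser-side behaviour discussed in this thread, as an added illustration that is not part of the original messages: a small Python model of a browser's HSTS known-host store following the RFC 6797 rules (the header is honoured only over TLS, `includeSubDomains` extends the policy to subdomains, `max-age=0` deletes the entry). The `hosting_scenario` walk-through reproduces the case Dennis describes: a hosting provider's HTTPS server sends the header, the owner later points the domain at an http-only server, and that server can neither answer the upgraded request nor clear the policy; only an HTTPS response with `max-age=0` (or expiry) removes it. The domain names and header values are constructed sample inputs; the model ignores ports, preload lists and certificate-error handling.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is invalid per RFC 6797: max-age missing or
    non-numeric, or a directive repeated. Unknown directives are ignored.
    """
    max_age = None
    include_sub = False
    seen = set()
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Toy model of a browser's HSTS known-host store (RFC 6797 sections 8.1-8.3)."""

    def __init__(self, clock=time.time):
        self.clock = clock      # callable returning seconds; injectable for tests
        self.entries = {}       # host -> (expiry_time, include_subdomains)

    def observe_response(self, host, headers, over_tls):
        # The header is only honoured on a TLS connection; plain HTTP is ignored,
        # so an http-only server can never set or clear a policy.
        if not over_tls:
            return
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return
        parsed = parse_sts(value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.entries.pop(host, None)   # max-age=0 deletes the known host
        else:
            self.entries[host] = (self.clock() + max_age, include_sub)

    def is_known_host(self, host):
        now = self.clock()
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None or entry[0] <= now:
                continue   # unknown or expired
            if candidate == host or entry[1]:   # exact match, or superdomain with includeSubDomains
                return True
        return False

    def upgrade(self, url):
        """Return the URL the browser would actually request (section 8.3 rewrite)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known_host(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def hosting_scenario():
    """The thread's scenario with a constructed domain and a fake clock."""
    clock = [1_000_000.0]
    cache = HstsCache(clock=lambda: clock[0])
    host = "example.com"   # constructed sample domain
    hsts = "Strict-Transport-Security"

    # Visitor reaches the hosting company's HTTPS server, which sets HSTS.
    cache.observe_response(host, {hsts: "max-age=31536000; includeSubDomains"}, over_tls=True)
    after_hosting = cache.upgrade("http://example.com/")

    # Next day the owner points DNS at an http-only server; the cached policy
    # still rewrites every navigation (www too, via includeSubDomains).
    clock[0] += 86400
    after_move = cache.upgrade("http://www.example.com/")

    # A plain-HTTP server's header is ignored, so it cannot undo the policy.
    cache.observe_response(host, {hsts: "max-age=0"}, over_tls=False)
    after_http_clear_attempt = cache.upgrade("http://example.com/")

    # Only an HTTPS response with max-age=0 (or expiry) removes the entry.
    cache.observe_response(host, {hsts: "max-age=0"}, over_tls=True)
    after_tls_clear = cache.upgrade("http://example.com/")

    return {
        "after_hosting": after_hosting,
        "after_move": after_move,
        "after_http_clear_attempt": after_http_clear_attempt,
        "after_tls_clear": after_tls_clear,
    }
```

The practical consequence for a domain owner is visible in the last two steps: once a browser has cached the policy, the only ways out are waiting for `max-age` to elapse or serving `max-age=0` from an HTTPS endpoint for the same host, which is why a hosting provider should not emit a long-lived HSTS header for a customer domain without the customer opting in.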