- From: Dennis Olvany <dennisolvany@gmail.com>
- Date: Sun, 22 May 2016 14:13:35 +0000
- To: Philipp Junghannß <teamhydro55555@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Received on Sunday, 22 May 2016 14:14:13 UTC
I suppose third-party HSTS may be a good way to describe the scenario I propose. To be more clear, let's say that the https server is provided by a web hosting company and their customer is the domain owner.

On Sun, May 22, 2016 at 10:03 AM Philipp Junghannß <teamhydro55555@gmail.com> wrote:

> Talking about hsts misuse we should not forget the so-called hsts supercookies, which obviously makes no sense from a technical perspective, but the point that hsts can be used for tracking still stands.
> What to do about that?
>
> Unlike cookies, hsts cannot be easily purged by the user.
>
> On 22.05.2016 15:51 "Dennis Olvany" <dennisolvany@gmail.com> wrote:
>
>> There is a section in the RFC that addresses DoS, but I am interested in a particular case. Let's posit that a domain owner directs their domain to an https server that returns an HSTS header without the domain owner's knowledge or consent. If the domain owner then directs their domain to an http server, the site will be unreachable from browsers that are caching HSTS. Has there been any discussion or guidance regarding this scenario? When is the implementation of HSTS considered to be inappropriate?
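Added example, not part of this thread: a small Python parser for the Strict-Transport-Security header following the directive rules in RFC 6797, plus a one-line summary of the policy a browser would cache. A domain owner can run it against the header a hosting provider's https server returns before pointing a domain there; the header strings in the test are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class HstsPolicy:
    max_age: int            # seconds the UA keeps the host as an HSTS host
    include_subdomains: bool
    preload: bool

def parse_sts(header: str) -> Optional[HstsPolicy]:
    """Parse an STS header value. Returns None where RFC 6797 says the UA must
    ignore the header: missing or non-numeric max-age, or a repeated directive."""
    seen = set()
    max_age = None
    include_sub = False
    preload = False
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]              # max-age may be a quoted-string
        if name in seen:
            return None                      # a directive must not appear twice
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:                      # max-age is the one required directive
        return None
    return HstsPolicy(max_age, include_sub, preload)

def assess(header: str) -> str:
    """Describe what a conforming browser would remember after seeing this header."""
    p = parse_sts(header)
    if p is None:
        return "invalid: ignored by user agents"
    if p.max_age == 0:
        return "clears any cached policy for this host"
    scope = "host and all subdomains" if p.include_subdomains else "host only"
    note = " (preload requested)" if p.preload else ""
    return f"pins {scope} to https for {p.max_age // 86400} days{note}"
```

In the scenario above, a cached entry only goes away when the same host serves `max-age=0` over a valid https connection or the entry expires, so a domain that has been moved back to plain http stays unreachable for affected browsers until one of those happens.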