- From: Rob Sayre <sayrer@gmail.com>
- Date: Fri, 20 Sep 2019 14:18:53 -0700
- To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- Message-ID: <CAChr6Sxd8p3tOGBVFvrpnj3cUD23quvQHnwbz0RPoF+=13VhUw@mail.gmail.com>
Hi all,

I was looking at the behavior of several popular websites in the context of HSTS and DNS hijacking[1]. It seems like these attacks rely on the relatively benign security UI of clear-text HTTP pages, the fact that browsers will send HTTP traffic in the absence of HSTS information, and the fact that several popular sites still serve redirects to TLS URIs over port 80. That last part is particularly problematic, because a rogue DNS server can point at an address that will serve a malicious 200 response, and rewrite links on the served page. (I found several banks serving redirects from port 80...)

I read the "opportunistic encryption" RFC[2], but the proposal in the subject line seems different. I had two ideas:

1) Start marking any domain that is one label + a TLD as insecure if served over http. So, "foo.co.jp" would be marked as insecure over http, but "foo.bar.co.jp" would not. Obviously, this could be ratcheted up over time.

2) Allow domains to opt in to HSTS out-of-band, like in software updates for an OS. This idea seems intriguing, because it would seem to improve security as participants join, unlike a TLS trusted-root store.

Of course, other approaches, like DoH/DoT and DNSSEC, would attack this problem from a different angle. Also, I'm not sure if this group is the right place to propose this idea.

thanks,
Rob

[1] https://www.ixiacom.com/company/blog/paypal-netflix-gmail-and-uber-users-among-targets-new-wave-dns-hijacking-attacks
[2] https://tools.ietf.org/html/rfc8164
Received on Friday, 20 September 2019 21:19:29 UTC
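A worked version of idea 1 from the message above, added here as an editor's example and not code from the thread or from any browser: it assumes a small constructed public-suffix set standing in for the real Public Suffix List, and generalizes the "one label + a TLD" rule into a `max_labels` threshold so the ratchet the mail mentions can be modelled by raising it.

```python
from urllib.parse import urlsplit

# Constructed mini public-suffix set for the demo. Assumption: a real check
# would load the full Public Suffix List (https://publicsuffix.org/) instead.
PUBLIC_SUFFIXES = {"com", "org", "net", "jp", "co.jp", "uk", "co.uk", "ac.uk"}


def public_suffix(host: str) -> str:
    """Return the longest matching public suffix of host (longest match first),
    falling back to the last label when nothing in the set matches."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]


def labels_above_suffix(host: str) -> int:
    """Count the labels a host carries above its public suffix:
    foo.co.jp -> 1, foo.bar.co.jp -> 2, co.jp -> 0."""
    suffix = public_suffix(host)
    rest = host.lower().rstrip(".")[: -len(suffix)].rstrip(".")
    return len(rest.split(".")) if rest else 0


def flag_insecure(url: str, max_labels: int = 1) -> bool:
    """True when the URL is clear-text HTTP and its host sits at most
    max_labels labels above a public suffix. max_labels=1 is the proposal as
    written; a larger value is the 'ratcheted up' variant."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http" or not parts.hostname:
        return False  # https, or no host at all: nothing to flag
    host = parts.hostname
    # IP literals (v4 or v6) have no public suffix; leave them out of scope.
    if host.replace(".", "").isdigit() or ":" in host:
        return False
    return 1 <= labels_above_suffix(host) <= max_labels


if __name__ == "__main__":
    for u in ("http://foo.co.jp/login", "http://foo.bar.co.jp/", "https://foo.co.jp/"):
        print(u, "-> insecure" if flag_insecure(u) else "-> not flagged")
```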