- From: Jeff Hodges <jdhodges@google.com>
- Date: Mon, 7 Oct 2019 16:46:56 -0700
- To: Mike West <mkwst@google.com>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>, John Wilander <wilander@apple.com>
- Message-ID: <CAOt3QXtxbHCeuqS73XBZFQFbmZz-Q6k-tHDxpS9WODj7mw_1yA@mail.gmail.com>

[ just us ]

ah, ok, something to chat about on Wed -- ie, are you thinking a monkey-patch of rfc6797 or an entire updated spec, or ...?

On Mon, Oct 7, 2019 at 4:48 AM Mike West <mkwst@google.com> wrote:

> Ok, thanks Mark. I'll aim to have an ID up by whenever the Singapore
> cutoff turns out to be.
>
> -mike
>
>
> On Thu, Oct 3, 2019 at 7:59 AM Mark Nottingham <mnot@mnot.net> wrote:
>
>> Hey Mike,
>>
>> I wouldn't treat the silence as indicative of disinterest.
>>
>> Would you be willing to write up a short draft explaining your proposal
>> and submit it for discussion in Singapore (presenting remotely if
>> necessary)? Even if you decide not to do it here, I suspect you'll be able
>> to reuse the markdown...
>>
>> Cheers,
>>
>>
>> > On 1 Oct 2019, at 11:47 pm, Mike West <mkwst@google.com> wrote:
>> >
>> > Ping!
>> >
>> > If this group doesn't feel any particular ownership, I'm happy to try
>> > to define some web browsery behavior in W3C/WHATWG. If y'all would prefer
>> > an RFC6797bis, great!
>> >
>> > -mike
>> >
>> >
>> > On Wed, Sep 18, 2019 at 3:10 AM Mike West <mkwst@google.com> wrote:
>> > A year or two ago, +John Wilander and others at Apple proposed some
>> > changes to HSTS in
>> > https://webkit.org/blog/8146/protecting-against-hsts-abuse/ that went
>> > some way towards mitigating the abuses documented in Section 14.9 of
>> > RFC6797. Given some shifts in the way we're thinking about some other
>> > concepts, I've written up a short proposal at
>> > https://github.com/mikewest/strict-navigation-security that builds upon
>> > and simplifies Apple's proposal. We discussed it briefly at yesterday's
>> > webappsec meeting, and there seems to be interest in doing something in
>> > this space.
>> >
>> > +Mark Nottingham and +Jeff Hodges suggested that I loop this group into
>> > that conversation, as the original websec group has disbanded. Is it a
>> > topic this group would like to pick up? If not, would y'all be comfortable
>> > with us defining some web browser behavior/Fetch integration in webappsec
>> > that constrains the existing RFC?
>> >
>> > Thanks!
>> >
>> > -mike
>>
>> --
>> Mark Nottingham https://www.mnot.net/
>>
>>

--
Thanks, HTH,
=JeffH

Received on Monday, 7 October 2019 23:47:46 UTC