Re: NTP vs. HSTS from Adam Langley on 2014-10-17 (public-webappsec@w3.org from October 2014)

From: Adam Langley <agl@google.com>
Date: Thu, 16 Oct 2014 18:43:46 -0700
To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
Cc: W3C Web App Security WG <public-webappsec@w3.org>
Message-ID: <CAL9PXLxdLsHj1WZAtNuZ_Azv2ZdOyfpnu3Dv+da7trNW6g7qQQ@mail.gmail.com>

On Thu, Oct 16, 2014 at 6:26 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
> Does the HSTS preload entry timeout occur only if the UA hasn't noted an
> HSTS policy emitted from that HSTS host prior to the timeout expiry? (do you
> have a pointer to the code, I'm curious...)

If dynamic state applies then the fact that the static HSTS entries
have timed out is immaterial:

https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state.cc&sq=package:chromium&rcl=1413420779&l=110

The timeout was so that entries could be removed from the list, yes. I
could change that but lots of things go wrong if the clock is wrong. A
better answer is to fix the clock and it would be very nice if OSes
would do that.

Cheers

AGL

Received on Friday, 17 October 2014 01:44:33 UTC