
Re: Redirects and HSTS

From: =JeffH <Jeff.Hodges@KingsMountain.com>
Date: Fri, 26 Sep 2014 12:48:40 -0700
Message-ID: <5425C318.4050902@KingsMountain.com>
To: W3C Web App Security WG <public-webappsec@w3.org>
 > However, this is a secondary discussion to Anne's original point, AIUI.

agreed.

 > If I understand Anne's point, the question is: Can HSTS be used for
 > tracking? The answer is Yes,

yes.

 > and this is (briefly) discussed in Section
 > 14.9 of RFC 6797 ( http://tools.ietf.org/html/rfc6797#section-14.9 ),

thanks, I was about to point to that section. 8^)

Note that it was also briefly discussed on websec@ietf.org, and section 14.9 
resolved that issue (sufficiently, at the time, we felt).

[websec] #34: HSTS cache manipulation and misuse by server enabled by wildcard cert
http://www.ietf.org/mail-archive/web/websec/current/msg00977.html

#34: HSTS cache manipulation and misuse by server enabled by wildcard cert
http://trac.tools.ietf.org/wg/websec/trac/ticket/34

HTH,

=JeffH
Received on Friday, 26 September 2014 19:49:11 UTC
