- From: =JeffH <Jeff.Hodges@KingsMountain.com>
- Date: Fri, 26 Sep 2014 12:48:40 -0700
- To: W3C Web App Security WG <public-webappsec@w3.org>
> However, this is a secondary discussion to Anne's original point, AIUI.

agreed.

> If I understand Anne's point, the question is: Can HSTS be used for
> tracking? The answer is Yes,

yes.

> and this is (briefly) discussed in Section
> 14.9 of RFC 6797 ( http://tools.ietf.org/html/rfc6797#section-14.9 ),

thanks, I was about to point to that section. 8^)

Note that it was also briefly discussed on websec@ietf.org and section 14.9 resolved that issue (sufficiently at the time we felt).

[websec] #34: HSTS cache manipulation and misuse by server enabled by wildcard cert
http://www.ietf.org/mail-archive/web/websec/current/msg00977.html

#34: HSTS cache manipulation and misuse by server enabled by wildcard cert
http://trac.tools.ietf.org/wg/websec/trac/ticket/34

HTH,

=JeffH
Received on Friday, 26 September 2014 19:49:11 UTC