
Re: Redirects and HSTS

From: Ryan Sleevi <sleevi@google.com>
Date: Fri, 26 Sep 2014 13:40:39 -0700
Message-ID: <CACvaWvbkt3vJJS0oYGqkOOxq=aM9nMF-ujTiffB9upR43BDDRQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Mike West <mkwst@google.com>, Tanvi Vyas <tanvi@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
On Fri, Sep 26, 2014 at 1:09 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Sep 26, 2014 at 10:07 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> > That does seem to cover it, although the first sentence makes it sound
> > more difficult than it really is.
>
> However, could this attack be avoided if we never applied HSTS to
> resources loaded from a document on a different origin?
>
>
> --
> https://annevankesteren.nl/
>

Maybe. Not for HPKP though (the security benefit is also realized through
inter-origin protections).

For HSTS, the question is "Could a MITM attacker gain access to the data otherwise?"

- Source document HTTP, target document HTTP+HSTS
  - The attacker can inject script into the source document. However, CORS should prevent the attacker's script from getting access to the target document data (if used correctly).
  - The attacker cannot sslstrip the target document, because HSTS
- Source document HTTPS, target document HTTP+HSTS
  - both Firefox and Chrome will trigger mixed content blocking on this today
  - If MCB is bypassed, the load is STILL over HTTPS, thus the above applies for the HTTP+HTTP case

If we took away the +HSTS part:
- Source document HTTP, target document HTTP
  - The attacker can read the target document on the wire
- Source document HTTPS, target document HTTP
  - Mixed content blocking triggers
  - If the user bypasses MCB, the attacker can read the target document on the wire

Seems like a net-negative for security if we did.
Received on Friday, 26 September 2014 20:47:27 UTC
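The four cases argued in the message above can be checked mechanically. The following is an added example, not code from the thread or from any browser: a small RFC 6797 known-host store (header parsing, includeSubDomains matching, expiry, http-to-https rewriting) plus an `evaluate_load` function that models a subresource fetch under a policy flag `apply_hsts_cross_origin`, which is the hypothetical rule being discussed. Mixed content blocking is decided on the URL as written and, when the user overrides it, the request still passes through HSTS upgrading, matching the "the load is STILL over HTTPS" observation. All hostnames are constructed sample values.

```python
"""HSTS store plus a model of the subresource-load outcomes argued in the thread."""
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float
    include_subdomains: bool


class HstsStore:
    """Minimal RFC 6797 known-host store (illustrative, not any browser's code)."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be exercised deterministically
        self._entries: Dict[str, HstsEntry] = {}

    def process_header(self, host: str, header: str) -> bool:
        """Parse a Strict-Transport-Security value received over HTTPS from host.
        Returns False (and stores nothing) if the header is malformed."""
        max_age: Optional[int] = None
        include_subdomains = False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name, value = name.strip().lower(), value.strip().strip('"')
            if name == "max-age":
                if max_age is not None or not value.isdigit():
                    return False  # duplicate or non-numeric max-age: reject the header
                max_age = int(value)
            elif name == "includesubdomains":
                include_subdomains = True
            # unknown directives are ignored, per RFC 6797 section 6.1
        if max_age is None:
            return False
        host = host.lower()
        if max_age == 0:
            self._entries.pop(host, None)  # max-age=0 tells the UA to forget the host
        else:
            self._entries[host] = HstsEntry(self._now() + max_age, include_subdomains)
        return True

    def is_known(self, host: str) -> bool:
        """True if host, or an includeSubDomains ancestor of it, has an unexpired entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry.expires > self._now() and (i == 0 or entry.include_subdomains):
                return True
        return False

    def upgrade(self, url: str) -> str:
        """Rewrite http:// to https:// for known hosts (RFC 6797 section 8.3)."""
        p = urlsplit(url)
        if p.scheme != "http" or not p.hostname or not self.is_known(p.hostname):
            return url
        netloc = p.netloc
        if p.port == 80:  # an explicit :80 becomes :443; other explicit ports are kept
            netloc = netloc.rsplit(":", 1)[0] + ":443"
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


@dataclass
class LoadOutcome:
    final_url: Optional[str]  # None when mixed content blocking stopped the load
    blocked: bool
    exposed: bool  # True if the response travels in cleartext, readable by a MITM


def _origin(p):
    default = {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), p.port or default)


def evaluate_load(store: HstsStore, source_url: str, target_url: str,
                  apply_hsts_cross_origin: bool = True,
                  user_bypasses_mcb: bool = False) -> LoadOutcome:
    """Model one subresource fetch of target_url from a document at source_url."""
    src, tgt = urlsplit(source_url), urlsplit(target_url)
    # Mixed content blocking is decided on the URL as written; if the user
    # overrides it, the request still goes through HSTS upgrading afterwards.
    if src.scheme == "https" and tgt.scheme == "http" and not user_bypasses_mcb:
        return LoadOutcome(None, True, False)
    final = target_url
    if apply_hsts_cross_origin or _origin(src) == _origin(tgt):
        final = store.upgrade(target_url)
    return LoadOutcome(final, False, urlsplit(final).scheme == "http")


if __name__ == "__main__":
    store = HstsStore()
    store.process_header("target.example", "max-age=31536000; includeSubDomains")
    for policy in (True, False):
        print(f"apply HSTS to cross-origin loads: {policy}")
        for src in ("http://page.example/", "https://page.example/"):
            for bypass in (False, True):
                r = evaluate_load(store, src, "http://target.example/data.json", policy, bypass)
                print(f"  {src} bypass_mcb={bypass}: blocked={r.blocked} exposed={r.exposed}")
```

Running the script prints the outcome grid: with the policy enabled no row is ever exposed, while with it disabled both the HTTP-source row and the HTTPS-source-with-bypass row carry the target in cleartext, which is the net-negative the message concludes with.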
