Re: HSTS priming vs preloading from Richard Barnes on 2016-02-01 (public-webappsec@w3.org from February 2016)

From: Richard Barnes <rbarnes@mozilla.com>
Date: Mon, 1 Feb 2016 15:56:50 -0500
To: Ben Wilson <ben.wilson@digicert.com>
Cc: Jim Manico <jim.manico@owasp.org>, Eric Mill <eric@konklone.com>, Mike West <mkwst@google.com>, Jim Manico <jim@manicode.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAOAcki_2of34aisF6eJXVvXHvdtk6T3wa13ygjbJxp=Bk1-f8A@mail.gmail.com>

On Mon, Feb 1, 2016 at 3:50 PM, Ben Wilson <ben.wilson@digicert.com> wrote:

> Excuse my ignorance, but does this mean that there is consensus that
> preloading HSTS should occur before checking for mixed content?
>

I'll assume that by "preloading HSTS", you mean "HSTS upgrades".  In that
case, I wouldn't say there's consensus yet, but that's where we're trying
to get.



> Also, I’m assuming that this discussion is related to the proposal found
> here - https://www.w3.org/TR/upgrade-insecure-requests/.
>
>
This is the better one.  Still very much at draft stage:

https://mikewest.github.io/hsts-priming/

--Richard



> Is there somewhere else I could look to read more about this interesting
> topic?
>
> Thanks,
>
> Ben
>
>
>
> *From:* Jim Manico [mailto:jim.manico@owasp.org]
> *Sent:* Tuesday, January 19, 2016 9:49 AM
> *To:* Richard Barnes <rbarnes@mozilla.com>
> *Cc:* Eric Mill <eric@konklone.com>; Mike West <mkwst@google.com>; Jim
> Manico <jim@manicode.com>; public-webappsec@w3.org
> *Subject:* Re: HSTS priming vs preloading
>
>
>
> I am just looking for (or am considering creating if none exists) a test
> to see how browsers handle HSTS and mixed content decisions. I just want to
> understand current behavior today access all browser that support HSTS.
>
> - Jim
>
> On 1/19/16 11:46 AM, Richard Barnes wrote:
>
> Which "this" do you mean?  If you mean "taking HSTS into account for MIX
> decisions", then you're not going to get much, since AFAIK no browser has
> implemented it yet.
>
>
>
> On Tue, Jan 19, 2016 at 10:00 AM, Jim Manico <jim.manico@owasp.org> wrote:
>
> Does anyone have an online test for this? I think understand and
> standardizing this behavior is important.
>
> - Jim
>
>
>
> On 1/18/16 3:11 PM, Eric Mill wrote:
>
> On Mon, Jan 18, 2016 at 7:11 AM, Mike West <mkwst@google.com> wrote:
>
> On Mon, Jan 18, 2016 at 1:05 PM, Jim Manico <jim@manicode.com> wrote:
>
> Forgive this indulgence, but does HSTS preloading have the same benefits
> of HSTS priming since preloaded HSTS would occur before the mixed content
> check?
>
>
>
> Yes. Basically, we'd only do a priming ping if the origin being requested
> wasn't already marked as HSTSized in the user's local browser. The fact
> that we _would_ do a priming ping for non-secure origins that aren't in the
> local browser's HSTS list ensures that we can do the upgrade without
> breakage.
>
>
>
> I may be remembering wrong, but I didn't think HSTS alone (preloaded or
> dynamic) would resolve mixed content issues.
>
>
>
> The stated concern with allowing HSTS to affect mixed-content rendering is
> that it would create different experiences per-user/session, and preloading
> does mitigate this concern, but I didn't think there was an actual code
> path in Chrome (or other browsers) where it decides to allow HSTS to
> override mixed content if the HSTS policy was preloaded.
>
>
>
> -- Eric
>
>
>
>
>
>
>

Received on Monday, 1 February 2016 20:57:19 UTC