HTTP Strict Transport Security (HSTS)
draft-ietf-websec-strict-transport-sec-06

This is an older version of an Internet-Draft that was ultimately published as RFC 6797.
Authors: Jeff Hodges, Collin Jackson, Adam Barth
Last updated: 2012-03-12
Replaces: draft-hodges-strict-transport-sec
RFC stream: Internet Engineering Task Force (IETF)
WG state: WG Document
IESG state: Became RFC 6797 (Proposed Standard)
Responsible AD: Peter Saint-Andre
Internet-Draft    HTTP Strict Transport Security (HSTS)       March 2012

   [GoodDhamijaEtAl05]
              Good, N., Dhamija, R., Grossklags, J., Thaw, D.,
              Aronowitz, S., Mulligan, D., and J. Konstan, "Stopping
              Spyware at the Gate: A User Study of Privacy, Notice and
              Spyware", In Proceedings of Symposium On Usable Privacy
              and Security (SOUPS) Pittsburgh, PA, USA, July 2005,
              <http://people.ischool.berkeley.edu/~rachna/papers/
              spyware_study.pdf>.

   [I-D.ietf-tls-ssl-version3]
              Freier, A., Karlton, P., and P. Kocher, "The SSL Protocol
              Version 3.0", draft-ietf-tls-ssl-version3-00 (work in
              progress), November 1996, <http://tools.ietf.org/html/
              draft-ietf-tls-ssl-version3-00>.

              This is the canonical reference for SSLv3.0.

   [JacksonBarth2008]
              Jackson, C. and A. Barth, "Beware of Finer-Grained
              Origins", Web 2.0 Security and Privacy Oakland, CA, USA,
              2008,
              <http://www.adambarth.com/papers/2008/
              jackson-barth-b.pdf>.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [RFC4732]  Handley, M., Rescorla, E., and IAB, "Internet Denial-of-
              Service Considerations", RFC 4732, December 2006.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              RFC 4949, August 2007.

   [RFC6265]  Barth, A., "HTTP State Management Mechanism", RFC 6265,
              April 2011.

   [RFC6454]  Barth, A., "The Web Origin Concept", RFC 6454,
              December 2011.

   [SunshineEgelmanEtAl09]
              Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., and
              L. Cranor, "Crying Wolf: An Empirical Study of SSL Warning
              Effectiveness", In Proceedings of 18th USENIX Security
              Symposium Montreal, Canada, August 2009,
              <http://www.usenix.org/events/sec09/tech/full_papers/
              sunshine.pdf>.

   [W3C.REC-wsc-ui-20100812]
              Saldhana, A. and T. Roessler, "Web Security Context: User
              Interface Guidelines", World Wide Web Consortium
              Recommendation REC-wsc-ui-20100812, August 2010,
              <http://www.w3.org/TR/2010/REC-wsc-ui-20100812>.

Hodges, et al.         Expires September 13, 2012              [Page 34]

   [WEBSEC]   "WebSec -- HTTP Application Security Minus Authentication
              and Transport",
              <https://www.ietf.org/mailman/listinfo/websec>.

              Mailing list for IETF WebSec Working Group.  [RFCEditor:
              please remove this reference upon publication as an RFC.]

   [WebTracking]
              Schmucker, N., "Web Tracking", SNET2 Seminar Paper Summer
              Term, 2011, <http://www.snet.tu-berlin.de/fileadmin/fg220/
              courses/SS11/snet-project/web-tracking_schmuecker.pdf>.

   [owaspTLSGuide]
              Coates, M., Wichers, D., Boberski, M., and T. Reguly,
              "Transport Layer Protection Cheat Sheet", Accessed: 11-
              Jul-2010, <http://www.owasp.org/index.php/
              Transport_Layer_Protection_Cheat_Sheet>.

Appendix A.  Design Decision Notes

   This appendix documents various design decisions.

   1.  Cookies aren't appropriate for HSTS Policy expression as they are
       potentially mutable (while stored in the UA), therefore an HTTP
       header field is employed.

   2.  We chose to not attempt to specify how "mixed security context
       loads" (aka "mixed content loads") are handled due to UA
       implementation considerations as well as classification
       difficulties.

   3.  An HSTS Host may update UA notions of HSTS Policy via new HSTS
       header field parameter values.  We chose to have UAs honor the
       "freshest" information received from a server because there is
       the chance of a web site sending out an erroneous HSTS Policy,
       such as a multi-year max-age value, and/or an incorrect
       includeSubDomains flag.  If the HSTS Host couldn't correct such
       errors over protocol, it would require some form of annunciation
       to users and manual intervention on the users' part, which could
       be a non-trivial problem for both web application providers and
       their users.

   4.  HSTS Hosts are identified only via domain names -- explicit IP
       address identification of all forms is excluded.  This is for
       simplification and also is in recognition of various issues with
       using direct IP address identification in concert with PKI-based
       security.

Appendix B.  Differences between HSTS Policy and Same-Origin Policy

   HSTS Policy has the following primary characteristics:

      HSTS Policy stipulates requirements for the security
      characteristics of UA-to-host connection establishment, on a per-
      host basis.

      Hosts explicitly declare HSTS Policy to UAs.  Conformant UAs are
      obliged to implement hosts' declared HSTS Policies.

      HSTS Policy is conveyed over protocol from the host to the UA.

      The UA maintains a cache of Known HSTS Hosts.

      UAs apply HSTS Policy whenever making an HTTP connection to a Known
      HSTS Host, regardless of host port number.  I.e., it applies to
      all ports on a Known HSTS Host.  Hosts are unable to affect this
      aspect of HSTS Policy.

      Hosts may optionally declare that their HSTS Policy applies to all
      subdomains of their host domain name.

   In contrast, the Same-Origin Policy (SOP) [RFC6454] has the following
   primary characteristics:

      An origin is the scheme, host, and port of a URI identifying a
      resource.

      A UA may dereference a URI, thus loading a representation of the
      resource the URI identifies.  UAs label resource representations
      with their origins, which are derived from their URIs.

      The SOP refers to a collection of principles, implemented within
      UAs, governing the isolation of and communication between resource
      representations within the UA, as well as resource
      representations' access to network resources.

   In summary, although both HSTS Policy and SOP are enforced by UAs,
   HSTS Policy is optionally declared by hosts and is not origin-based,
   while the SOP applies to all resource representations loaded from all
   hosts by conformant UAs.
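   As an added illustration that is not part of this draft, the Python
   below models the UA-side behaviour described in Appendix A (item 3)
   and Appendix B: a cache of Known HSTS Hosts keyed by host name only,
   in which the freshest header wins and max-age=0 evicts the host; a
   lookup that ignores the port and honours includeSubDomains; and, for
   contrast, the (scheme, host, port) origin the SOP isolates on.  The
   parser handles only the max-age and includeSubDomains directives named
   in this document; ignoring a malformed field, the default-port
   fill-in, and the HstsStore/HstsEntry names are assumptions.

```python
import time
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class HstsEntry:
    expires_at: float         # absolute time at which the cached policy lapses
    include_subdomains: bool  # includeSubDomains flag sent by the host

def parse_sts_header(value: str):
    """Parse 'max-age=<delta-seconds>[; includeSubDomains]'.  Directive names
    match case-insensitively; a quoted-string max-age is accepted.  Returns
    (max_age, include_subdomains) or None if max-age is missing/malformed."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """A UA's cache of Known HSTS Hosts, keyed by host name only (assumed model)."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._hosts = {}

    def process_response(self, host: str, sts_header):
        """Apply the STS header of an error-free secure response from host.
        Freshest information wins (Appendix A, item 3), so a later response
        can shorten a mistaken max-age, and max-age=0 forgets the host."""
        parsed = parse_sts_header(sts_header) if sts_header is not None else None
        if parsed is None:  # absent or malformed header: cache left untouched
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = HstsEntry(self._clock() + max_age, include_sub)

    def is_known_hsts_host(self, host: str, port: int = 443) -> bool:
        """Does HSTS Policy apply to host?  `port` is deliberately unused: the
        policy covers every port of a Known HSTS Host.  A subdomain matches
        only via a cached superdomain that set includeSubDomains."""
        labels = host.lower().split(".")
        now = self._clock()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= now:
                continue  # unknown or expired: try the next superdomain
            if i == 0 or entry.include_subdomains:
                return True
        return False

def origin(url: str):
    """Same-Origin Policy unit: (scheme, host, port), default port filled in.
    Unlike HSTS it keeps the port, so https://example.com:8443 differs."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else {"http": 80, "https": 443}.get(scheme, -1)
    return (scheme, (u.hostname or "").lower(), port)
```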

Appendix C.  Acknowledgments

   The authors thank Devdatta Akhawe, Michael Barrett, Tobias Gondrom,
   Paul Hoffman, Alexey Melnikov, Yoav Nir, Laksh Raghavan, Marsh Ray,
   Julian Reschke, Tom Ritter, Peter Saint-Andre, Sid Stamm, Maciej
   Stachowiak, Andy Steingrubl, Brandon Sterne, Martin Thomson, Daniel
   Veditz, as well as all the websec working group participants and
   others for their review and contributions.

   Thanks to Julian Reschke for his elegant re-writing of the effective
   request URI text, which he did when incorporating the ERU notion into
   the HTTPbis work.  Subsequently, the ERU text in this spec was lifted
   from Julian's work in [I-D.draft-ietf-httpbis-p1-messaging-17] and
   adapted to the [RFC2616] ABNF.

Appendix D.  Change Log

   [RFCEditor: please remove this section upon publication as an RFC.]

   Changes are grouped by spec revision listed in reverse issuance
   order.

D.1.  For draft-ietf-websec-strict-transport-sec

      Changes from -05 to -06:

      1.  Addressed various editorial comments provided by Tobias G.
          This addresses issue ticket #38.
          <http://trac.tools.ietf.org/wg/websec/trac/ticket/38>

      Changes from -04 to -05:

      1.  Fixed up references to move certain ones back to the normative
          section -- as requested by Alexey M. Added explanation for
          referencing obsoleted [RFC3490] and [RFC3492].  This addresses
          issue ticket #36.
          <http://trac.tools.ietf.org/wg/websec/trac/ticket/36>

      2.  Made minor change to Strict-Transport-Security header field
          ABNF in order to address further feedback as appended to
          ticket #33.  This addresses issue ticket #33.
          <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>

      Changes from -03 to -04:

      1.   Clarified that max-age=0 will cause UA to forget a known HSTS
           host, and more generally clarified that the "freshest" info
           from the HSTS host is cached, and thus HSTS hosts are able to
           alter the cached max-age in UAs.  This addresses issue ticket
           #13. <http://trac.tools.ietf.org/wg/websec/trac/ticket/13>

      2.   Updated section on "Constructing an Effective Request URI" to
           remove remaining reference to RFC3986 and reference RFC2616
           instead.  Further addresses issue ticket #14.
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/14>

      3.   Addresses further ABNF issues noted in comment:1 of issue
           ticket #27.  <http://trac.tools.ietf.org/wg/websec/trac/
           ticket/27#comment:1>

      4.   Reworked the introduction to clarify the denotation of "HSTS
           policy" and added the new Appendix B summarizing the primary
           characteristics of HSTS Policy and Same-Origin Policy, and
           identifying their differences.  Added ref to [RFC4732].  This
           addresses issue ticket #28.
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/28>

      5.   Reworked language in Section 2.3.1.3. wrt "mixed content",
           more clearly explain such vulnerability, disambiguate "mixed
           content" in web security context from its usage in markup
           language context.  This addresses issue ticket #29.
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/29>

      6.   Expanded Denial of Service discussion in Security
           Considerations.  Added refs to [RFC4732] and [CWE-113].  This
           addresses issue ticket #30.
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/30>

      7.   Mentioned in prose the case-insensitivity of directive names.
           This addresses issue ticket #31.
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/31>

      8.   Added Section 10.3 "Implications of includeSubDomains".  This
           addresses issue ticket #32.
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/32>

      9.   Further refines text and ABNF definitions of STS header field
           directives.  Retains use of quoted-string in directive
           grammar.  This addresses issue ticket #33.
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>

      10.  Added Section 14.7 "Creative Manipulation of HSTS Policy
           Store", including reference to [WebTracking].  This addresses
           issue ticket #34.
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/34>

      11.  Added Section 14.1 "Ramifications of HSTS Policy
           Establishment only over Error-free Secure Transport" and made
           some accompanying editorial fixes in some other sections.
           This addresses issue ticket #35.
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/35>

      12.  Refined references.  Cleaned out unused ones, updated to
           latest RFCs for others, consigned many to Informational.
           This addresses issue ticket #36.
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/36>

      13.  Fixed-up some inaccuracies in the "Changes from -02 to -03"
           section.

      Changes from -02 to -03:

      1.  Updated section on "Constructing an Effective Request URI" to
          remove references to RFC3986.  Addresses issue ticket #14.
          <http://trac.tools.ietf.org/wg/websec/trac/ticket/14>

      2.  Reference RFC5890 for IDNA, retaining subordinate refs to
          RFC3490.  Updated IDNA-specific language, e.g. domain name
          canonicalization and IDNA dependencies.  Addresses issue
          ticket #26
          <http://trac.tools.ietf.org/wg/websec/trac/ticket/26>.

      3.  Completely re-wrote the STS header ABNF to be fully based on
          RFC2616, rather than a hybrid of RFC2616 and httpbis.
          Addresses issue ticket #27
          <http://trac.tools.ietf.org/wg/websec/trac/ticket/27>.

      Changes from -01 to -02:

      1.   Updated Section 8.2 "URI Loading and Port Mapping" fairly
           thoroughly in terms of refining the presentation of the
           steps, and to ensure the various aspects of port mapping are
           clear.  Nominally fixes issue ticket #1
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/1>

      2.   Removed dependencies on
           [I-D.draft-ietf-httpbis-p1-messaging-15].  Thus updated STS
           ABNF in Section 6.1 "Strict-Transport-Security HTTP Response
           Header Field" by lifting some productions entirely from
           [I-D.draft-ietf-httpbis-p1-messaging-15] and leveraging
           [RFC2616].  Addresses issue ticket #2
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/2>.

      3.   Updated Effective Request URI section and definition to use
           language from [I-D.draft-ietf-httpbis-p1-messaging-15] and
           ABNF from [RFC2616].  Fixes issue ticket #3
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/3>.

      4.   Added explicit mention that the HSTS policy applies to all
           TCP ports of a host advertising the HSTS policy.  Nominally
           fixes issue ticket #4
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/4>

      5.   Clarified the need for the "includeSubDomains" directive,
           e.g. to protect Secure-flagged domain cookies.  In
           Section 14.2 "The Need for includeSubDomains".  Nominally
           fixes issue ticket #5
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/5>

      6.   Cited Firesheep as real-life threat in Section 2.3.1.1
           "Passive Network Attackers".  Nominally fixes issue ticket #6
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/6>.

      7.   Added text to Section 11 "User Agent Implementation Advice"
           justifying connection termination due to TLS warnings/errors.
           Nominally fixes issue ticket #7
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/7>.

      8.   Added new subsection Section 8.5 "Interstitially Missing
           Strict-Transport-Security Response Header Field".  Nominally
           fixes issue ticket #8
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/8>.

      9.   Added text to Section 8.3 "Errors in Secure Transport
           Establishment" to explicitly note revocation check failures as
           errors causing connection termination.  Added references to
           [RFC5280] and [RFC2560].  Nominally fixes issue ticket #9
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/9>.

      10.  Added a sentence, noting that distributing specific end-
           entity certificates to browsers will also work for self-
           signed/private-CA cases, to Section 10 "Server Implementation
           and Deployment Advice".  Nominally fixes issue ticket #10
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/10>.

      11.  Moved "with no user recourse" language from Section 8.3
           "Errors in Secure Transport Establishment" to Section 11
           "User Agent Implementation Advice".  This nominally fixes
           issue ticket #11
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/11>.

      12.  Removed any and all dependencies on
           [I-D.draft-ietf-httpbis-p1-messaging-15], instead depending
           on [RFC2616] only.  Fixes issue ticket #12
           <http://trac.tools.ietf.org/wg/websec/trac/ticket/12>.

      13.  Removed the inline "XXX1" issue because no one had commented
           on it and it seems reasonable to suggest as a SHOULD that web
           apps should redirect incoming insecure connections to secure
           connections.

      14.  Removed the inline "XXX2" issue because it was simply for
           raising consciousness about having some means for
           distributing secure web application metadata.

      15.  Removed "TODO1" because description prose for "max-age" in
           the Note following the ABNF in Section 6 seems to be fine.

      16.  Decided for "TODO2" that "the first STS header field wins".
           TODO2 had read: "Decide UA behavior in face of encountering
           multiple HSTS headers in a message.  Use first header?
           Last?".  Removed TODO2.

      17.  Added Section 1.1 "Organization of this specification" for
           readers' convenience.

      18.  Moved design decision notes to be a proper appendix
           Appendix A.

      Changes from -00 to -01:

      1.  Changed the "URI Loading" section to be "URI Loading and Port
          Mapping".

      2.  [HASMAT] reference changed to [WEBSEC].

      3.  Changed "server" -> "host" where applicable, notably when
          discussing "HSTS Hosts".  Left as "server" when discussing
          e.g. "http server"s.

      4.  Fixed minor editorial nits.

      Changes from draft-hodges-strict-transport-sec-02 to
      draft-ietf-websec-strict-transport-sec-00:

      1.  Altered spec metadata (e.g. filename, date) in order to submit
          as a WebSec working group Internet-Draft.

D.2.  For draft-hodges-strict-transport-sec

      Changes from -01 to -02:

      1.   Updated abstract such that means for expressing HSTS Policy
           other than via HSTS header field are noted.

      2.   Changed spec title to "HTTP Strict Transport Security (HSTS)"
           from "Strict Transport Security".  Updated use of "STS"
           acronym throughout spec to HSTS (except for when specifically
           discussing syntax of Strict-Transport-Security HTTP Response
           Header field), updated "Terminology" appropriately.

      3.   Updated the discussion of "Passive Network Attackers" to be
           more precise and offered references.

      4.   Removed para on normative/non-normative from "Conformance
           Criteria" pending polishing said section to IETF RFC norms.

      5.   Added examples subsection to "Syntax" section.

      6.   Added OWS to maxAge production in Strict-Transport-Security
           ABNF.

      7.   Cleaned up explanation in the "Note:" in the "HTTP-over-
           Secure-Transport Request Type" section, folded 3d para into
           "Note:", added conformance clauses to the latter.

      8.   Added explanatory "Note:" and reference to "HTTP Request
           Type" section.  Added "XXX1" issue.

      9.   Added conformance clause to "URI Loading".

      10.  Moved "Notes for STS Server implementors:" from "UA
           Implementation Advice" to "HSTS Policy expiration time
           considerations:" in "Server Implementation Advice", and also
           noted another option.

      11.  Added cautionary "Note:" to "Ability to delete UA's cached
           HSTS Policy on a per HSTS Server basis".

      12.  Added some informative references.

      13.  Various minor editorial fixes.

      Changes from -00 to -01:

      1.  Added reference to HASMAT mailing list and request that this
          spec be discussed there.

Authors' Addresses

   Jeff Hodges
   PayPal
   2211 North First Street
   San Jose, California  95131
   US

   Email: Jeff.Hodges@PayPal.com

   Collin Jackson
   Carnegie Mellon University

   Email: collin.jackson@sv.cmu.edu

   Adam Barth
   Google, Inc.

   Email: ietf@adambarth.com
   URI:   http://www.adambarth.com/
