Session Description Protocol (SDP) Format for Binary Floor Control Protocol (BFCP) Streams
draft-ietf-bfcpbis-rfc4583bis-22
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 8856.
|
|
|---|---|---|---|
| Authors | Gonzalo Camarillo , Tom Kristensen , Christer Holmberg | ||
| Last updated | 2018-04-17 (Latest revision 2018-04-10) | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Formats | |||
| Reviews |
GENART Last Call review
(of
-26)
by Pete Resnick
Ready w/issues
|
||
| Additional resources | Mailing list discussion | ||
| Stream | WG state | WG Consensus: Waiting for Write-Up | |
| Document shepherd | Mary Barnes | ||
| IESG | IESG state | Became RFC 8856 (Proposed Standard) | |
| Consensus boilerplate | Yes | ||
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-ietf-bfcpbis-rfc4583bis-22
Network Working Group J. Hodges
Internet-Draft PayPal
Intended status: Standards Track C. Jackson
Expires: September 13, 2012 Carnegie Mellon University
A. Barth
Google, Inc.
March 12, 2012
HTTP Strict Transport Security (HSTS)
draft-ietf-websec-strict-transport-sec-06
Abstract
This specification defines a mechanism enabling Web sites to declare
themselves accessible only via secure connections, and/or for users
to be able to direct their user agent(s) to interact with given sites
only over secure connections. This overall policy is referred to as
HTTP Strict Transport Security (HSTS). The policy is declared by Web
sites via the Strict-Transport-Security HTTP response header field,
and/or by other means, such as user agent configuration, for example.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 13, 2012.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Hodges, et al. Expires September 13, 2012 [Page 1]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Organization of this specification . . . . . . . . . . . . 5
2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2. HTTP Strict Transport Security Policy Effects . . . . . . 5
2.3. Threat Model . . . . . . . . . . . . . . . . . . . . . . . 6
2.3.1. Threats Addressed . . . . . . . . . . . . . . . . . . 6
2.3.1.1. Passive Network Attackers . . . . . . . . . . . . 6
2.3.1.2. Active Network Attackers . . . . . . . . . . . . . 7
2.3.1.3. Web Site Development and Deployment Bugs . . . . . 7
2.3.2. Threats Not Addressed . . . . . . . . . . . . . . . . 7
2.3.2.1. Phishing . . . . . . . . . . . . . . . . . . . . . 7
2.3.2.2. Malware and Browser Vulnerabilities . . . . . . . 8
2.4. Requirements . . . . . . . . . . . . . . . . . . . . . . . 8
2.4.1. Overall Requirement . . . . . . . . . . . . . . . . . 8
2.4.1.1. Detailed Core Requirements . . . . . . . . . . . . 8
2.4.1.2. Detailed Ancillary Requirements . . . . . . . . . 9
3. Conformance Criteria . . . . . . . . . . . . . . . . . . . . . 10
3.1. Document Conventions . . . . . . . . . . . . . . . . . . . 10
4. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 10
5. HSTS Mechanism Overview . . . . . . . . . . . . . . . . . . . 12
6. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
6.1. Strict-Transport-Security HTTP Response Header Field . . . 13
6.1.1. The max-age Directive . . . . . . . . . . . . . . . . 14
6.1.2. The includeSubDomains Directive . . . . . . . . . . . 14
6.2. Examples . . . . . . . . . . . . . . . . . . . . . . . . . 14
7. Server Processing Model . . . . . . . . . . . . . . . . . . . 14
7.1. HTTP-over-Secure-Transport Request Type . . . . . . . . . 15
7.2. HTTP Request Type . . . . . . . . . . . . . . . . . . . . 15
8. User Agent Processing Model . . . . . . . . . . . . . . . . . 16
8.1. Strict-Transport-Security Response Header Field
Processing . . . . . . . . . . . . . . . . . . . . . . . . 16
8.1.1. Noting a HSTS Host . . . . . . . . . . . . . . . . . . 17
8.1.2. Known HSTS Host Domain Name Matching . . . . . . . . . 17
8.2. URI Loading and Port Mapping . . . . . . . . . . . . . . . 18
8.3. Errors in Secure Transport Establishment . . . . . . . . . 19
8.4. HTTP-Equiv <Meta> Element Attribute . . . . . . . . . . . 19
8.5. Interstitially Missing Strict-Transport-Security
Response Header Field . . . . . . . . . . . . . . . . . . 19
Hodges, et al. Expires September 13, 2012 [Page 2]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
9. Domain Name IDNA-Canonicalization . . . . . . . . . . . . . . 20
10. Server Implementation and Deployment Advice . . . . . . . . . 20
10.1. HSTS Policy expiration time considerations . . . . . . . . 20
10.2. Using HSTS in conjunction with self-signed public-key
certificates . . . . . . . . . . . . . . . . . . . . . . . 21
10.3. Implications of includeSubDomains . . . . . . . . . . . . 22
11. User Agent Implementation Advice . . . . . . . . . . . . . . . 22
11.1. No User Recourse . . . . . . . . . . . . . . . . . . . . . 23
11.2. User-declared HSTS Policy . . . . . . . . . . . . . . . . 23
11.3. HSTS Pre-Loaded List . . . . . . . . . . . . . . . . . . . 23
11.4. Disallow Mixed Security Context . . . . . . . . . . . . . 24
11.5. HSTS Policy Deletion . . . . . . . . . . . . . . . . . . . 24
12. Constructing an Effective Request URI . . . . . . . . . . . . 24
12.1. ERU Fundamental Definitions . . . . . . . . . . . . . . . 24
12.2. Determining the Effective Request URI . . . . . . . . . . 25
12.2.1. Effective Request URI Examples . . . . . . . . . . . . 26
13. Internationalized Domain Names for Applications (IDNA):
Dependency and Migration . . . . . . . . . . . . . . . . . . . 26
14. Security Considerations . . . . . . . . . . . . . . . . . . . 26
14.1. Ramifications of HSTS Policy Establishment only over
Error-free Secure Transport . . . . . . . . . . . . . . . 27
14.2. The Need for includeSubDomains . . . . . . . . . . . . . . 28
14.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 28
14.4. Bootstrap MITM Vulnerability . . . . . . . . . . . . . . . 29
14.5. Network Time Attacks . . . . . . . . . . . . . . . . . . . 30
14.6. Bogus Root CA Certificate Phish plus DNS Cache
Poisoning Attack . . . . . . . . . . . . . . . . . . . . . 30
14.7. Creative Manipulation of HSTS Policy Store . . . . . . . . 30
14.8. Internationalized Domain Names . . . . . . . . . . . . . . 30
15. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 31
16. References . . . . . . . . . . . . . . . . . . . . . . . . . . 31
16.1. Normative References . . . . . . . . . . . . . . . . . . . 31
16.2. Informative References . . . . . . . . . . . . . . . . . . 33
Appendix A. Design Decision Notes . . . . . . . . . . . . . . . . 35
Appendix B. Differences between HSTS Policy and Same-Origin
Policy . . . . . . . . . . . . . . . . . . . . . . . 36
Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . . 37
Appendix D. Change Log . . . . . . . . . . . . . . . . . . . . . 37
D.1. For draft-ietf-websec-strict-transport-sec . . . . . . . . 37
D.2. For draft-hodges-strict-transport-sec . . . . . . . . . . 42
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 43
Hodges, et al. Expires September 13, 2012 [Page 3]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
1. Introduction
The HTTP protocol [RFC2616] may be used over various transports,
typically the Transmission Control Protocol (TCP). However, TCP does
not provide channel integrity protection, confidentiality, nor secure
host identification. Thus the Secure Sockets Layer (SSL) protocol
[I-D.ietf-tls-ssl-version3] and its successor Transport Layer
Security (TLS) [RFC5246], were developed in order to provide channel-
oriented security, and are typically layered between application
protocols and TCP. [RFC2818] specifies how HTTP is layered onto TLS,
and defines the Uniform Resource Identifier (URI) scheme of "https"
(in practice however, HTTP user agents (UAs) typically offer their
users choices among SSL2, SSL3, and TLS for secure transport).
UAs employ various local security policies with respect to the
characteristics of their interactions with web resources depending on
(in part) whether they are communicating with a given web resource's
host using HTTP or HTTP-over-a-Secure-Transport. For example,
cookies ([RFC6265]) may be flagged as Secure. UAs are to send such
Secure cookies to their addressed host only over a secure transport.
This is in contrast to non-Secure cookies, which are returned to the
host regardless of transport (although modulo other rules).
UAs typically annunciate to their users any issues with secure
connection establishment, such as being unable to validate a TLS
server certificate trust chain, or if a TLS server certificate is
expired, or if a TLS host's domain name appears incorrectly in the
TLS server certificate (see section 3.1 of [RFC2818]). Often, UAs
enable users to elect to continue to interact with a web resource's
host in the face of such issues. This behavior is sometimes referred
to as "click(ing) through" security [GoodDhamijaEtAl05]
[SunshineEgelmanEtAl09], and thus can be described as "click-through
insecurity".
A key vulnerability enabled by click-through insecurity is the
leaking of any cookies the web resource may be using to manage a
user#x27; line for a BFCP connection:
m=application 50000 TCP/TLS/BFCP *
4. Floor Control Roles
When two endpoints establish a BFCP stream, they need to determine
which of them acts as floor control client and which acts as floor
control server. Typically, a client that establishes a BFCP stream
with a conference server will act as floor control client, while the
conference server will act as floor control server. However, there
are scenarios where both endpoints would be able to act as floor
control server. For example, in a two-party session that involves an
audio stream and a shared whiteboard, the endpoints need to determine
which party will be act as floor control server.
Furthermore, there are situations where both endpoints act as both
floor control client and floor control server within the same
session. For example, in a two-party session that involves an audio
stream and a shared whiteboard, one endpoint acts as the floor
control server for the audio stream and the other endpoint acts as
the floor control server for the shared whiteboard. However, for a
given BFCP-controlled media stream one endpoint MUST act as floor
control client and one endpoint MUST act as floor control server.
Camarillo, et al. Expires October 12, 2018 [Page 4]
Internet-Draft BFCP April 2018
5. SDP 'floorctrl' Attribute
This section defines the SDP 'floorctrl' media-level attribute. The
attribute is used to determine the floor control role(s) that the
endpoints can take for the BFCP-controlled media streams. As
described in Section 5, an endpoint can take different roles for
different media streams, but for a given media stream an endpoint can
only take one role.
The Augmented BNF syntax [2] for the attribute is:
floor-control-attribute = "a=floorctrl:" role *(SP role)
role = "c-only" / "s-only" / "c-s"
An endpoint includes the attribute to indicate the role(s) it would
be willing to perform for the BFCP-controlled media streams:
c-only: The endpoint is willing to act as floor control client.
s-only: The endpoint is willing to act as floor control server only.
c-s: The endpoint is willing to act as floor control client and
floor control server.
When inserted in an offer, the offerer MAY indicate multiple
attribute values. When inserted in an answer, the answerer MUST
indicate only one attribute value. The offerer indicates which floor
control role(s) that it is willing to take. The answerer indicates
the role taken by the answerer. Based on this, the floor control
role(s) of the offerer is determined, as shown in Table 1.
+---------+----------+
| Offerer | Answerer |
+---------+----------+
| c-only | s-only |
| s-only | c-only |
| c-s | c-s |
+---------+----------+
Table 1: Roles
Endpoints compliant with [16] might not include the 'floorctrl'
attribute in offers and answerer. If the 'floorctrl' attribute is
not present the offerer will act as floor control client, and the
answerer will act as floor control server, for each BFCP-controlled
media stream.
Camarillo, et al. Expires October 12, 2018 [Page 5]
Internet-Draft BFCP April 2018
The SDP Offer/Answer procedures for the 'floorctrl' attribute are
defined in Section 13.
The following is an example of a 'floorctrl' attribute in an offer:
a=floorctrl:c-only s-only c-s
6. SDP 'confid' and 'userid' Attributes
This section defines the SDP 'confid' and the 'userid' media-level
attributes. The attributes are used by a floor control server to
convey the conference ID value and user ID value to the floor control
client, using decimal integer representation.
The Augmented BNF syntax [2] for the attributes is:
confid-attribute = "a=confid:" conference-id
conference-id = token
userid-attribute = "a=userid:" user-id
user-id = token
token-char = %x21 / %x23-27 / %x2A-2B / %x2D-2E / %x30-39
/ %x41-5A / %x5E-7E
token = 1*(token-char)
;token-char and token elements are defined in [RFC4566].
The SDP Offer/Answer procedures for the 'confid' and 'userid'
attributes are defined in Section 13.
7. SDP 'floorid' Attribute
This section defines the SDP 'floorid' media-level attribute. The
attribute conveys a floor identifier, and optionally pointers to one
or more BFCP-controlled media streams.
The Augmented BNF syntax [2] for the attribute is:
floor-id-attribute = "a=floorid:" token SP "mstrm:" token *(SP token)
The floor identifier value is the integer representation of the Floor
ID to be used in BFCP. Each media stream pointer value is associated
with an SDP 'label' attribute [8] of a media stream.
The SDP Offer/Answer procedures for the 'floorid' attribute are
defined in Section 13.
Camarillo, et al. Expires October 12, 2018 [Page 6]
Internet-Draft BFCP April 2018
Note: In [16] 'm-stream' was erroneously used in Section 14.
Although the example was non-normative, it is implemented by some
vendors and occurs in cases where the endpoint is willing to act
as an server. Therefore, it is RECOMMENDED to support parsing and
interpreting 'm-stream' the same way as 'mstrm' when receiving.
8. SDP 'bfcpver' Attribute
This section defines the SDP 'bfcpver' media-level attribute. The
attribute is used to negotiate the BFCP version.
The Augmented BNF syntax [2] for the attributes is:
bfcp-version-attribute = "a=bfcpver:" bfcp-version *(SP bfcp-version)
bfcp-version = token
An endpoint uses the 'bfcpver' attribute to convey the version(s) of
BFCP supported by the endpoint, using integer values. For a given
version, the attribute value representing the version MUST match the
"Version" field that would be presented in the BFCP COMMON-HEADER
[7]. The BFCP version that will eventually be used will be conveyed
with a BFCP-level Hello/HelloAck.
Endpoints compliant with [16] might not always include the 'bfcpver'
attribute in offers and answers. If the 'bfcpver' attribute is not
present, the default values are inferred from the transport specified
in the 'm' line (Section 3) associated with the stream. In
accordance with definition of the Version field in [7], when used
over a reliable transport the default attribute value is "1", and
when used over an unreliable transport the default attribute value is
"2".
The SDP Offer/Answer procedures for the 'bfcpver' attribute are
defined in Section 13.
9. Multiplexing Considerations
[20] defines how multiplexing of multiple media streams can be
negotiated. This specification does not define how BFCP streams can
be multiplexed with other media streams. Therefore, a BFCP stream
MUST NOT be associated with a BUNDLE group [20]. Note that BFCP-
controlled media streams might be multiplexed with other media
streams.
[21] defines the mux categories for the SDP attributes defined in
this specification, excluding the SDP 'bfcpver' attribute. . Table 2
defines the mux category for the 'bfcpver' attribute:
Camarillo, et al. Expires October 12, 2018 [Page 7]
Internet-Draft BFCP April 2018
+---------+------------------------+-------+--------------+
| Name | Notes | Level | Mux Category |
+---------+------------------------+-------+--------------+
| bfcpver | Needs further analysis | M | TBD |
+---------+------------------------+-------+--------------+
Table 2: Multiplexing Attribute Analysis
10. BFCP Connection Management
BFCP streams can use TCP or UDP as the underlying transport.
Endpoints exchanging BFCP messages over UDP send the BFCP messages
towards the peer using the connection address and port provided in
the SDP 'c' and 'm' lines. TCP connection management is more
complicated and is described in the following Section.
Note: When using Interactive Connectivity Establishment (ICE)
[17], TCP/DTLS/BFCP, and UDP/TLS/BFCP, the straight-forward
procedures for connection management as UDP/BFCP described above
apply. TCP/TLS/BFCP follows the same procedures as TCP/BFCP and
is described below.
10.1. TCP Connection Management
The management of the TCP connection used to transport BFCP messages
is performed using the SDP 'setup' and 'connection' attributes [6].
The 'setup' attribute indicates which of the endpoints initiates the
TCP connection. The 'connection' attribute handles TCP connection
re-establishment.
The BFCP specification [7] describes a number of situations when the
TCP connection between a floor control client and the floor control
server needs to be re-established. However, that specification does
not describe the re-establishment process because this process
depends on how the connection was established in the first place.
Endpoints using the offer/answer mechanism follow the following
rules.
When the existing TCP connection is closed and re-established
following the rules in [7], the floor control client MUST send an
offer towards the floor control server in order to re-establish the
connection. If a TCP connection cannot deliver a BFCP message and
times out, the endpoint that attempted to send the message (i.e., the
one that detected the TCP timeout) MUST send an offer in order to re-
establish the TCP connection.
Endpoints that use the offer/answer mechanism to negotiate TCP
connections MUST support the 'setup' and 'connection' attributes.
Camarillo, et al. Expires October 12, 2018 [Page 8]
Internet-Draft BFCP April 2018
11. Authentication
When a BFCP stream is negotiated using the SDP offer/answer
mechanism, it is assumed that the offerer and the answerer
authenticate each other using some mechanism. TLS/DTLS is the
preferred mechanism. Other mechanisms are possible, but are outside
the scope of this document. Once this mutual authentication takes
place, all the offerer and the answerer need to ensure is that the
entity they are receiving BFCP messages from is the same as the one
that generated the previous offer or answer.
The initial mutual authentication SHOULD take place at the signaling
level. Additionally, signaling can use S/MIME [5] to provide an
integrity-protected channel with optional confidentiality for the
offer/answer exchange. BFCP takes advantage of this integrity-
protected offer/answer exchange to perform authentication. Within
the offer/answer exchange, the offerer and answerer exchange the
fingerprints of their self-signed certificates. These self-signed
certificates are then used to establish the TLS/DTLS connection that
will carry BFCP traffic between the offerer and the answerer.
Endpoints follow the rules in [9] regarding certificate choice and
presentation. Endpoints that use the offer/answer model to establish
BFCP streams MUST support the 'fingerprint' attribute and MUST
include it in their offers and answers.
When TLS is used with TCP, once the underlying connection is
established, the answerer, which can be the floor control client or
the floor control server, acts as the TLS server regardless of its
role (passive or active) in the TCP establishment procedure. If the
TCP connection is lost, the active endpoint is responsible for re-
establishing the TCP connection. Unless a new TLS session is
negotiated, subsequent SDP offers and answers will not impact the
previously negotiated TLS roles.
When DTLS is used with UDP, the requirements specified in Section 5
of [14] MUST be followed.
Note: How to determine which endpoint initiates the TLS/DTLS
association depends on the selected underlying transport. It was
decided to keep the original semantics in [16] for TCP to retain
backwards compatibility. When using UDP, the procedure defined in
[14] was selected in order to be compatible with other DTLS based
protocol implementations, such as DTLS-SRTP. Furthermore, the
procedure defined in [14] do not overload offer/answer semantics
and works for offerless INVITE in scenarios with B2BUAs.
Camarillo, et al. Expires October 12, 2018 [Page 9]
Internet-Draft BFCP April 2018
12. ICE Considerations
Generic SDP offer/answer procedures for Interactive Connectivity
Establishment (ICE) are defined in [18].
When BFCP is used with UDP based ICE candidates [17] then the
procedures for UDP/TLS/BFCP are used.
When BFCP is used with TCP based ICE candidates [13] then the
procedures for TCP/DTLS/BFCP are used.
Based on the procedures defined in [14], endpoints treat all ICE
candidate pairs associated with a BFCP stream on top of a DTLS
association as part of the same DTLS association. Thus, there will
only be one BFCP handshake and one DTLS handshake even if there are
multiple valid candidate pairs, and if BFCF media is shifted between
candidate pairs (including switching between UDP to TCP candidate
pairs) prior to nomination. If new candidates are added, they will
also be part of the same DTLS association.
In order to maximize the likelihood of interoperability between the
endpoints, all ICE enabled BFCP-over-DTLS endpoints SHOULD implement
support for UDP/TLS/BFCP.
When an SDP offer or answer conveys multiple ICE candidates for a
BFCP stream, UDP based candidates SHOULD be included and the default
candidate SHOULD be chosen from one of those UDP candidates. If UDP
transport is used for the default candidate, then the 'm' line proto
value MUST be 'UDP/TLS/BFCP'. If TCP transport is used for the
default candidate, the 'm' line proto value MUST be 'TCP/DTLS/BFCP'.
Note: Usage of ICE with protocols other than UDP/TLS/BFCP and
TCP/DTLS/BFCP is outside of scope for this specification.
13. SDP Offer/Answer Procedures
This section defines the SDP offer/answer [4] procedures for
negotiating and establishing a BFCP stream. Generic procedures for
DTLS are defined in [14]. Generic procedures for TLS are defined in
[9].
This section only defines the BFCP-specific procedures. Unless
explicitly stated otherwise, the procedures apply to an 'm' line
describing a BFCP stream. If an offer or answer contains multiple
'm' lines describing BFCP streams, the procedures are applied
independently to each stream.
Camarillo, et al. Expires October 12, 2018 [Page 10]
Internet-Draft BFCP April 2018
If the 'm' line 'proto' value is 'TCP/TLS/BFCP', 'TCP/DTLS/BFCP' or
'UDP/TLS/BFCP', the offerer and answerer follow the generic
procedures defined in [9].
If the 'm' line proto value is 'TCP/BFCP', 'TCP/TLS/BFCP', 'TCP/DTLS/
TCP' or 'UDP/TLS/BFCP', the offerer and answerer use the SDP 'setup'
attribute according to the procedures in [6].
If the 'm' line proto value is 's session. The threat here is that an attacker could obtain the
cookies and then interact with the legitimate web resource while
impersonating the user.
Jackson and Barth proposed an approach, in [ForceHTTPS], to enable
web resources to declare that any interactions by UAs with the web
resource must be conducted securely, and that any issues with
establishing a secure transport session are to be treated as fatal
and without direct user recourse. The aim is to prevent click-
through insecurity, and address other potential threats.
This specification embodies and refines the approach proposed in
Hodges, et al. Expires September 13, 2012 [Page 4]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
[ForceHTTPS]. For example, rather than using a cookie to convey
policy from a web resource's host to a UA, it defines an HTTP
response header field for this purpose. Additionally, a web
resource's host may declare its policy to apply to the entire domain
name subtree rooted at its host name. This enables HSTS to protect
so-called "domain cookies", which are applied to all subdomains of a
given web resource's host name.
This specification also incorporates notions from [JacksonBarth2008]
in that policy is applied on an "entire-host" basis: it applies to
all TCP ports of the issuing host.
Note that the policy defined by this specification is distinctly
different than the "same-origin policy" defined in "The Web Origin
Concept" [RFC6454]. These differences are summarized below in
Appendix B.
1.1. Organization of this specification
This specification begins with an overview of the use cases, policy
effects, threat models, and requirements for HSTS (in Section 2).
Then, Section 3 defines conformance requirements. The HSTS mechanism
itself is formally specified in Section 4 through Section 15.
2. Overview
This section discusses the use cases, summarizes the HTTP Strict
Transport Security (HSTS) policy, and continues with a discussion of
the threat model, non-addressed threats, and derived requirements.
2.1. Use Cases
The high-level use case is a combination of:
o Web browser user wishes to interact with various web sites (some
arbitrary, some known) in a secure fashion.
o Web site deployer wishes to offer their site in an explicitly
secure fashion for both their own, as well as their users',
benefit.
2.2. HTTP Strict Transport Security Policy Effects
The effects of the HTTP Strict Transport Security (HSTS) Policy, as
applied by a UA in interactions with a web resource host wielding
such policy (known as a HSTS Host), are summarized as follows:
Hodges, et al. Expires September 13, 2012 [Page 5]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
1. All insecure ("http") connections to any TCP ports on a HSTS Host
are redirected by the HSTS Host to be secure connections
("https").
2. The UA terminates any secure transport connection attempts upon
any and all secure transport errors or warnings, including those
caused by a web application presenting self-signed certificates.
3. UAs transform insecure URI references to a HSTS Host into secure
URI references before dereferencing them.
2.3. Threat Model
HSTS is concerned with three threat classes: passive network
attackers, active network attackers, and imperfect web developers.
However, it is explicitly not a remedy for two other classes of
threats: phishing and malware. Addressed and not addressed threats
are briefly discussed below. Readers may wish refer to [ForceHTTPS]
for details as well as relevant citations.
2.3.1. Threats Addressed
2.3.1.1. Passive Network Attackers
When a user browses the web on a local wireless network (e.g., an
802.11-based wireless local area network) a nearby attacker can
possibly eavesdrop on the user's unencrypted Internet Protocol-based
connections, such as HTTP, regardless of whether or not the local
wireless network itself is secured [BeckTews09]. Freely available
wireless sniffing toolkits (e.g., [Aircrack-ng]) enable such passive
eavesdropping attacks, even if the local wireless network is
operating in a secure fashion. A passive network attacker using such
tools can steal session identifiers/cookies and hijack the user's web
session(s), by obtaining cookies containing authentication
credentials [ForceHTTPS]. For example, there exist widely-available
tools, such as Firesheep (a Firefox extension) [Firesheep], which
enable their wielder to obtain other local users' session cookies for
various web applications.
To mitigate such threats, some Web sites support, but usually do not
force, access using end-to-end secure transport -- e.g., signaled
through URIs constructed with the "https" scheme [RFC2818]. This can
lead users to believe that accessing such services using secure
transport protects them from passive network attackers.
Unfortunately, this is often not the case in real-world deployments
as session identifiers are often stored in non-Secure cookies to
permit interoperability with versions of the service offered over
insecure transport ("Secure cookies" are those cookies containing the
Hodges, et al. Expires September 13, 2012 [Page 6]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
"Secure" attribute [RFC6265]). For example, if the session
identifier for a web site (an email service, say) is stored in a non-
Secure cookie, it permits an attacker to hijack the user's session if
the user's UA makes a single insecure HTTP request to the site.
2.3.1.2. Active Network Attackers
A determined attacker can mount an active attack, either by
impersonating a user's DNS server or, in a wireless network, by
spoofing network frames or offering a similarly-named evil twin
access point. If the user is behind a wireless home router, an
attacker can attempt to reconfigure the router using default
passwords and other vulnerabilities. Some sites, such as banks, rely
on end-to-end secure transport to protect themselves and their users
from such active attackers. Unfortunately, browsers allow their
users to easily opt-out of these protections in order to be usable
for sites that incorrectly deploy secure transport, for example by
generating and self-signing their own certificates (without also
distributing their CA certificate to their users' browsers).
2.3.1.3. Web Site Development and Deployment Bugs
The security of an otherwise uniformly secure site (i.e. all of its
content is materialized via "https" URIs), can be compromised
completely by an active attacker exploiting a simple mistake, such as
the loading of a cascading style sheet or a SWF movie over an
insecure connection (both cascading style sheets and SWF movies can
script the embedding page, to the surprise of many web developers,
plus some browsers do not issue so-called "mixed content warnings"
when SWF files are embedded via insecure connections). Even if the
site's developers carefully scrutinize their login page for "mixed
content", a single insecure embedding anywhere on the overall site
compromises the security of their login page because an attacker can
script (i.e., control) the login page by injecting script into
another, insecurely loaded, site page.
Note: "Mixed content" as used above (see also section 5.3 in
[W3C.REC-wsc-ui-20100812]) refers to the notion termed "mixed
security context" in this specification, and should not be
confused with the same "mixed content" term used in the
context of markup languages such as XML and HTML.
2.3.2. Threats Not Addressed
2.3.2.1. Phishing
Phishing attacks occur when an attacker solicits authentication
credentials from the user by hosting a fake site located on a
Hodges, et al. Expires September 13, 2012 [Page 7]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
different domain than the real site, perhaps driving traffic to the
fake site by sending a link in an email message. Phishing attacks
can be very effective because users find it difficult to distinguish
the real site from a fake site. HSTS is not a defense against
phishing per se; rather, it complements many existing phishing
defenses by instructing the browser to protect session integrity and
long-lived authentication tokens [ForceHTTPS].
2.3.2.2. Malware and Browser Vulnerabilities
Because HSTS is implemented as a browser security mechanism, it
relies on the trustworthiness of the user's system to protect the
session. Malicious code executing on the user's system can
compromise a browser session, regardless of whether HSTS is used.
2.4. Requirements
This section identifies and enumerates various requirements derived
from the use cases and the threats discussed above, and lists the
detailed core requirements HTTP Strict Transport Security addresses,
as well as ancillary requirements that are not directly addressed.
2.4.1. Overall Requirement
o Minimize the risks to web browser users and web site deployers
that are derived from passive and active network attackers, web
site development and deployment bugs, as well as insecure user
actions.
2.4.1.1. Detailed Core Requirements
These core requirements are derived from the overall requirement, and
are addressed by this specification.
1. Web sites need to be able to declare to UAs that they should be
interacted with using a strict security policy.
2. Web sites need to be able to instruct UAs that contact them
insecurely to do so securely.
3. UAs need to persistently remember web sites that signal strict
security policy enablement, for time spans declared by the web
sites. Additionally, UAs need to cache the "freshest" strict
security policy information, in order to allow web sites to
update the information.
4. UAs need to re-write all insecure UA "http" URI loads to use the
"https" secure scheme for those web sites for which secure policy
Hodges, et al. Expires September 13, 2012 [Page 8]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
is enabled.
5. Web site administrators need to be able to signal strict security
policy application to subdomains of higher-level domains for
which strict security policy is enabled, and UAs need to enforce
such policy.
For example, both example.com and foo.example.com could set
policy for bar.foo.example.com.
6. UAs need to disallow security policy application to peer domains,
and/or higher-level domains, by domains for which strict security
policy is enabled.
For example, neither bar.foo.example.com nor foo.example.com can
set policy for example.com, nor can bar.foo.example.com set
policy for foo.example.com. Also, foo.example.com cannot set
policy for sibling.example.com.
7. UAs need to prevent users from clicking-through security
warnings. Halting connection attempts in the face of secure
transport exceptions is acceptable.
Note: A means for uniformly securely meeting the first core
requirement above is not specifically addressed by this
specification (see Section 14.4 "Bootstrap MITM
Vulnerability"). It may be addressed by a future revision of
this specification or some other specification. Note also
that there are means by which UA implementations may more
fully meet the first core requirement, see Section 11 "User
Agent Implementation Advice".
2.4.1.2. Detailed Ancillary Requirements
These ancillary requirements are also derived from the overall
requirement. They are not normatively addressed in this
specification, but could be met by UA implementations at their
implementor's discretion, although meeting these requirements may be
complex.
1. Disallow "mixed security context" loads (see Section 2.3.1.3,
above).
2. Facilitate user declaration of web sites for which strict
security policy is enabled, regardless of whether the sites
signal HSTS Policy.
Hodges, et al. Expires September 13, 2012 [Page 9]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
3. Conformance Criteria
This specification is written for hosts and user agents (UAs).
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
A conformant host is one that implements all the requirements listed
in this specification that are applicable to hosts.
A conformant user agent is one that implements all the requirements
listed in this specification that are applicable to user agents.
3.1. Document Conventions
Note: This is a note to the reader. These are points that should be
expressly kept in mind and/or considered.
Warning: This is how a warning is shown. These are things that can
have suboptimal downside risks if not heeded.
4. Terminology
Terminology is defined in this section.
ASCII case-insensitive comparison
means comparing two strings exactly, codepoint for
codepoint, except that the characters in the range
U+0041 .. U+005A (i.e. LATIN CAPITAL LETTER A to
LATIN CAPITAL LETTER Z) and the corresponding
characters in the range U+0061 .. U+007A (i.e.
LATIN SMALL LETTER A to LATIN SMALL LETTER Z) are
considered to also match. See [Unicode6] for
details.
codepoint is a colloquial contraction of Code Point, which is
any value in the Unicode codespace; that is, the
range of integers from 0 to 10FFFF(hex) [Unicode6].
domain name domain names, also referred to as DNS Names, are
defined in [RFC1035] to be represented outside of
the DNS protocol itself (and implementations
thereof) as a series of labels separated by dots,
e.g., "example.com" or "yet.another.example.org".
In the context of this specification, domain names
appear in that portion of a URI satisfying the reg-
Hodges, et al. Expires September 13, 2012 [Page 10]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
name production in "Appendix A. Collected ABNF for
URI" in [RFC3986], and the host component from the
Host HTTP header field production in section 14.23
of [RFC2616].
Note: The domain names appearing in actual URI
instances and matching the aforementioned
production components may or may not be a
fully qualified domain name.
domain name label is that portion of a domain name appearing "between
the dots", i.e. consider "foo.example.com": "foo",
"example", and "com" are all domain name labels.
Effective Request URI
is a URI, identifying the target resource, that can
be inferred by an HTTP host for any given HTTP
request it receives. Such inference is necessary
because HTTP requests often do not contain a
complete "absolute" URI identifying the target
resource. See Section 12 "Constructing an
Effective Request URI", below.
HTTP Strict Transport Security
is the overall name for the combined UA- and
server-side security policy defined by this
specification.
HTTP Strict Transport Security Host
is a HTTP host implementing the server aspects of
the HSTS policy. This means that an HSTS Host
returns the "Strict-Transport-Security" HTTP
response header field in its HTTP response messages
sent over secure transport.
HTTP Strict Transport Security Policy
is the name of the combined overall UA- and server-
side facets of the behavior specified in this
specification.
HSTS See HTTP Strict Transport Security.
HSTS Host See HTTP Strict Transport Security Host.
Hodges, et al. Expires September 13, 2012 [Page 11]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
HSTS Policy See HTTP Strict Transport Security Policy.
Known HSTS Host is a HSTS Host for which the UA has a HSTS Policy
in effect. I.e., the UA has noted this host as a
Known HSTS Host.
Local policy is comprised of policy rules deployers specify and
which are often manifested as "configuration
settings".
MITM is an acronym for man-in-the-middle. See "man-in-
the-middle attack" in [RFC4949].
Request URI is the URI used to cause a UA to issue an HTTP
request message.
UA is a an acronym for user agent. For the purposes
of this specification, a UA is an HTTP client
application typically actively manipulated by a
user [RFC2616] .
unknown HSTS Host is a HSTS Host that the user agent in question has
not yet noted.
5. HSTS Mechanism Overview
This section provides an overview of the mechanism by which an HSTS
Host conveys its HSTS Policy to UAs, and how UAs process the HSTS
Policies received from HSTS Hosts. The mechanism details are
specified in Section 6 through Section 15.
An HSTS Host conveys its HSTS Policy to UAs via the Strict-Transport-
Security HTTP response header field over secure transport (e.g.,
TLS). Receipt of this header field signals to UAs to enforce the
HSTS Policy for all subsequent connections made to the HSTS Host, for
a specified time duration. Application of the HSTS Policy to
subdomains of the HSTS Host name may optionally be specified.
HSTS Hosts manage their advertised HSTS Policies by sending Strict-
Transport-Security HTTP response header fields to UAs with new values
for policy time duration and application to subdomains. UAs cache
the "freshest" HSTS Policy information on behalf of an HSTS Host.
Specifying a zero time duration signals to the UA to delete the HSTS
policy for that HSTS host.
Section 6.2 presents examples of Strict-Transport-Security HTTP
response header fields.
Hodges, et al. Expires September 13, 2012 [Page 12]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
6. Syntax
This section defines the syntax of the Strict-Transport-Security HTTP
response header field and its directives, and presents some examples.
Section 7 "Server Processing Model" then details how hosts employ
this header field to declare their HSTS Policy, and Section 8 "User
Agent Processing Model" details how user agents process the header
field and apply the HSTS Policy.
6.1. Strict-Transport-Security HTTP Response Header Field
The Strict-Transport-Security HTTP response header field (STS header
field) indicates to a UA that it MUST enforce the HSTS Policy in
regards to the host emitting the response message containing this
header field.
The ABNF syntax for the STS header field is:
Strict-Transport-Security = "Strict-Transport-Security" ":"
*( ";" [ directive ] )
directive = token [ "=" ( token | quoted-string ) ]
where:
token = <token, defined in [RFC2616], Section 2.2>
quoted-string = <quoted-string, defined in [RFC2616], Section 2.2>
The two directives defined in this specification are described below.
The overall requirements for directives are:
o The order of appearance of directives is not significant.
o All directives MUST appear only once in an STS header field.
o Directive names are case-insensitive.
o UAs MUST ignore any STS header fields containing directives that
do not conform to their ABNF definition.
Additional directives extending the semantic functionality of the STS
header field may be defined in other specifications (which "update"
this specification), using the STS directive extension point.
Hodges, et al. Expires September 13, 2012 [Page 13]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
6.1.1. The max-age Directive
The REQUIRED max-age directive specifies the number of seconds, after
the reception of the STS header field, during which the UA regards
the host, from whom the message was received, as a Known HSTS Host
(see also Section 8.1.1 "Noting a HSTS Host", below). The delta-
seconds production is specified in [RFC2616].
The syntax of the max-age directive is defined as:
max-age = "max-age" "=" delta-seconds
delta-seconds = <1*DIGIT, defined in [RFC2616], Section 3.3.2>
Note: A max-age value of zero signals the UA to cease regarding the
host as a Known HSTS Host.
6.1.2. The includeSubDomains Directive
The OPTIONAL includeSubDomains directive is a flag which, if present,
signals to the UA that the HSTS Policy applies to this HSTS Host as
well as any subdomains of the host's domain name.
The syntax of the includeSubDomains directive is defined as:
includeSubDomains = "includeSubDomains"
6.2. Examples
The below HSTS header field stipulates that the HSTS policy is to
remain in effect for one year (there are approximately 31 536 000
seconds in a year), and the policy applies only to the domain of the
HSTS Host issuing it:
Strict-Transport-Security: max-age=31536000
The below HSTS header field stipulates that the HSTS policy is to
remain in effect for approximately six months and the policy applies
only to the domain of the issuing HSTS Host and all of its
subdomains:
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
7. Server Processing Model
This section describes the processing model that HSTS Hosts
implement. The model is comprised of two facets: the first being the
Hodges, et al. Expires September 13, 2012 [Page 14]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
processing rules for HTTP request messages received over a secure
transport (e.g., TLS [RFC5246], SSL [I-D.ietf-tls-ssl-version3], or
perhaps others), the second being the processing rules for HTTP
request messages received over non-secure transports, i.e. over
TCP/IP.
7.1. HTTP-over-Secure-Transport Request Type
When replying to an HTTP request that was conveyed over a secure
transport, a HSTS Host SHOULD include in its response message a STS
header field that MUST satisfy the grammar specified above in
Section 6.1 "Strict-Transport-Security HTTP Response Header Field".
If a STS header field is included, the HSTS Host MUST include only
one such header field.
Note: Including the STS header field is stipulated as a "SHOULD" in
order to accommodate various server- and network-side caches
and load-balancing configurations where it may be difficult to
uniformly emit STS header fields on behalf of a given HSTS
Host.
Establishing a given host as a Known HSTS Host, in the context
of a given UA, MAY be accomplished over the HTTP protocol by
correctly returning, per this specification, at least one
valid STS header field to the UA. Other mechanisms, such as a
client-side pre-loaded Known HSTS Host list MAY also be used.
E.g., see Section 11 "User Agent Implementation Advice".
7.2. HTTP Request Type
If a HSTS Host receives a HTTP request message over a non-secure
transport, it SHOULD send a HTTP response message containing a
Status-Code of 301 and a Location header field value containing
either the HTTP request's original Effective Request URI (see
Section 12 "Constructing an Effective Request URI", below) altered as
necessary to have a URI scheme of "https", or a URI generated
according to local policy (which SHOULD employ a URI scheme of
"https").
Note: The above behavior is a "SHOULD" rather than a "MUST" because:
* There are risks in server-side non-secure-to-secure redirects
[owaspTLSGuide].
* Site deployment characteristics -- e.g., a site that
incorporates third-party components may not behave correctly
when doing server-side non-secure-to-secure redirects in the
case of being accessed over non-secure transport, but does
Hodges, et al. Expires September 13, 2012 [Page 15]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
behave correctly when accessed uniformly over secure transport.
The latter is the case given a HSTS-capable UA that has already
noted the site as a Known HSTS Host (by whatever means, e.g.,
prior interaction or UA configuration).
A HSTS Host MUST NOT include the STS header field in HTTP responses
conveyed over non-secure transport.
8. User Agent Processing Model
This section describes the HTTP Strict Transport Security processing
model for UAs. There are several facets to the model, enumerated by
the following subsections.
This processing model assumes that the UA implements IDNA2008
[RFC5890], or possibly IDNA2003 [RFC3490], as noted in Section 13
"Internationalized Domain Names for Applications (IDNA): Dependency
and Migration". It also assumes that all domain names manipulated in
this specification's context are already IDNA-canonicalized as
outlined in Section 9 "Domain Name IDNA-Canonicalization" prior to
the processing specified in this section.
The above assumptions mean that this processing model also
specifically assumes that appropriate IDNA and Unicode validations
and character list testing have occurred on the domain names, in
conjunction with their IDNA-canonicalization, prior to the processing
specified in this section. See the IDNA-specific security
considerations in Section 14.8 "Internationalized Domain Names" for
rationale and further details.
8.1. Strict-Transport-Security Response Header Field Processing
If an HTTP response, received over a secure transport, includes a STS
header field, conforming to the grammar specified in Section 6.1
"Strict-Transport-Security HTTP Response Header Field" (above), and
there are no underlying secure transport errors or warnings (see
Section 8.3, below), the UA MUST either:
o Note the host as a Known HSTS Host if it is not already so noted
(see Section 8.1.1 "Noting a HSTS Host&'TCP/BFCP', 'TCP/TLS/BFCP' or
'TCP/DTLS/BFCP', the offerer and anwerer use the SDP 'connection'
attribute according to the procedures in [6].
Note: The use of source-specific SDP parameters [19] is not
defined to BFCP streams.
13.1. Generating the Initial SDP Offer
When the offerer creates an initial offer, the offerer MUST associate
an SDP 'floorctrl' attribute (Section 5) with the 'm' line.
In addition, if the offerer includes an SDP 'floorctrl' attribute
with 's-only' or 'c-s' attribute values in the offer, the offerer:
o MUST associate an SDP 'confid' attribute (Section 6) with the 'm'
line;
o MUST associate an SDP 'userid' attribute (Section 6) with the 'm'
line;
o MUST associate an SDP 'floorid' attribute (Section 7) with the 'm'
line;
o MUST associate an SDP 'label' attribute (Section 7) with the 'm'
line of each BFCP-controlled media stream; and
o MUST associate an SDP 'bfcpver' attribute (Section 8) with the 'm'
line.
Note: If the offerer includes an SDP 'floorctrl' attribute with a
'c-s' attribute value, or both a 'c-only' and a 's-only' attribute
value, in the offer, the attribute values above will only be used
if it is determined (Section 5) that the offerer will act as floor
control server. If it is determined that the offerer will act as
both floor control server and floor control client, the attribute
values will be used for the BFCP-controlled media streams where
the offerer acts as floor control server.
Camarillo, et al. Expires October 12, 2018 [Page 11]
Internet-Draft BFCP April 2018
13.2. Generating the SDP Answer
When the answerer receives an offer, which contains an 'm' line
describing a BFCP stream, if the answerer accepts the 'm' line it:
o MUST insert a corresponding 'm' line in the answer, with an
identical 'm' line proto value [4]
o MUST, if the offer contained an SDP 'floorctrl' attribute,
associate a 'floorctrl' attribute with the 'm' line;
In addition, if the answerer includes an SDP 'floorctrl' attribute
with 's-only' or 'c-s' attribute values in the answer, the answerer:
o MUST associate an SDP 'confid' attribute with the 'm' line;
o MUST associate an SDP 'userid' attribute with the 'm' line;
o MUST associate an SDP 'floorid' attribute with the 'm' line;
o MUST associate an SDP 'label' attribute with the 'm' line of each
BFCP-controlled media stream; and
o MUST associate a 'bfcpver' attribute with the 'm' line.
Note: If the answerer includes an SDP 'floorctrl' attribute with
an 'c-s' attribute value in the answer, the attribute values will
be used for the BFCP-controlled media streams where the answerer
acts as floor control server.
Note: An offerer compliant with [16] might not include 'floorctrl'
and 'bfcpver' attributes in offers, in which cases the default
values apply.
Once the answerer has sent the answer, the answerer:
o MUST, if the answerer is the 'active' endpoint, and if a TCP
connection associated with the 'm' line is to be established (or
re-established), initiate the establishing of the TCP connection;
and
o MUST, if the answerer is the 'active' endpoint, and if an TLS/DTLS
connection associated with the 'm' line is to be established (or
re-established), initiate the establishing of the TLS/DTLS
connection (by sending a ClientHello message).
If the answerer does not accept the 'm' line in the offer, it MUST
assign a zero port value to the corresponding 'm' line in the answer.
Camarillo, et al. Expires October 12, 2018 [Page 12]
Internet-Draft BFCP April 2018
In addition, the answerer MUST NOT establish a TCP connection or a
TLS/DTLS connection associated with the 'm' line.
13.3. Offerer Processing of the SDP Answer
When the offerer receives an answer, which contains an 'm' line with
a non-zero port value, describing a BFCP stream, the offerer:
o MUST, if the offer is the 'active' endpoint, and if a TCP
connection associated with the 'm' line is to be established (or
re-established), initiate the establishing of the TCP connection;
and
o MUST, if the offerer is the 'active' endpoint, and if an TLS/DTLS
connection associated with the 'm' line is to be established (or
re-established), initiate the establishing of the TLS/DTLS
connection (by sending a ClientHello message).
Note: An answerer compliant with [16] might not include
'floorctrl' and 'bfcpver' attributes in answers, in which cases
the default values apply.
If the 'm' line in the answer contains a zero port value, or if the
offerer for some other reason does not accept the answer, the offerer
MUST NOT establish a TCP connection or a TLS/DTLS connection
associated with the 'm' line.
13.4. Modifying the Session
When an offerer sends an updated offer, in order to modify a
previously established BFCP stream, it follows the procedures in
Section 13.1, with the following exceptions:
o If the BFCP stream is carried on top of TCP, and if the offerer
does not want to re-establish an existing TCP connection, the
offerer MUST associate an SDP connection attribute with an
'existing' value, with the 'm' line; and
o If the offerer wants to disable a previously established BFCP
stream, it MUST assign a zero port value to the 'm' line
associated with the BFCP connection, following the procedures in
[4].
14. Examples
For the purpose of brevity, the main portion of the session
description is omitted in the examples, which only show 'm' lines and
their attributes.
Camarillo, et al. Expires October 12, 2018 [Page 13]
Internet-Draft BFCP April 2018
The following is an example of an offer sent by a conference server
to a client.
m=application 50000 TCP/TLS/BFCP *
a=setup:actpass
a=connection:new
a=fingerprint:sha-256 \
19:E2:1C:3B:4B:9F:81:E6:B8:5C:F4:A5:A8:D8:73:04: \
BB:05:2F:70:9F:04:A9:0E:05:E9:26:33:E8:70:88:A2
a=floorctrl:c-only s-only
a=confid:4321
a=userid:1234
a=floorid:1 mstrm:10
a=floorid:2 mstrm:11
a=bfcpver:1
m=audio 50002 RTP/AVP 0
a=label:10
m=video 50004 RTP/AVP 31
a=label:11
Note that due to RFC formatting conventions, this document splits SDP
across lines whose content would exceed 72 characters. A backslash
character marks where this line folding has taken place. This
backslash and its trailing CRLF and whitespace would not appear in
actual SDP content.
The following is the answer returned by the client.
m=application 9 TCP/TLS/BFCP *
a=setup:active
a=connection:new
a=fingerprint:sha-256 \
6B:8B:F0:65:5F:78:E2:51:3B:AC:6F:F3:3F:46:1B:35: \
DC:B8:5F:64:1A:24:C2:43:F0:A1:58:D0:A1:2C:19:08
a=floorctrl:c-only
m=audio 55000 RTP/AVP 0
m=video 55002 RTP/AVP 31
A similar example using unreliable transport and DTLS is shown below,
where the offer is sent from a client.
Camarillo, et al. Expires October 12, 2018 [Page 14]
Internet-Draft BFCP April 2018
m=application 50000 UDP/TLS/BFCP *
a=setup:actpass
a=dtls-id:abc3dl
a=fingerprint:sha-256 \
19:E2:1C:3B:4B:9F:81:E6:B8:5C:F4:A5:A8:D8:73:04: \
BB:05:2F:70:9F:04:A9:0E:05:E9:26:33:E8:70:88:A2
a=floorctrl:c-only s-only
a=confid:4321
a=userid:1234
a=floorid:1 mstrm:10
a=floorid:2 mstrm:11
a=bfcpver:2
m=audio 50002 RTP/AVP 0
a=label:10
m=video 50004 RTP/AVP 31
a=label:11
The following is the answer returned by the server.
m=application 55000 UDP/TLS/BFCP *
a=setup:active
a=dtls-id:abc3dl
a=fingerprint:sha-256 \
6B:8B:F0:65:5F:78:E2:51:3B:AC:6F:F3:3F:46:1B:35: \
DC:B8:5F:64:1A:24:C2:43:F0:A1:58:D0:A1:2C:19:08
a=floorctrl:s-only
a=confid:4321
a=userid:1234
a=floorid:1 mstrm:10
a=floorid:2 mstrm:11
a=bfcpver:2
m=audio 55002 RTP/AVP 0
m=video 55004 RTP/AVP 31
15. Security Considerations
The BFCP [7], SDP [10], and offer/answer [4] specifications discuss
security issues related to BFCP, SDP, and offer/answer, respectively.
In addition, [6] and [9] discuss security issues related to the
establishment of TCP and TLS connections using an offer/answer model.
Furthermore, when using DTLS over UDP, considerations for its use
with RTP and RTCP are presented in [14]. The requirements for the
offer/answer exchange, as listed in Section 5 of [14], MUST be
followed.
An initial integrity-protected channel is REQUIRED for BFCP to
exchange self-signed certificates between a client and the floor
quot;, below),
or,
o Update its cached information for the Known HSTS Host if the max-
age and/or includeSubDomains header field value tokens are
conveying information different than that already maintained by
the UA.
Hodges, et al. Expires September 13, 2012 [Page 16]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
Note: The max-age value is essentially a "time to live" value
relative to the reception time of the STS header field.
If the max-age header field value token has a value of zero,
the UA MUST remove its cached HSTS Policy information if the
HSTS Host is known, or, MUST NOT note this HSTS Host if it is
not yet known.
If a UA receives more than one STS header field in a HTTP
response message over secure transport, then the UA MUST
process only the first such header field.
Otherwise:
o If an HTTP response is received over insecure transport, the UA
MUST ignore any present STS header field(s).
o The UA MUST ignore any STS header fields not conforming to the
grammar specified in Section 6.1 "Strict-Transport-Security HTTP
Response Header Field" (above).
8.1.1. Noting a HSTS Host
If the substring matching the host production from the Request-URI,
that the host responded to, syntactically matches the IP-literal or
IPv4address productions from section 3.2.2 of [RFC3986], then the UA
MUST NOT note this host as a Known HSTS Host.
Otherwise, if the substring does not congruently match a presently
known HSTS Host, per the matching procedure specified in
Section 8.1.2 "Known HSTS Host Domain Name Matching" below, then the
UA MUST note this host as a Known HSTS Host, caching the HSTS Host's
domain name and noting along with it the expiry time of this
information, as effectively stipulated per the given max-age value,
as well as whether the includeSubDomains flag is asserted or not.
8.1.2. Known HSTS Host Domain Name Matching
A UA determines whether a domain name represents a Known HSTS Host by
looking for a match between the query Domain Name and the UA's set of
Known HSTS Hosts.
1. Compare the query domain name string with the Domain Names of the
UA's set of Known HSTS Hosts. For each Known HSTS Host's domain
name, the comparison is done with the query domain name label-by-
label using an ASCII case-insensitive comparison beginning with
the rightmost label, continuing right-to-left, and ignoring
separator characters. See also section 2.3.2.4. of [RFC5890].
Hodges, et al. Expires September 13, 2012 [Page 17]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
* If a label-for-label match between an entire Known HSTS Host's
domain name and a right-hand portion of the query domain name
is found, then the Known HSTS Host's domain name is a
superdomain match for the query domain name.
For example:
Query Domain Name: bar.foo.example.com
Superdomain matched
Known HSTS Host DN: foo.example.com
At this point, the query domain name is ascertained to
effectively represent a Known HSTS Host. There may also be
additional matches further down the domain name label tree, up
to and including a congruent match.
* If a label-for-label match between a Known HSTS Host's domain
name and the query domain name is found, i.e. there are no
further labels to compare, then the query domain name
congruently matches this Known HSTS Host.
For example:
Query Domain Name: foo.example.com
Congruently matched
Known HSTS Host DN: foo.example.com
The query domain name is ascertained to represent a Known HSTS
Host. However, if there are also superdomain matches, the one
highest in the tree asserts the HSTS Policy for this Known
HSTS Host.
* Otherwise, if no matches are found, the query domain name does
not represent a Known HSTS Host.
8.2. URI Loading and Port Mapping
Whenever the UA prepares to "load", also known as "dereference", any
URI where the host component of the authority component of the URI
[RFC3986] matches that of a Known HSTS Host (either as a congruent
match or as a superdomain match where the superdomain Known HSTS Host
has includeSubDomains asserted), then before proceeding with the
load:
Hodges, et al. Expires September 13, 2012 [Page 18]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
If the URI's scheme is "http", then the UA MUST replace the URI
scheme with "https" [RFC2818], and,
if the URI contains an explicit port component [RFC3986] of
"80", then the UA MUST convert the port component to be "443",
or,
if the URI contains an explicit port component that is not
equal to "80", the port component value MUST be preserved,
otherwise,
if the URI does not contain an explicit port component, the UA
MUST NOT add one.
Otherwise, if the URI's scheme is "https", then the UA MUST NOT
modify the URI before dereferencing it.
Note that the implication of the above steps is that the HSTS policy
applies to all TCP ports on a host advertising the HSTS policy.
8.3. Errors in Secure Transport Establishment
When connecting to a Known HSTS Host, the UA MUST terminate the
connection (see also Section 11 "User Agent Implementation Advice",
below) if there are any errors (e.g., certificate errors), whether
"warning" or "fatal" or any other error level, with the underlying
secure transport. This includes any issues with certificate
revocation checking whether via the Certificate Revocation List (CRL)
[RFC5280], or via the Online Certificate Status Protocol (OCSP)
[RFC2560].
8.4. HTTP-Equiv <Meta> Element Attribute
UAs MUST NOT heed http-equiv="Strict-Transport-Security" attribute
settings on <meta> elements in received content.
8.5. Interstitially Missing Strict-Transport-Security Response Header
Field
If a UA receives HTTP responses from a Known HSTS Host over a secure
channel, but they are missing the STS header field, the UA MUST
continue to treat the host as a Known HSTS Host until the max-age
value for the knowledge of that Known HSTS Host is reached. Note
that the max-age could be infinite for a given Known HSTS Host. For
example, if the Known HSTS Host is part of a pre-configured list that
is implemented such that the list entries never "age out".
Hodges, et al. Expires September 13, 2012 [Page 19]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
9. Domain Name IDNA-Canonicalization
An IDNA-canonicalized domain name is the string generated by the
following algorithm, whose input must be a valid Unicode-encoded (in
NFC form [Unicode6]) string-serialized domain name:
1. Convert the domain name to a sequence of individual domain name
label strings.
2. When implementing IDNA2008, convert each label that is not a Non-
Reserved LDH (NR-LDH) label, to an A-label. See Section 2.3.2 of
[RFC5890] for definitions of the former and latter, refer to
Sections 5.3 through 5.5 of [RFC5891] for the conversion
algorithm and requisite input validation and character list
testing procedures.
Otherwise, when implementing IDNA2003, convert each label using
the "ToASCII" conversion in Section 4 of [RFC3490] (see also the
definition of "equivalence of labels" in Section 2 of the latter
specification).
3. Concatenate the resulting labels, separating each label from the
next with (".") a %x2E character.
See also Section 13 "Internationalized Domain Names for Applications
(IDNA): Dependency and Migration" and Section 14.8 "Internationalized
Domain Names" of this specification for further details and
considerations.
10. Server Implementation and Deployment Advice
This section is non-normative.
10.1. HSTS Policy expiration time considerations
Server implementations and deploying web sites need to consider
whether they are setting an expiry time that is a constant value into
the future, e.g., by constantly sending the same max-age value to
UAs.
For example, a max-age value of 778000 is 90 days:
Strict-Transport-Security: max-age=778000
Note that each receipt of this header by a UA will require the UA to
update its notion of when it must delete its knowledge of this Known
HSTS Host. The specifics of how this is accomplished is out of the
Hodges, et al. Expires September 13, 2012 [Page 20]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
scope of this specification.
Or, whether they are setting an expiry time that is a fixed point in
time, e.g., by sending max-age values that represent the remaining
time until the expiry time.
A consideration here is whether a deployer wishes to have the
signaled HSTS Policy expiry time match that for the web site's domain
certificate.
Additionally, server implementers should consider employing a default
max-age value of zero in their deployment configuration systems.
This will require deployers to wilfully set max-age in order to have
UAs enforce the HSTS Policy for their host, and protects them from
inadvertently enabling HSTS with some arbitrary non-zero duration.
10.2. Using HSTS in conjunction with self-signed public-key
certificates
If a web site/organization/enterprise is generating their own secure
transport public-key certificates for web sites, and that
organization's root certification authority (CA) certificate is not
typically embedded by default in browser CA certificate stores, and
if HSTS Policy is enabled on a site identifying itself using a self-
signed certificate, then secure connections to that site will fail,
per the HSTS design. This is to protect against various active
attacks, as discussed above.
However, if said organization strongly wishes to employ self-signed
certificates, and their own CA in concert with HSTS, they can do so
by deploying their root CA certificate to their users' browsers.
They can also, in addition or instead, distribute to their users'
browsers the end-entity certificate(s) for specific hosts. There are
various ways in which this can be accomplished (details are out of
scope for this specification). Once their root CA certificate is
installed in the browsers, they may employ HSTS Policy on their
site(s).
Note: Interactively distributing root CA certificates to users,
e.g., via email, and having the users install them, is
arguably training the users to be susceptible to a possible
form of phishing attack, see Section 14.6 "Bogus Root CA
Certificate Phish plus DNS Cache Poisoning Attack".
Hodges, et al. Expires September 13, 2012 [Page 21]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
10.3. Implications of includeSubDomains
The includeSubDomains directive has some practical implications --
for example, if a HSTS Host offers HTTP-based services on various
ports or at various subdomains of its host domain name, then they
will all have to be available over secure transport in order to work
properly.
For example, certification authorities often offer their CRL
distribution and OCSP services over plain HTTP, and sometimes at a
subdomain of a publicly-available web application which may be
secured by TLS/SSL. For example, <https://example-ca.com/> is a
publicly-available web application for "Example CA", a certification
authority. Customers use this web application to register their
public keys and obtain certificates. Example CA generates
certificates for customers containing
<http://crl-and-ocsp.example-ca.com/> as the value for the "CRL
Distribution Points" and "Authority Information Access:OCSP"
certificate fields.
If example-ca.com were to issue an HSTS Policy with the
includeSubDomains directive, then HTTP-based user agents implementing
HSTS, and that have interacted with the example-ca.com web
application, would fail to retrieve CRLs and fail to check OCSP for
certificates because these services are offered over plain HTTP.
In this case, Example CA can either:
o not use the includeSubDomains directive, or,
o ensure HTTP-based services offered at subdomains of example-ca.com
are uniformly offered over TLS/SSL, or,
o offer plain HTTP-based services at a different domain name, e.g.,
example-ca-services.net.
11. User Agent Implementation Advice
This section is non-normative.
In order to provide users and web sites more effective protection, as
well as controls for managing their UA's caching of HSTS Policy, UA
implementors should consider including features such as:
Hodges, et al. Expires September 13, 2012 [Page 22]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
11.1. No User Recourse
Failing secure connection establishment on any warnings or errors
(per Section 8.3 "Errors in Secure Transport Establishment"), should
be done with "no user recourse". This means that the user should not
be presented with an explanatory dialog giving her the option to
proceed. Rather, it should be treated similarly to a server error
where there is nothing further the user can do with respect to
interacting with the target web application, other than wait and re-
try.
Essentially, "any warnings or errors" means anything that would cause
the UA implementation to annunciate to the user that something is not
entirely correct with the connection establishment.
Not doing this, i.e., allowing user recourse such as "clicking-
through warning/error dialogs", is a recipe for a Man-in-the-Middle
attack. If a web application advertises HSTS, then it is opting into
this scheme, whereby all certificate errors or warnings cause a
connection termination, with no chance to "fool" the user into making
the wrong decision and compromising themselves.
11.2. User-declared HSTS Policy
Ability for users to explicitly declare a given Domain Name as
representing a HSTS Host, thus seeding it as a Known HSTS Host before
any actual interaction with it. This would help protect against the
Section 14.4 "Bootstrap MITM Vulnerability".
Note: Such a feature is difficult to get right on a per-site basis
-- see the discussion of "rewrite rules" in section 5.5 of
[ForceHTTPS]. For example, arbitrary web sites may not
materialize all their URIs using the "https" scheme, and thus
could "break" if a UA were to attempt to access the site
exclusively using such URIs. Also note that this feature
would complement, but is independent of the following
described facility.
11.3. HSTS Pre-Loaded List
Facility whereby web site administrators can have UAs pre-configured
with HSTS Policy for their site(s) by the UA vendor(s) -- a so-called
"pre-loaded list" -- in a manner similar to how root CA certificates
are embedded in browsers "at the factory". This would help protect
against the Section 14.4 "Bootstrap MITM Vulnerability".
Hodges, et al. Expires September 13, 2012 [Page 23]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
Note: Such a facility would complement a "User-declared HSTS Policy"
feature.
11.4. Disallow Mixed Security Context
Disallowing "mixed security context" (also known as "mixed content")
loads (see section 5.3 "Mixed Content" in [W3C.REC-wsc-ui-20100812]).
Note: In order to provide behavioral uniformity across UA
implementations, the notion of mixed security context will
require further standardization work, e.g., to more clearly
define the term(s) and to define specific behaviors with
respect to it.
11.5. HSTS Policy Deletion
Ability to delete UA's cached HSTS Policy on a per HSTS Host basis.
Note: Adding such a feature should be done very carefully in both
the user interface and security senses. Deleting a cache
entry for a Known HSTS Host should be a very deliberate and
well-considered act -- it shouldn't be something users get
used to just "clicking through" in order to get work done.
Also, it shouldn't be possible for an attacker to inject
script into the UA that silently and programmatically removes
entries from the UA's cache of Known HSTS Hosts.
12. Constructing an Effective Request URI
This section specifies how an HSTS Host must construct the Effective
Request URI for a received HTTP request.
HTTP requests often do not carry an absoluteURI for the target
resource; instead, the URI needs to be inferred from the Request-URI,
Host header field, and connection context ([RFC2616], Sections 3.2.1
and 5.1.2). The result of this process is called the "effective
request URI (ERU)". The "target resource" is the resource identified
by the effective request URI.
12.1. ERU Fundamental Definitions
The first line of an HTTP request message, Request-Line, is specified
by the following ABNF from [RFC2616], section 5.1:
Request-Line = Method SP Request-URI SP HTTP-Version CRLF
The Request-URI, within the Request-Line, is specified by the
Hodges, et al. Expires September 13, 2012 [Page 24]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
following ABNF from [RFC2616], section 5.1.2:
Request-URI = "*" | absoluteURI | abs_path | authority
The Host request header field is specified by the following ABNF from
[RFC2616], section 14.23:
Host = "Host" ":" host [ ":" port ]
12.2. Determining the Effective Request URI
If the Request-URI is an absoluteURI, then the effective request URI
is the Request-URI.
If the Request-URI uses the abs_path form or the asterisk form, and
the Host header field is present, then the effective request URI is
constructed by concatenating:
o the scheme name: "http" if the request was received over an
insecure TCP connection, or "https" when received over a TLS/
SSL-secured TCP connection, and,
o the octet sequence "://", and,
o the host, and the port (if present), from the Host header field,
and
o the Request-URI obtained from the Request-Line, unless the
Request-URI is just the asterisk "*".
If the Request-URI uses the abs_path form or the asterisk form, and
the Host header field is not present, then the effective request URI
is undefined.
Otherwise, when Request-URI uses the authority form, the effective
request URI is undefined.
Effective request URIs are compared using the rules described in
[RFC2616] Section 3.2.3, except that empty path components MUST NOT
be treated as equivalent to an absolute path of "/".
Hodges, et al. Expires September 13, 2012 [Page 25]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
12.2.1. Effective Request URI Examples
Example 1: the effective request URI for the message
GET /pub/WWW/TheProject.html HTTP/1.1
Host: www.example.org:8080
(received over an insecure TCP connection) is "http", plus "://",
plus the authority component "www.example.org:8080", plus the
request-target "/pub/WWW/TheProject.html". Thus it is:
"http://www.example.org:8080/pub/WWW/TheProject.html".
Example 2: the effective request URI for the message
OPTIONS * HTTP/1.1
Host: www.example.org
(received over an SSL/TLS secured TCP connection) is "https", plus
"://", plus the authority component "www.example.org". Thus it is:
"https://www.example.org".
13. Internationalized Domain Names for Applications (IDNA): Dependency
and Migration
Textual domain names on the modern Internet may contain one or more
"internationalized" domain name labels. Such domain names are
referred to as "internationalized domain names" (IDNs). The
specification suites defining IDNs and the protocols for their use
are named "Internationalized Domain Names for Applications (IDNA)".
At this time, there are two such specification suites: IDNA2008
[RFC5890] and its predecessor IDNA2003 [RFC3490].
IDNA2008 obsoletes IDNA2003, but there are differences between the
two specifications, and thus there can be differences in processing
(e.g., converting) domain name labels that have been registered under
one from those registered under the other. There will be a
transition period of some time during which IDNA2003-based domain
name labels will exist in the wild. User agents SHOULD implement
IDNA2008 [RFC5890] and MAY implement [RFC5895] (see also Section 7 of
[RFC5894]) or [UTS46] in order to facilitate their IDNA transition.
If a user agent does not implement IDNA2008, the user agent MUST
implement IDNA2003.
14. Security Considerations
Hodges, et al. Expires September 13, 2012 [Page 26]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
14.1. Ramifications of HSTS Policy Establishment only over Error-free
Secure Transport
The User Agent Processing Model defined in Section 8, stipulates that
a host is initially noted as a Known HSTS Host, or that updates are
made to a Known HSTS Host's cached information, only if the UA
receives the STS header field over a secure transport connection
having no underlying secure transport errors or warnings.
The rationale behind this is that if there is a man-in-the-middle
(MITM) -- whether a legitimately deployed proxy or an illegitimate
entity -- it could cause various mischief (see also Appendix A
"Design Decision Notes", item 3, as well as Section 14.4 "Bootstrap
MITM Vulnerability" ), for example:
o Unauthorized notation of the host as a Known HSTS Host,
potentially leading to a denial of service situation if the host
does not uniformly offer its services over secure transport (see
also Section 14.3 "Denial of Service".
o Resetting the time-to-live for the host's designation as a Known
HSTS Host by manipulating the max-age header field parameter value
that is returned to the UA. If max-age is returned as zero, this
will cause the host to no longer be regarded as an Known HSTS Host
by the UA, leading to either insecure connections to the host or
possibly denial-of-service if the host delivers its services only
over secure transport.
However, this means that if a UA is "behind" a proxy -- within a
corporate intranet, for example -- and interacts with an unknown HSTS
Host beyond the proxy, the user will possibly be presented with the
legacy secure connection error dialogs. And even if the risk is
accepted and the user clicks-through, the host will not be noted as a
HSTS Host. Thus as long as the UA is behind such a proxy the user
will be vulnerable, and possibly be presented with the legacy secure
connection error dialogs for as yet unknown HSTS Hosts.
But once the UA successfully connects to an unknown HSTS Host over
error-free secure transport, the host will be noted as a Known HSTS
Host. This will result in the failure of subsequent connection
attempts from behind interfering proxies.
The above discussion relates to the recommendation in Section 11
"User Agent Implementation Advice" that the secure connection be
terminated with "no user recourse" whenever there are warnings and
errors and the host is a Known HSTS Host. Such a posture protects
users from "clicking through" security warnings and putting
themselves at risk.
Hodges, et al. Expires September 13, 2012 [Page 27]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
14.2. The Need for includeSubDomains
Without the includeSubDomains directive, a web application would not
be able to adequately protect so-called "domain cookies" (even if
these cookies have their "Secure" flag set and thus are conveyed only
on secure channels). These are cookies the web application expects
UAs to return to any and all subdomains of the web application.
For example, suppose example.com represents the top-level DNS name
for a web application. Further suppose that this cookie is set for
the entire example.com domain, i.e. it is a "domain cookie", and it
has its Secure flag set. Suppose example.com is a Known HSTS Host
for this UA, but the includeSubDomains flag is not set.
Now, if an attacker causes the UA to request a subdomain name that is
unlikely to already exist in the web application, such as
"https://uxdhbpahpdsf.example.com/", but the attacker has established
somewhere and registered in the DNS, then:
1. The UA is unlikely to already have an HSTS policy established for
"uxdhbpahpdsf.example.com", and,
2. The HTTP request sent to uxdhbpahpdsf.example.com will include
the Secure-flagged domain cookie.
3. If "uxdhbpahpdsf.example.com" returns a certificate during TLS
establishment, and the user clicks through any warning that might
be annunciated (it is possible, but not certain, that one may
obtain a requisite certificate for such a domain name such that a
warning may or may not appear), then the attacker can obtain the
Secure-flagged domain cookie that's ostensibly being protected.
Without the "includeSubDomains" directive, HSTS is unable to protect
such Secure-flagged domain cookies.
14.3. Denial of Service
HSTS could be used to mount certain forms of Denial-of- Service (DoS)
attacks against web sites. A DoS attack is an attack in which one or
more network entities target a victim entity and attempt to prevent
the victim from doing useful work. This section discusses such
scenarios in terms of HSTS, though this list is not exhaustive. See
also [RFC4732] for a discussion of overall Internet DoS
considerations.
o Web applications available over HTTP
There is an opportunity for perpetrating DoS attacks with web
Hodges, et al. Expires September 13, 2012 [Page 28]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
applications that are -- or critical portions of them are --
available only over HTTP without secure transport, if attackers
can cause UAs to set HSTS Policy for such web applications'
host(s).
This is because once the HSTS Policy is set for a web
application's host in a UA, the UA will only use secure transport
to communicate with the host. If the host is not using secure
transport, or is not for critical portions of its web application,
then the web application will be rendered unusable for the UA's
user.
An HSTS Policy can be set for a victim host in various ways:
* If the web application has a HTTP response splitting
vulnerability [CWE-113] (which can be abused in order to
facilitate "HTTP Header Injection").
* If an attacker can spoof a redirect from an insecure victim
site, e.g., <http://example.com/> to <httpS://example.com/>,
where the latter is attacker-controlled and has an apparently
valid certificate, then the attacker can set an HSTS Policy for
example.com, and also for all subdomains of example.com.
* If an attacker can convince users to manually configure HSTS
Policy for a victim host, assuming their UAs offer this
capability (see Section 11 "User Agent Implementation Advice").
Or if such UA configuration is scriptable, and the attacker can
cause UAs to execute his script.
o Inadvertent use of includeSubDomains
The includeSubDomains directive instructs UAs to automatically
regard all subdomains of the given HSTS Host as Known HSTS Hosts.
If any such subdomains do not support properly configured secure
transport, then they will be rendered unreachable from such UAs.
14.4. Bootstrap MITM Vulnerability
The bootstrap MITM (Man-In-The-Middle) vulnerability is a
vulnerability users and HSTS Hosts encounter in the situation where
the user manually enters, or follows a link, to an unknown HSTS Host
using a "http" URI rather than a "https" URI. Because the UA uses an
insecure channel in the initial attempt to interact with the
specified server, such an initial interaction is vulnerable to
various attacks [ForceHTTPS] .
Hodges, et al. Expires September 13, 2012 [Page 29]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012Camarillo, et al. Expires October 12, 2018 [Page 15]
Internet-Draft BFCP April 2018
control server. For session descriptions carried in SIP [3], S/MIME
[5] is the natural choice to provide such a channel.
16. IANA Considerations
[Editorial note: The changes in Section 16.1 instruct the IANA to
register the three new values TCP/DTLS/BFCP, UDP/BFCP and UDP/TLS/
BFCP for the SDP 'proto' field. The new section Section 16.6
registers a new SDP "bfcpver" attribute. The rest is unchanged
from [15].]
16.1. Registration of SDP 'proto' Values
The IANA has registered the following values for the SDP 'proto'
field under the Session Description Protocol (SDP) Parameters
registry:
+---------------+------------+
| Value | Reference |
+---------------+------------+
| TCP/BFCP | [RFC XXXX] |
| TCP/DTLS/BFCP | [RFC XXXX] |
| TCP/TLS/BFCP | [RFC XXXX] |
| UDP/BFCP | [RFC XXXX] |
| UDP/TLS/BFCP | [RFC XXXX] |
+---------------+------------+
Table 3: Values for the SDP 'proto' field
16.2. Registration of the SDP 'floorctrl' Attribute
The IANA has registered the following SDP att-field under the Session
Description Protocol (SDP) Parameters registry:
Contact name: iesg@ietf.org
Attribute name: floorctrl
Long-form attribute name: Floor Control
Type of attribute: Media level
Subject to charset: No
Purpose of attribute: The 'floorctrl' attribute is used to
perform floor control server determination.
Allowed attribute values: 1*("c-only" / "s-only" / "c-s")
Camarillo, et al. Expires October 12, 2018 [Page 16]
Internet-Draft BFCP April 2018
16.3. Registration of the SDP 'confid' Attribute
The IANA has registered the following SDP att-field under the Session
Description Protocol (SDP) Parameters registry:
Contact name: iesg@ietf.org
Attribute name: confid
Long-form attribute name: Conference Identifier
Type of attribute: Media level
Subject to charset: No
Purpose of attribute: The 'confid' attribute carries the
integer representation of a Conference ID.
Allowed attribute values: A token
16.4. Registration of the SDP 'userid' Attribute
The IANA has registered the following SDP att-field under the Session
Description Protocol (SDP) Parameters registry:
Contact name: iesg@ietf.org
Attribute name: userid
Long-form attribute name: User Identifier
Type of attribute: Media level
Subject to charset: No
Purpose of attribute: The 'userid' attribute carries the
integer representation of a User ID.
Allowed attribute values: A token
16.5. Registration of the SDP 'floorid' Attribute
The IANA has registered the following SDP att-field under the Session
Description Protocol (SDP) Parameters registry:
Contact name: iesg@ietf.org
Attribute name: floorid
Camarillo, et al. Expires October 12, 2018 [Page 17]
Internet-Draft BFCP April 2018
Long-form attribute name: Floor Identifier
Type of attribute: Media level
Subject to charset: No
Purpose of attribute: The 'floorid' attribute associates a
floor with one or more media streams.
Allowed attribute values: Tokens
16.6. Registration of the SDP 'bfcpver' Attribute
The IANA has registered the following SDP att-field under the Session
Description Protocol (SDP) Parameters registry:
Contact name: iesg@ietf.org
Attribute name: bfcpver
Long-form attribute name: BFCP Version
Type of attribute: Media level
Subject to charset: No
Purpose of attribute: The 'bfcpver' attribute lists supported
BFCP versions.
Allowed attribute values: Tokens
17. Changes from RFC 4583
Following is the list of technical changes and other fixes from [16].
Main purpose of this work was to add signaling support necessary to
support BFCP over unreliable transport, as described in [7],
resulting in the following changes:
1. Fields in the 'm' line (Section 3):
The section is re-written to remove reference to the exclusivity
of TCP as a transport for BFCP streams. The proto field values
TCP/DTLS/BFCP, UDP/BFCP and UDP/TLS/BFCP added.
2. Authentication (Section 11):
In last paragraph, made clear that a TCP connection was
described.
Camarillo, et al. Expires October 12, 2018 [Page 18]
Internet-Draft BFCP April 2018
3. Security Considerations (Section 15):
For the DTLS over UDP case, mention existing considerations and
requirements for the offer/answer exchange in [14].
4. Registration of SDP 'proto' Values (Section 16.1):
Register the three new values TCP/DTLS/BFCP, UDP/BFCP and
UDP/TLS/BFCP in the SDP parameters registry.
5. BFCP Version Negotiation (Section 8):
A new 'bfcpver' SDP media-level attribute is added in order to
signal supported version number.
Clarification and bug fixes:
1. Errata ID: 712 (Section 4 and Section 13):
Language clarification. Don't use terms like an SDP attribute is
"used in an 'm' line", instead make clear that the attribute is a
media-level attribute.
2. Fix typo in example (Section 14):
Do not use 'm-stream' in the SDP example, use the correct 'mstrm'
as specified in Section 14. Recommend interpreting 'm-stream' if
it is received, since it is present in some implementations.
3. Assorted clarifications (Across the document):
Language clarifications as a result of reviews. Also, the
normative language where tightened where appropriate, i.e.
changed from SHOULD strength to MUST in a number of places.
18. Acknowledgements
Joerg Ott, Keith Drage, Alan Johnston, Eric Rescorla, Roni Even, and
Oscar Novo provided useful ideas for the original [16]. The authors
also acknowledge contributions to the revision of BFCP for use over
an unreliable transport from Geir Arne Sandbakken, Charles Eckel,
Alan Ford, Eoin McLeod and Mark Thompson. Useful and important final
reviews were done by Ali C. Begen, Mary Barnes and Charles Eckel.
In the final stages, Roman Shpount made a considerable effort in
adding proper ICE support and considerations.
19. References
19.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
editor.org/info/rfc2119>.
Camarillo, et al. Expires October 12, 2018 [Page 19]
Internet-Draft BFCP April 2018
[2] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234,
DOI 10.17487/RFC5234, January 2008, <https://www.rfc-
editor.org/info/rfc5234>.
[3] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
DOI 10.17487/RFC3261, June 2002, <https://www.rfc-
editor.org/info/rfc3261>.
[4] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model
with Session Description Protocol (SDP)", RFC 3264,
DOI 10.17487/RFC3264, June 2002, <https://www.rfc-
editor.org/info/rfc3264>.
[5] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet
Mail Extensions (S/MIME) Version 3.2 Certificate
Handling", RFC 5750, DOI 10.17487/RFC5750, January 2010,
<https://www.rfc-editor.org/info/rfc5750>.
[6] Yon, D. and G. Camarillo, "TCP-Based Media Transport in
the Session Description Protocol (SDP)", RFC 4145,
DOI 10.17487/RFC4145, September 2005, <https://www.rfc-
editor.org/info/rfc4145>.
[7] Camarillo, G., Drage, K., Kristensen, T., Ott, J., and C.
Eckel, "The Binary Floor Control Protocol (BFCP)", draft-
ietf-bfcpbis-rfc4582bis-16 (work in progress), November
2015.
[8] Levin, O. and G. Camarillo, "The Session Description
Protocol (SDP) Label Attribute", RFC 4574,
DOI 10.17487/RFC4574, August 2006, <https://www.rfc-
editor.org/info/rfc4574>.
[9] Lennox, J. and C. Holmberg, "Connection-Oriented Media
Transport over the Transport Layer Security (TLS) Protocol
in the Session Description Protocol (SDP)", RFC 8122,
DOI 10.17487/RFC8122, March 2017, <https://www.rfc-
editor.org/info/rfc8122>.
[10] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
Description Protocol", RFC 4566, DOI 10.17487/RFC4566,
July 2006, <https://www.rfc-editor.org/info/rfc4566>.
Camarillo, et al. Expires October 12, 2018 [Page 20]
Internet-Draft BFCP April 2018
[11] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
January 2012, <https://www.rfc-editor.org/info/rfc6347>.
[12] Lazzaro, J., "Framing Real-time Transport Protocol (RTP)
and RTP Control Protocol (RTCP) Packets over Connection-
Oriented Transport", RFC 4571, DOI 10.17487/RFC4571, July
2006, <https://www.rfc-editor.org/info/rfc4571>.
[13] Rosenberg, J., Keranen, A., Lowekamp, B., and A. Roach,
"TCP Candidates with Interactive Connectivity
Establishment (ICE)", RFC 6544, DOI 10.17487/RFC6544,
March 2012, <https://www.rfc-editor.org/info/rfc6544>.
[14] Holmberg, C. and R. Shpount, "Session Description Protocol
(SDP) Offer/Answer Considerations for Datagram Transport
Layer Security (DTLS) and Transport Layer Security (TLS)",
draft-ietf-mmusic-dtls-sdp-32 (work in progress), October
2017.
[15] Camarillo, G., Ott, J., and K. Drage, "The Binary Floor
Control Protocol (BFCP)", RFC 4582, DOI 10.17487/RFC4582,
November 2006, <https://www.rfc-editor.org/info/rfc4582>.
[16] Camarillo, G., "Session Description Protocol (SDP) Format
for Binary Floor Control Protocol (BFCP) Streams",
RFC 4583, DOI 10.17487/RFC4583, November 2006,
<https://www.rfc-editor.org/info/rfc4583>.
[17] Keranen, A., Holmberg, C., and J. Rosenberg, "Interactive
Connectivity Establishment (ICE): A Protocol for Network
Address Translator (NAT) Traversal", draft-ietf-ice-
rfc5245bis-20 (work in progress), March 2018.
[18] Petit-Huguenin, M., Nandakumar, S., and A. Keranen,
"Session Description Protocol (SDP) Offer/Answer
procedures for Interactive Connectivity Establishment
(ICE)", draft-ietf-mmusic-ice-sip-sdp-20 (work in
progress), April 2018.
19.2. Informational References
[19] Lennox, J., Ott, J., and T. Schierl, "Source-Specific
Media Attributes in the Session Description Protocol
(SDP)", RFC 5576, DOI 10.17487/RFC5576, June 2009,
<https://www.rfc-editor.org/info/rfc5576>.
Camarillo, et al. Expires October 12, 2018 [Page 21]
Note: There are various features/facilities that UA implementations
may employ in order to mitigate this vulnerability. Please
see Section 11 "User Agent Implementation Advice".
14.5. Network Time Attacks
Active network attacks can subvert network time protocols (such as
NTP) - making HSTS less effective against clients that trust NTP or
lack a real time clock. Network time attacks are beyond the scope of
this specification. Note that modern operating systems use NTP by
default. See also section 2.10 of [RFC4732].
14.6. Bogus Root CA Certificate Phish plus DNS Cache Poisoning Attack
If an attacker can convince users of, say, https://bank.example.com
(which is protected by HSTS Policy), to install their own version of
a root CA certificate purporting to be bank.example.com's CA, e.g.,
via a phishing email message with a link to such a certificate.
Then, if they can perform an attack on the users' DNS, (e.g., via
cache poisoning) and turn on HSTS Policy for their fake
bank.example.com site, then they have themselves some new users.
14.7. Creative Manipulation of HSTS Policy Store
Since an HSTS Host may select its own host name and subdomains
thereof, and this information is cached in the HSTS Policy store of
conforming UAs, it is possible for those who control a HSTS Host(s)
to encode information into domain names they control and cause such
UAs to cache this information as a matter of course in the process of
noting the HSTS Host. This information can be retrieved by other
hosts through clever loaded page construction causing the UA to send
queries to (variations of) the encoded domain names. Such queries
can reveal whether the UA had prior visited the original HSTS Host
(and subdomains).
Such a technique could potentially be abused as yet another form of
"web tracking" [WebTracking].
14.8. Internationalized Domain Names
Internet security relies in part on the DNS and the domain names it
hosts. Domain names are used by users to identify and connect to
Internet hosts and other network resources. For example, Internet
security is compromised if a user entering an internationalized
domain name (IDN) is connected to different hosts based on different
interpretations of the IDN.
The processing models specified in this specification assume that the
Hodges, et al. Expires September 13, 2012 [Page 30]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
domain names they manipulate are IDNA-canonicalized, and that the
canonicalization process correctly performed all appropriate IDNA and
Unicode validations and character list testing per the requisite
specifications (e.g., as noted in Section 9 "Domain Name IDNA-
Canonicalization"). These steps are necessary in order to avoid
various potentially compromising situations.
In brief, some examples of issues that could stem from lack of
careful and consistent Unicode and IDNA validations are things such
as unexpected processing exceptions, truncation errors, and buffer
overflows, as well as false-positive and/or false-negative domain
name matching results. Any of the foregoing issues could possibly be
leveraged by attackers in various ways.
Additionally, IDNA2008 [RFC5890] differs from IDNA2003 [RFC3490] in
terms of disallowed characters and character mapping conventions.
This situation can also lead to false-positive and/or false-negative
domain name matching results, resulting in, for example, users
possibly communicating with unintended hosts, or not being able to
reach intended hosts.
For details, refer to the Security Considerations sections of
[RFC5890], [RFC5891], and [RFC3490], as well as the specifications
they normatively reference. Additionally, [RFC5894] provides
detailed background and rationale for IDNA2008 in particular, as well
as IDNA and its issues in general, and should be consulted in
conjunction with the former specifications.
15. IANA Considerations
Below is the Internet Assigned Numbers Authority (IANA) Provisional
Message Header Field registration information per [RFC3864].
Header field name: Strict-Transport-Security
Applicable protocol: HTTP
Status: provisional
Author/Change controller: TBD
Specification document(s): this one
16. References
16.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
Hodges, et al. Expires September 13, 2012 [Page 31]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
[RFC2560] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C.
Adams, "X.509 Internet Public Key Infrastructure Online
Certificate Status Protocol - OCSP", RFC 2560, June 1999.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
"Internationalizing Domain Names in Applications (IDNA)",
RFC 3490, March 2003.
This specification is referenced due to its ongoing
relevance to actual deployments for the forseeable future.
[RFC3492] Costello, A., "Punycode: A Bootstring encoding of Unicode
for Internationalized Domain Names in Applications
(IDNA)", RFC 3492, March 2003.
This specification is referenced due to its ongoing
relevance to actual deployments for the forseeable future.
[RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration
Procedures for Message Header Fields", BCP 90, RFC 3864,
September 2004.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, January 2005.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008.
[RFC5890] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework",
RFC 5890, August 2010.
[RFC5891] Klensin, J., "Internationalized Domain Names in
Applications (IDNA): Protocol", RFC 5891, August 2010.
[RFC5894] Klensin, J., "Internationalized Domain Names for
Hodges, et al. Expires September 13, 2012 [Page 32]
Internet-Draft HTTP Strict Transport Security (HSTS) March 2012
Applications (IDNA): Background, Explanation, and
Rationale", RFC 5894, August 2010.
[RFC5895] Resnick, P. and P. Hoffman, "Mapping Characters for
Internationalized Domain Names in Applications (IDNA)
2008", RFC 5895, September 2010.
[UTS46] Davis, M. and M. Suignard, "Unicode IDNA Compatibility
Processing", Unicode Technical Standards # 46, 2010,
<http://unicode.org/reports/tr46/>.
[Unicode6]
The Unicode Consortium, "The Unicode Standard, Version 6.0
- Core Specification", Unicode 6.0.0, Mountain View, CA,
The Unicode Consortium ISBN 978-1-936213-01-6, 2011,
<http://www.unicode.org/versions/Unicode6.0.0/>.
16.2. Informative References
[Aircrack-ng]
d'Otreppe, T., "Aircrack-ng", Accessed: 11-Jul-2010,
<http://www.aircrack-ng.org/>.
[BeckTews09]
Beck, M. and E. Tews, "Practical Attacks Against WEP and
WPA", Second ACM Conference on Wireless Network
Security Zurich, Switzerland, 2009, <http://
wirelesscenter.dk/Crypt/wifi-security-attacks/
Practical%20Attacks%20Against%20WEP%20and%20WPA.pdf>.
[CWE-113] "CWE-113: Improper Neutralization of CRLF Sequences in
HTTP Headers ('HTTP Response Splitting')", Common Weakness
Enumeration <http://cwe.mitre.org/>, The Mitre
Corporation <http://www.mitre.org/>,
<http://cwe.mitre.org/data/definitions/113.html>.
[Firesheep]
Various, "Firesheep", Wikipedia Online, on-going,
<https://secure.wikimedia.org/wikipedia/en/wiki/
Firesheep>.
[ForceHTTPS]
Jackson, C. and A. Barth, "ForceHTTPS: Protecting High-
Security Web Sites from Network Attacks", In Proceedings
of the 17th International World Wide Web Conference
(WWW2008) , 2008,
<https://crypto.stanford.edu/forcehttps/>.
Internet-Draft BFCP April 2018
[20] Holmberg, C., Alvestrand, H., and C. Jennings,
"Negotiating Media Multiplexing Using the Session
Description Protocol (SDP)", draft-ietf-mmusic-sdp-bundle-
negotiation-49 (work in progress), March 2018.
[21] Nandakumar, S., "A Framework for SDP Attributes when
Multiplexing", draft-ietf-mmusic-sdp-mux-attributes-17
(work in progress), February 2018.
Authors' Addresses
Gonzalo Camarillo
Ericsson
Hirsalantie 11
FI-02420 Jorvas
Finland
Email: Gonzalo.Camarillo@ericsson.com
Tom Kristensen
Cisco
Philip Pedersens vei 1
NO-1366 Lysaker
Norway
Email: tomkrist@cisco.com, tomkri@ifi.uio.no
Christer Holmberg
Ericsson
Hirsalantie 11
Jorvas 02420
Finland
Email: christer.holmberg@ericsson.com
Camarillo, et al. Expires October 12, 2018 [Page 22]
Hodges, et al. Expires September 13, 2012 [Page 33]