HSTS Fingerprinting.

A year or two ago, +John Wilander <wilander@apple.com> and others at Apple
proposed some changes to HSTS in
https://webkit.org/blog/8146/protecting-against-hsts-abuse/ that went some
way towards mitigating the abuses documented in Section 14.9 of RFC6797
<https://tools.ietf.org/html/rfc6797#section-14.9>. Given some shifts in
the way we're thinking about some other concepts, I've written up a short
proposal at https://github.com/mikewest/strict-navigation-security that
builds upon and simplifies Apple's proposal. We discussed it briefly at
yesterday's webappsec meeting
<https://github.com/w3c/webappsec/blob/master/meetings/2019/2019-09-TPAC-minutes.md#hsts-fingerprinting>,
and there seems to be interest in doing something in this space.

+Mark Nottingham <mnot@mnot.net> and +Jeff Hodges <jdhodges@google.com>
suggested that I loop this group into that conversation, as the original
websec group
has disbanded. Is it a topic this group would like to pick up? If not,
would y'all be comfortable with us defining some web browser behavior/Fetch
integration in webappsec that constrains the existing RFC?

Thanks!

-mike

Received on Wednesday, 18 September 2019 01:10:54 UTC