WEBSEC Working Group | J. Hodges |
Internet-Draft | PayPal |
Intended status: Standards Track | C. Jackson |
Expires: October 31, 2012 | Carnegie Mellon University |
A. Barth | |
Google, Inc. | |
May 2012 |
HTTP Strict Transport Security (HSTS)
draft-ietf-websec-strict-transport-sec-07
This specification defines a mechanism enabling Web sites to declare themselves accessible only via secure connections, and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. This overall policy is referred to as HTTP Strict Transport Security (HSTS). The policy is declared by Web sites via the Strict-Transport-Security HTTP response header field, and/or by other means, such as user agent configuration, for example.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 31, 2012.
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The HTTP protocol [RFC2616] may be used over various transports, typically the Transmission Control Protocol (TCP). However, TCP does not provide channel integrity protection, confidentiality, nor secure host identification. Thus the Secure Sockets Layer (SSL) protocol [RFC6101] and its successor Transport Layer Security (TLS) [RFC5246], were developed in order to provide channel-oriented security, and are typically layered between application protocols and TCP. [RFC2818] specifies how HTTP is layered onto TLS, and defines the Uniform Resource Identifier (URI) scheme of "https" (in practice however, HTTP user agents (UAs) typically offer their users choices among SSL2, SSL3, and TLS for secure transport).
UAs employ various local security policies with respect to the characteristics of their interactions with web resources depending on (in part) whether they are communicating with a given web resource's host using HTTP or HTTP-over-a-Secure-Transport. For example, cookies ([RFC6265]) may be flagged as Secure. UAs are to send such Secure cookies to their addressed host only over a secure transport. This is in contrast to non-Secure cookies, which are returned to the host regardless of transport (although subject to other rules).
UAs typically announce to their users any issues with secure connection establishment, such as being unable to validate a TLS server certificate trust chain, or if a TLS server certificate is expired, or if a TLS host's domain name appears incorrectly in the TLS server certificate (see Section 3.1 of [RFC2818]). Often, UAs enable users to elect to continue to interact with a web resource's host in the face of such issues. This behavior is sometimes referred to as "click(ing) through" security [GoodDhamijaEtAl05] [SunshineEgelmanEtAl09], and thus can be described as "click-through insecurity".
A key vulnerability enabled by click-through insecurity is the leaking of any cookies the web resource may be using to manage a user's session. The threat here is that an attacker could obtain the cookies and then interact with the legitimate web resource while impersonating the user.
Jackson and Barth proposed an approach, in [ForceHTTPS], to enable web resources to declare that any interactions by UAs with the web resource must be conducted securely, and that any issues with establishing a secure transport session are to be treated as fatal and without direct user recourse. The aim is to prevent click-through insecurity, and address other potential threats.
This specification embodies and refines the approach proposed in [ForceHTTPS]. For example, rather than using a cookie to convey policy from a web resource's host to a UA, it defines an HTTP response header field for this purpose. Additionally, a web resource's host may declare its policy to apply to the entire domain name subtree rooted at its host name. This enables HSTS to protect so-called "domain cookies", which are applied to all subdomains of a given web resource's host name.
This specification also incorporates notions from [JacksonBarth2008] in that policy is applied on an "entire-host" basis: it applies to HTTP (only) over any TCP port of the issuing host.
Note that the policy defined by this specification is distinctly different than the "same-origin policy" defined in "The Web Origin Concept" [RFC6454]. These differences are summarized below in Appendix Appendix B.
This specification begins with an overview of the use cases, policy effects, threat models, and requirements for HSTS (in Section 2). Then, Section 3 defines conformance requirements. The HSTS mechanism itself is formally specified in Section 4 through Section 15.
This section discusses the use cases, summarizes the HTTP Strict Transport Security (HSTS) policy, and continues with a discussion of the threat model, non-addressed threats, and derived requirements.
The high-level use case is a combination of:
The effects of the HTTP Strict Transport Security (HSTS) Policy, as applied by a conformant UA in interactions with a web resource host wielding such policy (known as a HSTS Host), are summarized as follows:
HSTS is concerned with three threat classes: passive network attackers, active network attackers, and imperfect web developers. However, it is explicitly not a remedy for two other classes of threats: phishing and malware. Addressed and not addressed threats are briefly discussed below. Readers may wish refer to [ForceHTTPS] for details as well as relevant citations.
When a user browses the web on a local wireless network (e.g., an 802.11-based wireless local area network) a nearby attacker can possibly eavesdrop on the user's unencrypted Internet Protocol-based connections, such as HTTP, regardless of whether or not the local wireless network itself is secured [BeckTews09]. Freely available wireless sniffing toolkits (e.g., [Aircrack-ng]) enable such passive eavesdropping attacks, even if the local wireless network is operating in a secure fashion. A passive network attacker using such tools can steal session identifiers/cookies and hijack the user's web session(s), by obtaining cookies containing authentication credentials [ForceHTTPS]. For example, there exist widely-available tools, such as Firesheep (a Firefox extension) [Firesheep], which enable their wielder to obtain other local users' session cookies for various web applications.
To mitigate such threats, some Web sites support, but usually do not force, access using end-to-end secure transport -- e.g., signaled through URIs constructed with the "https" scheme [RFC2818]. This can lead users to believe that accessing such services using secure transport protects them from passive network attackers. Unfortunately, this is often not the case in real-world deployments as session identifiers are often stored in non-Secure cookies to permit interoperability with versions of the service offered over insecure transport ("Secure cookies" are those cookies containing the "Secure" attribute [RFC6265]). For example, if the session identifier for a web site (an email service, say) is stored in a non-Secure cookie, it permits an attacker to hijack the user's session if the user's UA makes a single insecure HTTP request to the site.
A determined attacker can mount an active attack, either by impersonating a user's DNS server or, in a wireless network, by spoofing network frames or offering a similarly-named evil twin access point. If the user is behind a wireless home router, an attacker can attempt to reconfigure the router using default passwords and other vulnerabilities. Some sites, such as banks, rely on end-to-end secure transport to protect themselves and their users from such active attackers. Unfortunately, browsers allow their users to easily opt-out of these protections in order to be usable for sites that incorrectly deploy secure transport, for example by generating and self-signing their own certificates (without also distributing their CA certificate to their users' browsers).
The security of an otherwise uniformly secure site (i.e. all of its content is materialized via "https" URIs), can be compromised completely by an active attacker exploiting a simple mistake, such as the loading of a cascading style sheet or a SWF movie over an insecure connection (both cascading style sheets and SWF movies can script the embedding page, to the surprise of many web developers, plus some browsers do not issue so-called "mixed content warnings" when SWF files are embedded via insecure connections). Even if the site's developers carefully scrutinize their login page for "mixed content", a single insecure embedding anywhere on the overall site compromises the security of their login page because an attacker can script (i.e., control) the login page by injecting script into another, insecurely loaded, site page.
Phishing attacks occur when an attacker solicits authentication credentials from the user by hosting a fake site located on a different domain than the real site, perhaps driving traffic to the fake site by sending a link in an email message. Phishing attacks can be very effective because users find it difficult to distinguish the real site from a fake site. HSTS is not a defense against phishing per se; rather, it complements many existing phishing defenses by instructing the browser to protect session integrity and long-lived authentication tokens [ForceHTTPS].
Because HSTS is implemented as a browser security mechanism, it relies on the trustworthiness of the user's system to protect the session. Malicious code executing on the user's system can compromise a browser session, regardless of whether HSTS is used.
This section identifies and enumerates various requirements derived from the use cases and the threats discussed above, and lists the detailed core requirements HTTP Strict Transport Security addresses, as well as ancillary requirements that are not directly addressed.
These core requirements are derived from the overall requirement, and are addressed by this specification.
These ancillary requirements are also derived from the overall requirement. They are not normatively addressed in this specification, but could be met by UA implementations at their implementor's discretion, although meeting these requirements may be complex.
This specification is written for hosts and user agents (UAs).
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
A conformant host is one that implements all the requirements listed in this specification that are applicable to hosts.
A conformant user agent is one that implements all the requirements listed in this specification that are applicable to user agents.
Terminology is defined in this section.
This section provides an overview of the mechanism by which an HSTS Host conveys its HSTS Policy to UAs, and how UAs process the HSTS Policies received from HSTS Hosts. The mechanism details are specified in Section 6 through Section 15.
An HSTS Host conveys its HSTS Policy to UAs via the Strict-Transport-Security HTTP response header field over secure transport (e.g., TLS). Receipt of this header field signals to UAs to enforce the HSTS Policy for all subsequent connections made to the HSTS Host, for a specified time duration. Application of the HSTS Policy to subdomains of the HSTS Host name may optionally be specified.
HSTS Hosts manage their advertised HSTS Policies by sending Strict-Transport-Security HTTP response header fields to UAs with new values for policy time duration and application to subdomains. UAs cache the "freshest" HSTS Policy information on behalf of an HSTS Host. Specifying a zero time duration signals to the UA to delete the HSTS policy for that HSTS host.
Section 6.2 presents examples of Strict-Transport-Security HTTP response header fields.
This section defines the syntax of the Strict-Transport-Security HTTP response header field and its directives, and presents some examples.
Section 7 "Server Processing Model" then details how hosts employ this header field to declare their HSTS Policy, and Section 8 "User Agent Processing Model" details how user agents process the header field and apply the HSTS Policy.
The Strict-Transport-Security HTTP response header field (STS header field) indicates to a UA that it MUST enforce the HSTS Policy in regards to the host emitting the response message containing this header field.
The ABNF syntax for the STS header field is given below. It is based on the Generic Grammar defined in Section 2 of [RFC2616] (which includes a notion of "implied linear whitespace", also known as "implied *LWS").
Strict-Transport-Security = "Strict-Transport-Security" ":" [ directive ] *( ";" [ directive ] ) directive = token [ "=" ( token | quoted-string ) ]
where:
token = <token, defined in [RFC2616], Section 2.2> quoted-string = <quoted-string, defined in [RFC2616], Section 2.2>
The two directives defined in this specification are described below. The overall requirements for directives are:
Additional directives extending the semantic functionality of the STS header field can be defined in other specifications (which "update" this specification).
The REQUIRED "max-age" directive specifies the number of seconds, after the reception of the STS header field, during which the UA regards the host (from whom the message was received) as a Known HSTS Host. See also Section 8.1.1 "Noting a HSTS Host". The delta-seconds production is specified in [RFC2616].
max-age-value = delta-seconds delta-seconds = <1*DIGIT, defined in [RFC2616], Section 3.3.2>
The syntax of the max-age directive's value (after quoted-string unescaping, if necessary) is defined as:
The OPTIONAL "includeSubDomains" directive is a valueless flag which, if present, signals to the UA that the HSTS Policy applies to this HSTS Host as well as any subdomains of the host's domain name.
Strict-Transport-Security: max-age=31536000
The below HSTS header field stipulates that the HSTS policy is to remain in effect for one year (there are approximately 31 536 000 seconds in a year), and the policy applies only to the domain of the HSTS Host issuing it:
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
The below HSTS header field stipulates that the HSTS policy is to remain in effect for approximately six months and the policy applies only to the domain of the issuing HSTS Host and all of its subdomains:
Strict-Transport-Security: max-age="31536000"
The max-age directive value can optionally be quoted:
This section describes the processing model that HSTS Hosts implement. The model is comprised of two facets: the first being the processing rules for HTTP request messages received over a secure transport (e.g., TLS [RFC5246], SSL [I-D.ietf-tls-ssl-version3], or perhaps others), the second being the processing rules for HTTP request messages received over non-secure transports, i.e. over TCP/IP.
When replying to an HTTP request that was conveyed over a secure transport, a HSTS Host SHOULD include in its response message a STS header field that MUST satisfy the grammar specified above in Section 6.1 "Strict-Transport-Security HTTP Response Header Field". If a STS header field is included, the HSTS Host MUST include only one such header field.
If a HSTS Host receives a HTTP request message over a non-secure transport, it SHOULD send a HTTP response message containing a status code indicating a permanent redirect, such as status code 301 (Section 10.3.2 of [RFC2616]), and a Location header field value containing either the HTTP request's original Effective Request URI (see Section 12 "Constructing an Effective Request URI") altered as necessary to have a URI scheme of "https", or a URI generated according to local policy (which SHOULD employ a URI scheme of "https").
A HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.
This section describes the HTTP Strict Transport Security processing model for UAs. There are several facets to the model, enumerated by the following subsections.
This processing model assumes that the UA implements IDNA2008 [RFC5890], or possibly IDNA2003 [RFC3490], as noted in Section 13 "Internationalized Domain Names for Applications (IDNA): Dependency and Migration". It also assumes that all domain names manipulated in this specification's context are already IDNA-canonicalized as outlined in Section 9 "Domain Name IDNA-Canonicalization" prior to the processing specified in this section.
The above assumptions mean that this processing model also specifically assumes that appropriate IDNA and Unicode validations and character list testing have occurred on the domain names, in conjunction with their IDNA-canonicalization, prior to the processing specified in this section. See the IDNA-specific security considerations in Section 14.8 "Internationalized Domain Names" for rationale and further details.
If an HTTP response, received over a secure transport, includes a STS header field, conforming to the grammar specified in Section 6.1 "Strict-Transport-Security HTTP Response Header Field", and there are no underlying secure transport errors or warnings (see Section 8.4), the UA MUST either:
or,
Otherwise:
If the substring matching the host production from the Request-URI (of the message that the host responded to) syntactically matches the IP-literal or IPv4address productions from Section 3.2.2 of [RFC3986], then the UA MUST NOT note this host as a Known HSTS Host.
Otherwise, if the substring does not congruently match a Known HSTS Host's domain name, per the matching procedure specified in Section 8.2 "Known HSTS Host Domain Name Matching", then the UA MUST note this host as a Known HSTS Host, caching the HSTS Host's domain name and noting along with it the expiry time of this information, as effectively stipulated per the given max-age value, as well as whether the includeSubDomains flag is asserted or not. See also Section 10.1 "HSTS Policy expiration time considerations".
A given domain name may match a Known HSTS Host's domain name in one or both of two fashions: a congruent match, or a superdomain match. Or, there may be no match.
The below steps determine whether there are any matches, and if so, of which fashion:
Given Domain Name: qaz.bar.foo.example.com Superdomain matched Known HSTS Host DN: bar.foo.example.com Superdomain matched Known HSTS Host DN: foo.example.com
Given Domain Name: foo.example.com Congruently matched Known HSTS Host DN: foo.example.com
Whenever the UA prepares to "load", also known as "dereference", any "http" URI [RFC3986], the UA MUST first determine whether a domain name is given in the URI and whether it matches a Known HSTS Host, using these steps:
If a superdomain match with an asserted includeSubDomains flag is found, or if a congruent match is found -- without any found superdomain matches having asserted includeSubDomains flags -- then before proceeding with the load:
When connecting to a Known HSTS Host, the UA MUST terminate the connection (see also Section 11 "User Agent Implementation Advice") if there are any errors (e.g., certificate errors), whether "warning" or "fatal" or any other error level, with the underlying secure transport. This includes any issues with certificate revocation checking whether via the Certificate Revocation List (CRL) [RFC5280], or via the Online Certificate Status Protocol (OCSP) [RFC2560].
UAs MUST NOT heed http-equiv="Strict-Transport-Security" attribute settings on <meta> elements [W3C.REC-html401-19991224] in received content.
If a UA receives HTTP responses from a Known HSTS Host over a secure channel, but they are missing the STS header field, the UA MUST continue to treat the host as a Known HSTS Host until the max-age value for the knowledge of that Known HSTS Host is reached. Note that the max-age could be infinite for a given Known HSTS Host. For example, if the Known HSTS Host is part of a pre-configured list that is implemented such that the list entries never "age out".
An IDNA-canonicalized domain name is the output string generated by the following steps. The input is a putative domain name string ostensibly composed of any combination of "A-labels", "U-labels", and "NR-LDH labels" (see Section 2 of [RFC5890]) concatenated using some separator character (typically ".").
Section 13 "Internationalized Domain Names for Applications (IDNA): Dependency and Migration" and Section 14.8 "Internationalized Domain Names" of this specification for further details and considerations.
See also
This section is non-normative.
Server implementations and deploying web sites need to consider whether they are setting an expiry time that is a constant value into the future, or whether they are setting an expiry time that is a fixed point in time.
The constant value into the future approach can be accomplished by constantly sending the same max-age value to UAs.
Strict-Transport-Security: max-age=778000
For example, a max-age value of 778000 is 90 days:
The fixed point in time approach can be accomplished by sending max-age values that represent the remaining time until the desired expiry time. This would require the HSTS Host to send a newly-calculated max-age value on each HTTP response.
A consideration here is whether a deployer wishes to have the signaled HSTS Policy expiry time match that for the web site's domain certificate.
Additionally, server implementers should consider employing a default max-age value of zero in their deployment configuration systems. This will require deployers to wilfully set max-age in order to have UAs enforce the HSTS Policy for their host, and protects them from inadvertently enabling HSTS with some arbitrary non-zero duration.
If a web site/organization/enterprise is generating their own secure transport public-key certificates for web sites, and that organization's root certification authority (CA) certificate is not typically embedded by default in browser and/or operating system CA certificate stores, and if HSTS Policy is enabled on a host identifying itself using a certificate signed by the organization's CA (i.e., a "self-signed certificate"), and this certificate does not match a usable TLS certificate association (as defined by Section 4 of the TLSA protocol specification [I-D.ietf-dane-protocol]), then secure connections to that site will fail, per the HSTS design. This is to protect against various active attacks, as discussed above.
However, if said organization wishes to employ their own CA, and self-signed certificates, in concert with HSTS, they can do so by deploying their root CA certificate to their users' browsers or operating system CA root certificate stores. They can also, in addition or instead, distribute to their users' browsers the end-entity certificate(s) for specific hosts. There are various ways in which this can be accomplished (details are out of scope for this specification). Once their root CA certificate is installed in the browsers, they may employ HSTS Policy on their site(s).
Alternately, that organization can deploy the TLSA protocol; all browsers that also use TLSA will then be able to trust the certificates identified by usable TLS certificate associations as denoted via TLSA.
The includeSubDomains directive has some practical implications -- for example, if a HSTS Host offers HTTP-based services on various ports or at various subdomains of its host domain name, then they will all have to be available over secure transport in order to work properly.
For example, certification authorities often offer their CRL distribution and OCSP services [RFC2560] over plain HTTP, and sometimes at a subdomain of a publicly-available web application which may be secured by TLS/SSL. For example, <https://example-ca.com/> is a publicly-available web application for "Example CA", a certification authority. Customers use this web application to register their public keys and obtain certificates. Example CA generates certificates for customers containing <http://crl-and-ocsp.example-ca.com/> as the value for the "CRL Distribution Points" and "Authority Information Access:OCSP" certificate fields.
If example-ca.com were to issue an HSTS Policy with the includeSubDomains directive, then HTTP-based user agents implementing HSTS, and that have interacted with the example-ca.com web application, would fail to retrieve CRLs and fail to check OCSP for certificates because these services are offered over plain HTTP.
In this case, Example CA can either:
This section is non-normative.
In order to provide users and web sites more effective protection, as well as controls for managing their UA's caching of HSTS Policy, UA implementors should consider including features such as:
Failing secure connection establishment on any warnings or errors (per Section 8.4 "Errors in Secure Transport Establishment"), should be done with "no user recourse". This means that the user should not be presented with a dialog giving her the option to proceed. Rather, it should be treated similarly to a server error where there is nothing further the user can do with respect to interacting with the target web application, other than wait and re-try.
Essentially, "any warnings or errors" means anything that would cause the UA implementation to announce to the user that something is not entirely correct with the connection establishment.
Not doing this, i.e., allowing user recourse such as "clicking-through warning/error dialogs", is a recipe for a Man-in-the-Middle attack. If a web application advertises HSTS, then it is opting into this scheme, whereby all certificate errors or warnings cause a connection termination, with no chance to "fool" the user into making the wrong decision and compromising themselves.
A User-declared HSTS Policy is the ability for users to explicitly declare a given Domain Name as representing a HSTS Host, thus seeding it as a Known HSTS Host before any actual interaction with it. This would help protect against the Section 14.4 "Bootstrap MITM Vulnerability".
A HSTS Pre-Loaded List is a facility whereby web site administrators can have UAs pre-configured with HSTS Policy for their site(s) by the UA vendor(s) -- a so-called "pre-loaded list" -- in a manner similar to how root CA certificates are embedded in browsers "at the factory". This would help protect against the Section 14.4 "Bootstrap MITM Vulnerability".
"Mixed security context" loads are when an web application resource, fetched by the UA over a secure transport, subsequently fetches and loads one or more other resources without using secure transport. This is also generally referred to as "mixed content" loads (see Section 5.3 "Mixed Content" in [W3C.REC-wsc-ui-20100812]), but should not be confused with the same "mixed content" term that is also used in the context of markup languages such as XML and HTML.
HSTS Policy Deletion is the ability to delete a UA's cached HSTS Policy on a per HSTS Host basis.
This section specifies how an HSTS Host must construct the Effective Request URI for a received HTTP request.
HTTP requests often do not carry an absoluteURI for the target resource; instead, the URI needs to be inferred from the Request-URI, Host header field, and connection context ([RFC2616], Sections 3.2.1 and 5.1.2). The result of this process is called the "effective request URI (ERU)". The "target resource" is the resource identified by the effective request URI.
Request-Line = Method SP Request-URI SP HTTP-Version CRLF
Request-URI = "*" | absoluteURI | abs_path | authority
Host = "Host" ":" host [ ":" port ]
The first line of an HTTP request message, Request-Line, is specified by the following ABNF from [RFC2616], Section 5.1: [RFC2616], Section 5.1.2: [RFC2616], Section 14.23:
If the Request-URI is an absoluteURI, then the effective request URI is the Request-URI.
If the Request-URI uses the abs_path form or the asterisk form, and the Host header field is present, then the effective request URI is constructed by concatenating:
If the Request-URI uses the abs_path form or the asterisk form, and the Host header field is not present, then the effective request URI is undefined.
Otherwise, when Request-URI uses the authority form, the effective request URI is undefined.
Effective request URIs are compared using the rules described in [RFC2616] Section 3.2.3, except that empty path components MUST NOT be treated as equivalent to an absolute path of "/".
Example 1: the effective request URI for the message
GET /pub/WWW/TheProject.html HTTP/1.1 Host: www.example.org:8080
(received over an insecure TCP connection) is "http", plus "://", plus the authority component "www.example.org:8080", plus the request-target "/pub/WWW/TheProject.html". Thus it is: "http://www.example.org:8080/pub/WWW/TheProject.html".
Example 2: the effective request URI for the message
OPTIONS * HTTP/1.1 Host: www.example.org
(received over an SSL/TLS secured TCP connection) is "https", plus "://", plus the authority component "www.example.org". Thus it is: "https://www.example.org".
Textual domain names on the modern Internet may contain one or more "internationalized" domain name labels. Such domain names are referred to as "internationalized domain names" (IDNs). The specification suites defining IDNs and the protocols for their use are named "Internationalized Domain Names for Applications (IDNA)". At this time, there are two such specification suites: IDNA2008 [RFC5890] and its predecessor IDNA2003 [RFC3490].
IDNA2008 obsoletes IDNA2003, but there are differences between the two specifications, and thus there can be differences in processing (e.g., converting) domain name labels that have been registered under one from those registered under the other. There will be a transition period of some time during which IDNA2003-based domain name labels will exist in the wild. User agents SHOULD implement IDNA2008 [RFC5890] and MAY implement [RFC5895] (see also Section 7 of [RFC5894]) or [UTS46] in order to facilitate their IDNA transition. If a user agent does not implement IDNA2008, the user agent MUST implement IDNA2003.
The User Agent Processing Model defined in Section 8, stipulates that a host is initially noted as a Known HSTS Host, or that updates are made to a Known HSTS Host's cached information, only if the UA receives the STS header field over a secure transport connection having no underlying secure transport errors or warnings.
The rationale behind this is that if there is a man-in-the-middle (MITM) -- whether a legitimately deployed proxy or an illegitimate entity -- it could cause various mischief (see also Appendix Appendix A "Design Decision Notes", item [design-hsts-policy-no-sec-trans-errors], as well as Section 14.4 "Bootstrap MITM Vulnerability" ), for example:
However, this means that if a UA is "behind" a proxy -- within a corporate intranet, for example -- and interacts with an unknown HSTS Host beyond the proxy, the user will possibly be presented with the legacy secure connection error dialogs. And even if the risk is accepted and the user clicks-through, the host will not be noted as a HSTS Host. Thus as long as the UA is behind such a proxy the user will be vulnerable, and possibly be presented with the legacy secure connection error dialogs for as yet unknown HSTS Hosts.
But once the UA successfully connects to an unknown HSTS Host over error-free secure transport, the host will be noted as a Known HSTS Host. This will result in the failure of subsequent connection attempts from behind interfering proxies.
The above discussion relates to the recommendation in Section 11 "User Agent Implementation Advice" that the secure connection be terminated with "no user recourse" whenever there are warnings and errors and the host is a Known HSTS Host. Such a posture protects users from "clicking through" security warnings and putting themselves at risk.
Without the includeSubDomains directive, a web application would not be able to adequately protect so-called "domain cookies" (even if these cookies have their "Secure" flag set and thus are conveyed only on secure channels). These are cookies the web application expects UAs to return to any and all subdomains of the web application.
For example, suppose example.com represents the top-level DNS name for a web application. Further suppose that this cookie is set for the entire example.com domain, i.e. it is a "domain cookie", and it has its Secure flag set. Suppose example.com is a Known HSTS Host for this UA, but the includeSubDomains flag is not set.
Now, if an attacker causes the UA to request a subdomain name that is unlikely to already exist in the web application, such as "https://uxdhbpahpdsf.example.com/", but the attacker has established somewhere and registered in the DNS, then:
Without the "includeSubDomains" directive, HSTS is unable to protect such Secure-flagged domain cookies.
HSTS could be used to mount certain forms of Denial-of- Service (DoS) attacks against web sites. A DoS attack is an attack in which one or more network entities target a victim entity and attempt to prevent the victim from doing useful work. This section discusses such scenarios in terms of HSTS, though this list is not exhaustive. See also [RFC4732] for a discussion of overall Internet DoS considerations.
The bootstrap MITM (Man-In-The-Middle) vulnerability is a vulnerability users and HSTS Hosts encounter in the situation where the user manually enters, or follows a link, to an unknown HSTS Host using a "http" URI rather than a "https" URI. Because the UA uses an insecure channel in the initial attempt to interact with the specified server, such an initial interaction is vulnerable to various attacks [ForceHTTPS] .
Active network attacks can subvert network time protocols (such as NTP [RFC5905]) - making HSTS less effective against clients that trust NTP or lack a real time clock. Network time attacks are beyond the scope of this specification. Note that modern operating systems use NTP by default. See also Section 2.10 of [RFC4732].
If an attacker can convince users of, say, https://bank.example.com (which is protected by HSTS Policy), to install their own version of a root CA certificate purporting to be bank.example.com's CA, e.g., via a phishing email message with a link to such a certificate. Then, if they can perform an attack on the users' DNS, (e.g., via cache poisoning) and turn on HSTS Policy for their fake bank.example.com site, then they have themselves some new users.
Since an HSTS Host may select its own host name and subdomains thereof, and this information is cached in the HSTS Policy store of conforming UAs, it is possible for those who control a HSTS Host(s) to encode information into domain names they control and cause such UAs to cache this information as a matter of course in the process of noting the HSTS Host. This information can be retrieved by other hosts through clever loaded page construction causing the UA to send queries to (variations of) the encoded domain names. Such queries can reveal whether the UA had prior visited the original HSTS Host (and subdomains).
Such a technique could potentially be abused as yet another form of "web tracking" [WebTracking].
Internet security relies in part on the DNS and the domain names it hosts. Domain names are used by users to identify and connect to Internet hosts and other network resources. For example, Internet security is compromised if a user entering an internationalized domain name (IDN) is connected to different hosts based on different interpretations of the IDN.
The processing models specified in this specification assume that the domain names they manipulate are IDNA-canonicalized, and that the canonicalization process correctly performed all appropriate IDNA and Unicode validations and character list testing per the requisite specifications (e.g., as noted in Section 9 "Domain Name IDNA-Canonicalization"). These steps are necessary in order to avoid various potentially compromising situations.
In brief, some examples of issues that could stem from lack of careful and consistent Unicode and IDNA validations are things such as unexpected processing exceptions, truncation errors, and buffer overflows, as well as false-positive and/or false-negative domain name matching results. Any of the foregoing issues could possibly be leveraged by attackers in various ways.
Additionally, IDNA2008 [RFC5890] differs from IDNA2003 [RFC3490] in terms of disallowed characters and character mapping conventions. This situation can also lead to false-positive and/or false-negative domain name matching results, resulting in, for example, users possibly communicating with unintended hosts, or not being able to reach intended hosts.
For details, refer to the Security Considerations sections of [RFC5890], [RFC5891], and [RFC3490], as well as the specifications they normatively reference. Additionally, [RFC5894] provides detailed background and rationale for IDNA2008 in particular, as well as IDNA and its issues in general, and should be consulted in conjunction with the former specifications.
Below is the Internet Assigned Numbers Authority (IANA) Permanent Message Header Field registration information per [RFC3864].
Header field name: Strict-Transport-Security Applicable protocol: HTTP Status: standard Author/Change controller: IETF Specification document(s): this one
[RFC1035] | Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987. |
[RFC4732] | Handley, M., Rescorla, E., IAB, "Internet Denial-of-Service Considerations", RFC 4732, December 2006. |
[RFC4949] | Shirey, R., "Internet Security Glossary, Version 2", RFC 4949, August 2007. |
[RFC5905] | Mills, D., Martin, J., Burbank, J. and W. Kasch, "Network Time Protocol Version 4: Protocol and Algorithms Specification", RFC 5905, June 2010. |
[RFC6101] | Freier, A., Karlton, P. and P. Kocher, "The Secure Sockets Layer (SSL) Protocol Version 3.0", RFC 6101, August 2011. |
[RFC6265] | Barth, A., "HTTP State Management Mechanism", RFC 6265, April 2011. |
[RFC6454] | Barth, A., "The Web Origin Concept", RFC 6454, December 2011. |
[Aircrack-ng] | d'Otreppe, T, "Aircrack-ng ", Accessed: 11-Jul-2010, . |
[BeckTews09] | Beck, M and E Tews, "Practical Attacks Against WEP and WPA ", Second ACM Conference on Wireless Network Security Zurich, Switzerland, 2009. |
[CWE-113] | CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", Common Weakness Enumeration <http://cwe.mitre.org/>, The Mitre Corporation <http://www.mitre.org/>, . | , "
[Firesheep] | Various, , "Firesheep ", Wikipedia Online, on-going. |
[ForceHTTPS] | Jackson, C and A Barth, "ForceHTTPS: Protecting High-Security Web Sites from Network Attacks ", In Proceedings of the 17th International World Wide Web Conference (WWW2008) , 2008. |
[GoodDhamijaEtAl05] | Good, N, Dhamija, R, Grossklags, J, Thaw, D, Aronowitz, S, Mulligan, D and J Konstan, "Stopping Spyware at the Gate: A User Study of Privacy, Notice and Spyware ", In Proceedings of Symposium On Usable Privacy and Security (SOUPS) Pittsburgh, PA, USA, July 2005. |
[JacksonBarth2008] | Jackson, C and A Barth, "Beware of Finer-Grained Origins ", Web 2.0 Security and Privacy Oakland, CA, USA, 2008. |
[I-D.ietf-tls-ssl-version3] |
Freier, A, Karlton, P and P Kocher, "The SSL Protocol Version 3.0 ", Internet-Draft draft-ietf-tls-ssl-version3-00, November 1996. This is the canonical reference for SSLv3.0. |
[SunshineEgelmanEtAl09] | Sunshine, J, Egelman, S, Almuhimedi, H, Atri, N and L Cranor, "Crying Wolf: An Empirical Study of SSL Warning Effectiveness ", In Proceedings of 18th USENIX Security Symposium Montreal, Canada, Augus 2009. |
[owaspTLSGuide] | Coates, M, Wichers, d, Boberski, M and T Reguly, "Transport Layer Protection Cheat Sheet ", Accessed: 11-Jul-2010, . |
[WebTracking] | Schmucker, N., "Web Tracking", SNET2 Seminar Paper Summer Term, 2011. |
[W3C.REC-wsc-ui-20100812] | Saldhana, A. and T. Roessler, "Web Security Context: User Interface Guidelines", World Wide Web Consortium Recommendation REC-wsc-ui-20100812, August 2010. |
[WEBSEC] |
WebSec -- HTTP Application Security Minus Authentication and Transport", . Mailing list for IETF WebSec Working Group. [RFCEditor: please remove this reference upon publication as an RFC.] | , "
This appendix documents various design decisions.
HSTS Policy has the following primary characteristics:
In contrast, the Same-Origin Policy (SOP) [RFC6454] has the following primary characteristics:
In summary, although both HSTS Policy and SOP are enforced by UAs, HSTS Policy is optionally declared by hosts and is not origin-based, while the SOP applies to all resource representations loaded from all hosts by conformant UAs.
The authors thank Devdatta Akhawe, Michael Barrett, Tobias Gondrom, Paul Hoffman, Murray Kucherawy, James Manger, Alexey Melnikov, Yoav Nir, Laksh Raghavan, Marsh Ray, Julian Reschke, Tom Ritter, Peter Saint-Andre, Sid Stamm, Maciej Stachowiak, Andy Steingrubl, Brandon Sterne, Martin Thomson, Daniel Veditz, as well as all the websec working group participants and others for their review and contributions.
Thanks to Julian Reschke for his elegant re-writing of the effective request URI text, which he did when incorporating the ERU notion into the HTTPbis work. Subsequently, the ERU text in this spec was lifted from Julian's work in [I-D.draft-ietf-httpbis-p1-messaging-17] and adapted to the [RFC2616] ABNF.
[RFCEditor: please remove this section upon publication as an RFC.]
Changes are grouped by spec revision listed in reverse issuance order.