Re: [WEB SECURITY] Strict-Transport-Security on https://www.paypal.com
- From: Bil Corry <bil@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Strict-Transport-Security on https://www.paypal.com
- Date: Mon, 09 Nov 2009 23:04:37 -0800
Andy Steingruebl wrote on 11/7/2009 9:00 AM:
> There are a few considerations on this though, especially if a few of
> the proposed features such as LockCA get added. In that case you
> wouldn't necessarily want the max-age to be longer than your existing
> certificate lifetime, just in case you wanted to change CAs. For
> some people they won't worry about that (I don't) but other folks do
> switch CAs periodically, so that is a concern.
One idea to consider, especially for LockCA[1], is to somehow denote that STS should expire at the same time as the cert, perhaps by omitting max-age or allowing max-age=cert, etc. This will prevent accidentally causing STS to last longer or shorter than the cert expiration, especially when it's rotated out or revoked.
>> Is there a maximum number of cached entries for known STS servers?
>> If so, might an attacker with a large number of domains be able to
>> facilitate a 'STS eviction' attack? If not, might an attacker be
>> able to fill the cache with lots of bogus entries, either causing a
>> performance issue when looking up legitimate sites or perhaps
>> consuming a large quantity of drive space?
>
> We expect this to be a browser implementation issue. The
> specification doesn't say there is a max limit.
There are a couple of implementations currently, it'd be interesting to hear how they handle the maximum number of cache entries.
>> What happens where there is more than one STS header? Which one
>> prevails?
>
> This will probably be in an updated version of the spec as Eric
> Lawrence asked the same question. We expect the last value would
> prevail. We could also specify that this is non-conformant, but
> probably won't because of how people will likely implement this in
> practice.
The first header is the most likely to be legitimate, might it be a safer choice?
And thank you for the detailed responses to the rest of my questions, I appreciate the effort all of you have put into STS.
- Bil
[1] STS and lockCA
http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0014.html
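As an added example, not code from this thread or from any STS implementation, the following Python checker covers two of the points raised above: which policy a client ends up with when a response carries more than one STS header (under either a first-prevails or a last-prevails rule), and whether the chosen max-age would outlive the site's certificate. The headers, dates and the `effective_sts` / `max_age_vs_cert` helper names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: a response carrying two STS headers (the duplicate-header
# case asked about in the thread) plus a made-up certificate expiry and clock.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=60"),
]
SAMPLE_CERT_NOT_AFTER = datetime(2010, 6, 1, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2009, 11, 10, tzinfo=timezone.utc)


def parse_sts(value):
    """Parse one STS header value into a dict of directives.
    Returns None when there is no well-formed max-age (the header is then unusable)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def effective_sts(headers, prefer="first"):
    """Select the policy under a first-prevails or last-prevails rule.
    Returns (policy, count); a count above 1 is worth flagging as a misconfiguration."""
    sts_values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    candidates = [p for p in (parse_sts(v) for v in sts_values) if p is not None]
    if not candidates:
        return None, 0
    chosen = candidates[0] if prefer == "first" else candidates[-1]
    return chosen, len(candidates)


def max_age_vs_cert(policy, cert_not_after, now):
    """Seconds by which max-age outlives the certificate. A positive value means
    the cached policy would persist past cert expiry (the mismatch discussed above)."""
    remaining = int((cert_not_after - now).total_seconds())
    return policy["max-age"] - remaining
```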