One document matched: draft-ietf-websec-strict-transport-sec-02.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC.793 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.0793.xml">
<!ENTITY RFC.1035 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.1035.xml">
<!ENTITY RFC.1594 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.1594.xml">
<!ENTITY RFC.1983 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.1983.xml">
<!ENTITY RFC.2109 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.2109.xml">
<!ENTITY RFC.2119 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC.2560 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.2560.xml">
<!ENTITY RFC.2396 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.2396.xml">
<!ENTITY RFC.2616 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.2616.xml">
<!ENTITY RFC.2818 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.2818.xml">
<!ENTITY RFC.2965 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.2965.xml">
<!ENTITY RFC.3454 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.3454.xml">
<!ENTITY RFC.3490 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.3490.xml">
<!ENTITY RFC.3492 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.3492.xml">
<!ENTITY RFC.3864 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.3864.xml">
<!ENTITY RFC.3986 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.3986.xml">
<!ENTITY RFC.4346 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.4346.xml">
<!ENTITY RFC.4949 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.4949.xml">
<!ENTITY RFC.5280 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.5280.xml">
<!ENTITY I-D.draft-ietf-httpbis-p1-messaging-09 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-httpbis-p1-messaging-15">
<!ENTITY W3C.WD-html5-20100304 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml4/reference.W3C.WD-html5-20100304">
<!ENTITY W3C.WD-wsc-ui-20100309 PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml4/reference.W3C.WD-wsc-ui-20100309">
]>
<!-- PROCESSING INSTRUCTIONS -->
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="yes" ?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<?rfc comments="yes"?>
<?rfc inline="yes" ?>
<?rfc tocdepth="4"?>
<!--
This .xml file intended to be processed by xml2rfc
http://xml.resource.org/
source filename: draft-ietf-websec-strict-transport-sec-02.xml
-->
<rfc category="std" ipr="trust200902"
docName="draft-ietf-websec-strict-transport-sec-02">
<front>
<title>HTTP Strict Transport Security (HSTS)</title>
<author initials="J." surname="Hodges" fullname="Jeff Hodges">
<organization>PayPal</organization>
<address>
<postal>
<street>2211 North First Street</street>
<city>San Jose</city>
<region>California</region>
<code>95131</code>
<country>US</country>
</postal>
<email>Jeff.Hodges@PayPal.com</email>
</address>
</author>
<author initials="C." surname="Jackson" fullname="Collin Jackson" >
<organization>Carnegie Mellon University</organization>
<address>
<email>collin.jackson@sv.cmu.edu</email>
</address>
</author>
<author initials="A." surname="Barth" fullname="Adam Barth">
<organization>
Google, Inc.
</organization>
<address>
<email>ietf@adambarth.com</email>
<uri>http://www.adambarth.com/</uri>
</address>
</author>
<date day="5" month="August" year="2011"/>
<area>Applications</area>
<keyword>Internet-Draft</keyword>
<abstract>
<t>
This specification defines a mechanism enabling Web sites to
declare themselves accessible only via secure connections,
and/or for users to be able to direct their user agent(s) to
interact with given sites only over secure connections. This
overall policy is referred to as HTTP Strict Transport
Security (HSTS). The policy is declared by Web sites via the
Strict-Transport-Security HTTP Response Header Field, and/or by
other means, e.g. user agent configuration.
</t>
</abstract>
</front>
<middle>
<section title="Introduction" anchor="sec-intro">
<t>
[ Please disscuss this draft on the WebSec@ietf.org
mailing list <xref target="WEBSEC"/>. ]
</t>
<t>
The HTTP protocol <xref target="RFC2616" /> may be used over
various transports, typically the Transmission Control
Protocol (TCP) <xref target="RFC0793" />. However, TCP does
not provide channel integrity protection, confidentiality, nor
secure host identification. Thus the Secure Sockets Layer
(SSL) protocol <xref target="I-D.ietf-tls-ssl-version3" /> and
its successor Transport Layer Security (TLS) <xref
target="RFC4346" />, were developed in order to provide
channel-oriented security, and are typically layered between
application protocols and TCP. <xref target="RFC2818" />
specifies how HTTP is layered onto TLS, and defines the
Universal Resource Identifier (URI) scheme of
"https" (in practice however, HTTP user agents (UAs)
typically offer their users choices among SSL2, SSL3, and TLS
for secure transport). URIs themselves are specified in <xref
target="RFC3986" />.
</t>
<t>
UAs employ various local security policies with respect to the
characteristics of their interactions with web resources
depending on (in part) whether they are communicating with a
given web resource using HTTP or
HTTP-over-a-Secure-Transport. For example, cookies (<xref
target="RFC2109" /> and <xref target="RFC2965" />) may be
flagged as Secure. UAs are to send such Secure cookies to
their addressed host only over a secure transport. This is
in contrast to non-Secure cookies, which are returned to the
host regardless of transport (although modulo other rules).
</t>
<t>
UAs typically annunciate to their users any issues with secure
connection establishment, such as being unable to validate a TLS
server certificate trust chain, or if a TLS server certificate is
expired, or if a TLS server's domain name appears incorrectly in
the TLS server certificate (see section 3.1 of <xref
target="RFC2818" />).
Often, UAs enable users to elect to continue to interact with
a web resource in the face of such issues. This behavior is
sometimes referred to as "click(ing) through"
security <xref target="GoodDhamijaEtAl05" /> <xref
target="SunshineEgelmanEtAl09" />, and thus can be described
as "click-through insecurity".
</t>
<t>
A key vulnerability enabled by click-through insecurity is
the leaking of any cookies the web application may be using
to manage a user's session. The threat here is that the attacker
could obtain the cookies and then interact with the legitimate
web application while posing as the user.
</t>
<t>
Jackson and Barth proposed an approach, in <xref
target="ForceHTTPS" />, to enable web applications and/or users
to declare that any interactions with the web application must
be conducted securely, and that any issues with establishing
a secure session are to be treated as fatal
and without direct user recourse. The aim is to prevent users
from unintentionally downgrading their security.
</t>
<t>
This specification embodies and refines the approach proposed
in <xref target="ForceHTTPS" />, e.g. a HTTP response header
field, named
"Strict-Transport-Security",
is used to convey the site HSTS policy to the UA rather than a
cookie. This specification also incorporates notions from
<xref target="JacksonBarth2008" /> in that the HSTS policy is
applied on an "entire-host" basis: it applies to all TCP ports
on the host.
Additionally, HSTS policy can be applied to the entire domain name
subtree rooted at a given host name.
This enables HSTS
to protect so-called
"domain cookies", which are applied to all subdomains of a
given domain.
</t>
<section anchor="intro-organization"
title="Organization of this specification">
<t>
This specification begins with an overview of the use cases, policy effects,
threat models, and requirements for HSTS (in <xref target="sctn-overview"/>).
Then, <xref target="sctn-conformance"/> defines conformance requirements.
The HSTS mechanism itself is formally specified
in <xref target="sctn-terminology"/> through <xref target="sec-iana-consid"/>.
</t>
</section>
</section> <!-- Introduction -->
<section anchor="sctn-overview" title="Overview">
<t>
This section discusses the use cases, summarizes the HTTP Strict
Transport Security (HSTS) policy, and continues with a
discussion of the threat model, non-addressed threats, and
derived requirements.
</t>
<section anchor="sctn-use-cases" title="Use Cases">
<t>
The high-level use case is a combination of:
</t>
<t>
<list style="symbols">
<t>
Web browser user wishes to discover, or be introduced
to, and/or utilize various web sites (some arbitrary,
some known) in a secure fashion.
</t>
<t>
Web site deployer wishes to offer their site in an
explicitly secure fashion for both their own, as well as
their users', benefit.
</t>
</list>
</t>
</section> <!-- sctn-use-cases -->
<section anchor="sctn-sts-policy-summary"
title="Strict Transport Security Policy Effects">
<t>
The characteristics of the HTTP Strict Transport Security policy,
as applied by a UA in its interactions with a web site
wielding HSTS Policy, known as a HSTS Host, is summarized as
follows:
</t>
<t>
<list style="numbers">
<t>
All insecure ("http") connections to any TCP
ports
on a HSTS Host
are redirected by the HSTS Host to be secure connections
("https").
</t>
<t>
The UA terminates, without user recourse, any secure
transport connection attempts upon any and all secure
transport errors or warnings, including those caused by a
web application presenting self-signed certificates.
</t>
<t>
UAs transform insecure URI references to a HSTS Host
into secure URI references before dereferencing them.
</t>
</list>
</t>
</section> <!-- sctn-sts-policy-summary -->
<section anchor="sctn-threat-model" title="Threat Model">
<t>
HSTS is concerned with three threat classes: passive network
attackers, active network attackers, and imperfect web
developers. However, it is explicitly not a remedy for two
other classes of threats: phishing and malware. Addressed
and not addressed threats are briefly discussed below.
Readers may wish refer to <xref target="ForceHTTPS" /> for
details as well as relevant citations.
</t>
<section anchor="sctn-threats-addr" title="Threats Addressed">
<section anchor="sctn-psv-net-atkr" title="Passive Network Attackers">
<t>
When a user browses the web on a local wireless network
(e.g. an 802.11-based wireless local area network)
a nearby attacker can possibly eavesdrop on the user's
unencrypted Internet Protocol-based connections, such as
HTTP, regardless of whether or not the local wireless
network itself is secured <xref target="BeckTews09"/>.
Freely available wireless sniffing toolkits, e.g. <xref
target="Aircrack-ng"/>, enable such passive eavesdropping
attacks, even if the local wireless network is operating in
a secure fashion.
A passive network attacker using such tools can steal session
identifiers/cookies and hijack the user's web session(s), by
obtaining cookies containing authentication credentials
<xref target="ForceHTTPS"/>.
For example, there exist widely-available tools, such as
Firesheep (a Firefox extension)
<xref target="Firesheep"/>, which
enable their wielder to obtain other local users' session cookies
for various web applications.
</t>
<t>
To mitigate such threats, some Web sites support, but usually
do not force, access using end-to-end secure transport
-- e.g. signaled through URIs constructed with the
"https" scheme <xref target="RFC2818" />. This
can lead users to believe that accessing such services
using secure transport protects them from passive
network attackers. Unfortunately, this is often not the
case in real-world deployments as session identifiers
are often stored in non-Secure cookies to permit
interoperability with versions of the service offered
over insecure transport ("Secure cookes" are those
cookies containing the "Secure" attribute
<xref target="RFC2109"/>). For example, if the session
identifier for a web site (an email service, say) is
stored in a non-Secure cookie, it permits an attacker to
hijack the user's session if the user's UA makes a single
insecure HTTP request to the site.
</t>
</section> <!-- sctn-psv-net-atkr -->
<section anchor="sctn-actv-net-atkr" title="Active Network Attackers">
<t>
A determined attacker can mount an active attack, either
by impersonating a user's DNS server or, in a wireless
network, by spoofing network frames or offering a
similarly-named evil twin access point. If the user is
behind a wireless home router, an attacker can attempt
to reconfigure the router using default passwords and
other vulnerabilities. Some sites, such as banks, rely
on end-to-end secure transport to protect themselves and their
users from such active attackers. Unfortunately,
browsers allow their users to easily opt-out of these
protections in order to be usable for sites that
incorrectly deploy secure transport, for example by
generating and self-signing their own certificates
(without also distributing their CA certificate to their
users' browsers).
</t>
</section> <!-- sctn-actv-net-atkr -->
<section anchor="sctn-web-dvlp" title="Web Site Development and Deployment Bugs">
<t>
The security of an otherwise uniformly secure site (i.e.
all of its content is materialized via "https"
URIs), can be compromised completely by an active
attacker exploiting a simple mistake, such as the
loading of a cascading style sheet or a SWF movie over
an insecure connection (both cascading style sheets and
SWF movies can script the embedding page, to the
surprise of many web developers -- most browsers do not
issue mixed content warnings when insecure SWF files are
embedded). Even if the site's developers carefully
scrutinize their login page for mixed content, a single
insecure embedding anywhere on the site compromises the
security of their login page because an attacker can
script (control) the login page by injecting script into
the page with mixed content.
</t>
<t>
<list style="hanging" hangIndent="7">
<t hangText="Note:">
"Mixed content" here refers to the same notion
referred to as "mixed security context" later
elsewhere in this specification.
</t>
</list>
</t>
</section> <!-- sctn-web-dvlp -->
</section> <!-- sctn-threats-addr -->
<section anchor="sctn-threats-not-addressed" title="Threats Not Addressed">
<section anchor="sctn-phishing" title="Phishing">
<t>
Phishing attacks occur when an attacker solicits
authentication credentials from the user by hosting a
fake site located on a different domain than the real
site, perhaps driving traffic to the fake site by
sending a link in an email message. Phishing attacks can
be very effective because users find it difficult to
distinguish the real site from a fake site. HSTS is not a
defense against phishing per se; rather, it complements
many existing phishing defenses by instructing the
browser to protect session integrity and long-lived
authentication tokens <xref target="ForceHTTPS" />.
</t>
</section> <!-- sctn-phishing -->
<section anchor="sctn-malware" title="Malware and Browser Vulnerabilities">
<t>
Because HSTS is implemented as a browser security
mechanism, it relies on the trustworthiness of the
user's system to protect the session. Malicious
code executing on
the user's system can compromise a browser session,
regardless of whether HSTS is used.
</t>
</section> <!-- sctn-malware -->
</section> <!-- sctn-threats-not-addressed -->
</section> <!-- sctn-threat-model -->
<section anchor="sctn-reqs" title="Requirements">
<t>
This section identifies and enumerates various
requirements derived from the use cases and the threats
discussed above, and lists the detailed core requirements
HTTP Strict Transport Security addresses, as well as ancillary
requirements that are not directly addressed.
</t>
<section anchor="sctn-reqs-ovrl-req" title="Overall Requirement">
<t>
<list style="symbols">
<t>
Minimize the risks to web browser users and web site
deployers that are derived from passive and active
network attackers, web site development and deployment
bugs, as well as insecure user actions.
</t>
</list>
</t>
<section anchor="sctn-reqs-core" title="Detailed Core Requirements">
<t>
These core requirements are derived from the overall
requirement, and are addressed by this specification.
</t>
<t>
<list style="numbers">
<!-- 1 -->
<t>
Web sites need to be able to declare to UAs that
they should be interacted with using a strict security
policy.
</t>
<!-- 2 -->
<t>
Web sites need to be able to instruct UAs that
contact them insecurely to do so securely.
</t>
<!-- 3 -->
<t>
UAs need to note web sites that signal strict
security policy enablement, for a web site declared
time span.
</t>
<!-- 4 -->
<t>
UAs need to re-write all insecure UA
"http" URI loads to use the
"https" secure scheme for those web sites
for which secure policy is enabled.
</t>
<!-- 5 -->
<t>
Web site administrators need to be able to signal
strict security policy application to subdomains of
higher-level domains for which strict security policy
is enabled, and UAs need to enforce such policy.
</t>
<t>
For example, both example.com and foo.example.com
could set policy for bar.foo.example.com.
</t>
<!-- 6 -->
<t>
UAs need to disallow security policy application to
peer domains, and/or higher-level domains, by domains
for which strict security policy is enabled.
</t>
<t>
For example, neither bar.foo.example.com nor
foo.example.com can set policy for example.com, nor
can bar.foo.example.com set policy for
foo.example.com. Also, foo.example.com cannot set
policy for sibling.example.com.
</t>
<!-- 7 -->
<t>
UAs need to prevent users from clicking-through
security warnings. Halting connection attempts in the
face of secure transport exceptions is acceptable.
</t>
</list>
</t>
<t>
<list style="hanging" hangIndent="7">
<t hangText="Note:">
A means for uniformly securely meeting the first
core requirement above is not specifically addressed
by this specification (see <xref
target="sctn-sec-cons-boot"/> "<xref
target="sctn-sec-cons-boot"
format="title"/>"). It may be addressed by a
future revision of this specification or some other
specification. Note also that there are means by
which UA implementations may more fully meet the
first core requirement, see <xref
target="sctn-ua-impl-advice"/> "<xref
target="sctn-ua-impl-advice" format="title"/>".
</t>
</list>
</t>
</section> <!-- sctn-reqs-core -->
<section anchor="sctn-reqs-ancillary" title="Detailed Ancillary Requirements">
<t>
These ancillary requirements are also derived from the
overall requirement. They are not normatively addressed in
this specification, but could be met by UA implementations
at their implementor's discretion, although meeting these
requirements may be complex.
</t>
<t>
<list style="numbers">
<t>
Disallow "mixed security context" (also
known as "mixed-content") loads (see section
5.3 "Mixed Content" in <xref
target="W3C.WD-wsc-ui-20100309" />).
</t>
<t>
Facilitate user declaration of web sites for which
strict security policy is enabled, regardless of whether
the sites signal HSTS Policy.
</t>
</list>
</t>
</section> <!-- sctn-reqs-ancillary -->
</section> <!-- sctn-reqs-ovrl-req -->
</section> <!-- Requirements -->
</section>
<section anchor="sctn-conformance" title="Conformance Criteria">
<t>
This specification is written for hosts and user agents
(UAs).
</t>
<!--
<t>
As well as sections and appendices marked as non-normative,
all diagrams, examples, and notes in this specification are
non-normative. Everything else in this specification is
normative.
</t>
-->
<t>
In this specification, the words MUST, MUST NOT, MAY, and SHOULD
are to be interpreted as described
in <xref target="RFC2119" />.
</t>
<t>
A conformant host is one that implements all the
requirements listed in this specification that are
applicable to hosts.
</t>
<t>
A conformant user agent is one that implements all the
requirements listed in this specification that are
applicable to user agents.
</t>
<section title="Document Conventions">
<t>
<list style="hanging" hangIndent="7">
<t hangText="Note:">
..is a note to the reader. These are points that should be
expressly kept in mind and/or considered.
</t>
</list>
<list style="hanging" hangIndent="10">
<t hangText="Warning:">
This is how a warning is shown.
These are things that can have suboptimal
downside risks if not heeded.
</t>
</list>
<!--
<cref anchor="XXXn" source="JeffH">
Some of the
more major known issues are marked like this
(where "n" in "XXXn" is a number).
</cref>
-->
</t>
<!--
<t>
<cref anchor="TODOn" source="JeffH">
Things to fix
(where "n" in "TODOn" is a number).
</cref>
</t>
-->
</section> <!-- Document Conventions -->
</section> <!-- sctn-conformance -->
<section anchor="sctn-terminology" title="Terminology">
<t>Terminology is defined in this section.</t>
<t><list style="hanging" hangIndent="18">
<t hangText="ASCII case-insensitive comparison">
<vspace/>
means comparing two
strings exactly, codepoint for codepoint, except that the
characters in the range U+0041 .. U+005A (i.e. LATIN CAPITAL
LETTER A to LATIN CAPITAL LETTER Z) and the corresponding
characters in the range U+0061 .. U+007A (i.e. LATIN SMALL
LETTER A to LATIN SMALL LETTER Z) are considered to also
match. See <xref target="Unicode5" /> for details.
</t></list>
</t>
<t><list style="hanging" hangIndent="18">
<t hangText="codepoint">
is a colloquial
contraction of Code Point, which is any value in the Unicode
codespace; that is, the range of integers from 0 to
10FFFF(hex) <xref target="Unicode5" />.
</t></list>
</t>
<t><list style="hanging" hangIndent="18">
<t hangText="Domain Name">
Domain Names, also
referred to as DNS Names, are defined in <xref
target="RFC1035" /> to be represented outside of the DNS
protocol itself (and implementations thereof) as a series of
labels separated by dots, e.g. "example.com" or
"yet.another.example.org". In the context of this
specification, Domain Names appear in that portion of a URI
satisfying the reg-name production in "Appendix A.
Collected ABNF for URI" in <xref target="RFC3986" />,
and the host component from the Host HTTP header field
production in section 14.23 of <xref target="RFC2616"
/>.
<list style="hanging" hangIndent="7">
<t hangText="Note:">
The Domain Names appearing in actual URI instances and
matching the aforementioned production components may or
may not be FQDNs.
</t>
</list>
</t>
</list>
</t>
<t>
<list style="hanging" hangIndent="18">
<t hangText="Domain Name Label">
is that portion of a Domain Name appearing
"between the dots", i.e. consider
"foo.example.com": "foo",
"example", and "com" are all domain
name labels.
</t>
</list>
</t>
<t><list style="hanging" hangIndent="18">
<t hangText="Effective Request URI">
<vspace/>
is a URI, identifying the target resource, that can be
inferred by an HTTP host for any given HTTP request it
receives. HTTP requests often do not carry an absolute-URI
(<xref target="RFC3986"/>, Section 4.3) identifying the
target resource. See <xref
target="sctn-svrproc-httpreq-eru"/> "<xref
target="sctn-svrproc-httpreq-eru" format="title"/>",
below.
<!--
That is, they do not carry
for the target
resource.
Rather, different portions of a resource's URI may be
mapped to both the Request-Line header field and the Host
header field in an HTTP request message <xref
target="I-D.ietf-httpbis-p1-messaging" />. The HTTP server
coalesces these URI fragments and constructs an equivalent
of the Request-URI that was used by the UA to generate the
received HTTP request message.
-->
</t></list>
</t>
<t><list style="hanging" hangIndent="18">
<t hangText="FQDN">
is an acronym for Fully-qualified Domain Name. A FQDN is a
Domain Name that includes all higher level domains
relevant to the named entity (typically a HSTS Host in
the context of this specification). If one thinks of the
DNS as a tree-structure with each node having its own
Domain Name Label, a FQDN for a specific node would be its
label followed by the labels of all the other nodes
between it and the root of the tree. For example, for a
host, a FQDN would include the label that identifies the
particular host, plus all domains of which the host is a
part, up to and including the top-level domain (the root
domain is always null) <xref target="RFC1594" />.
</t></list>
</t>
<t><list style="hanging" hangIndent="18">
<t hangText="HTTP Strict Transport Security">
<vspace/>
is the
overall name for the combined UA- and server-side security
policy defined by this specification.
</t></list>
</t>
<t><list style="hanging" hangIndent="18">
<t hangText="HTTP Strict Transport Security Host">
<vspace/>
is a
HTTP host implementing the server aspects of the HSTS
policy.
</t></list>
</t>
<t><list style="hanging" hangIndent="18">
<t hangText="HTTP Strict Transport Security Policy">
<vspace/>
is the name of the combined overall
UA- and server-side facets of the behavior specified in
this specification.
</t></list>
</t>
<t><list style="hanging" hangIndent="18">
<t hangText="HSTS">
See HTTP Strict Transport
Security.
</t></list>
</t>
<t><list style="hanging" hangIndent="18">
<t hangText="HSTS Host">
See HTTP Strict
Transport Security Host.
</t></list>
</t>
<t><list style="hanging" hangIndent="18">
<t hangText="HSTS Policy">
See HTTP Strict Transport Security Policy.
</t></list>
</t>
<t><list style="hanging" hangIndent="18">
<t hangText="Known HSTS Host">
is a HSTS
Host for which the UA has a HSTS Policy in effect.
</t></list>
</t>
<t><list style="hanging" hangIndent="18">
<t hangText="Local policy">
is comprised
of policy rules deployers specify and which are often
manifested as "configuration settings".
</t></list>
</t>
<t><list style="hanging" hangIndent="18">
<t hangText="MITM">
is an acronym for
man-in-the-middle. See "man-in-the-middle
attack" in <xref target="RFC4949" />.
</t></list>
</t>
<t><list style="hanging" hangIndent="18">
<t hangText="Request URI">
is the URI used to
cause a UA to issue an HTTP request message.
</t></list>
</t>
<t><list style="hanging" hangIndent="18">
<t hangText="UA">
is a an acronym for user agent. For
the purposes of this specification, a UA is an HTTP client
application typically actively manipulated by a user <xref
target="RFC2616" /> .
</t></list>
</t>
</section> <!-- sctn-terminology -->
<section anchor="sctn-syntax" title="Syntax">
<t>
This section defines the syntax of the new header this
specification introduces. It also provides a short
description of the function the header.
</t>
<t>
The <xref target="server-processing-model"/>
"<xref target="server-processing-model" format="title"/>"
section details how hosts are to
use this header. Likewise, the
<xref target="user-agent-processing-model"/>
"<xref target="user-agent-processing-model" format="title"/>"
section details how user agents are to use this
header.
</t>
<section anchor="sctn-syntax-grammar"
title="Strict-Transport-Security HTTP Response Header Field">
<t>
The Strict-Transport-Security HTTP response header field
indicates to a UA that it MUST enforce the HSTS Policy in
regards to the host emitting the response message
containing this header field.
</t>
<t>
The ABNF syntax for the Strict-Transport-Security HTTP
Response Header field is:
</t>
<t>
<figure>
<artwork>
Strict-Transport-Security =
"Strict-Transport-Security" ":" OWS STS-v OWS
; value
STS-v = STS-d
/ STS-d *( OWS ";" OWS STS-d OWS )
; STS directive
STS-d = STS-d-cur / STS-d-ext
; defined STS directives
STS-d-cur = maxAge / [ includeSubDomains ]
maxAge = "max-age" OWS "=" OWS delta-seconds [ OWS v-ext ]
; delta-seconds is 1*DIGIT and is from [RFC2616]
includeSubDomains = "includeSubDomains" [ OWS v-ext ]
; extension points
STS-d-ext = name ; STS extension directive
v-ext = value ; STS extension value
name = token
value = OWS / %x21-3A / %x3C-7E ; i.e. optional white space, or
; [ ! .. : ] [ < .. ~ ] any visible chars other than ";"
token = 1*tchar
tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
/ "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
/ DIGIT / ALPHA
; visible (printing) characters, except visible
; separators.
; DIGIT, ALPHA, separators are from [RFC2616]
; Basic rules:
OWS = *( [ CRLF ] WSP )
; Optional White Space
WSP = SP / HTAB
CRLF = CR LF
; CR, LF, SP, HTAB are from [RFC2616]
</artwork>
</figure>
<list style="hanging" hangIndent="7">
<t hangText="Note:">
<xref target="RFC2616"/>
is used
as the ABNF basis in order to ensure that the new header
has equivalent parsing rules to the header fields defined
in that same specification. Also:
<list style="numbers">
<t>
Quoted-string literals in the above ABNF stanza
are case-insensitive.
</t>
<t>
In order to correctly
match the grammar above, the
Strict-Transport-Security HTTP Response Header MUST
include at least a max-age directive with at least a
single-digit value for delta-seconds.
</t>
</list>
</t>
</list>
</t>
<!--
<t>
The ABNF syntax for the Strict-Transport-Security HTTP
Response Header field is:
</t>
<t>
<figure>
<artwork>
Strict-Transport-Security =
"Strict-Transport-Security" ":" OWS STS-v OWS
; value
STS-v = STS-d
/ STS-d *( OWS ";" OWS STS-d OWS )
; STS directive
STS-d = STS-d-cur / STS-d-ext
; defined STS directives
STS-d-cur = maxAge / includeSubDomains
maxAge = "max-age" OWS "=" OWS delta-seconds v-ext
includeSubDomains = [ "includeSubDomains" ] v-ext
; extension points
STS-d-ext = name ; STS extension directive
v-ext = value ; STS extension value
name = token
value = OWS / %x21-3A / %x3C-7E ; i.e. optional white space, or
; [ ! .. : ] [ < .. ~ ] any visible chars other than ";"
; productions imported from [ID.ietf-httpbis-p1-messaging]:
token
OWS ; Optional White Space
</artwork>
</figure>
<list style="hanging" hangIndent="7">
<t hangText="Note:">
<xref
target="I-D.ietf-httpbis-p1-messaging" /> is used
as the ABNF basis in order to ensure that the new header
has equivalent parsing rules to the header fields defined
in that same specification. Also:
<list style="numbers">
<t>
Quoted-string literals in the above ABNF stanza
are case-insensitive.
</t>
<t>
In order to correctly
match the grammar above, the
Strict-Transport-Security HTTP Response Header MUST
include at least a max-age directive with at least a
single-digit value for delta-seconds.
</t>
</list>
</t>
</list>
</t>
-->
<t>
<list style="hanging" hangIndent="9">
<t hangText="max-age">
specifies the number of seconds,
after the recption of the Strict-Transport-Security HTTP
Response Header, during which the UA regards the host
the message was received from as a Known HSTS Host (see
also <xref target="sctn-uaproc-stshf-note"/>
"<xref target="sctn-uaproc-stshf-note" format="title"/>",
below). The delta-seconds production is
specified in <xref target="RFC2616" />.
</t>
</list>
</t>
<!--
<t>
<cref anchor="TODO1" source="JeffH">
The above para wrt max-age may need
further refinement.
</cref>
</t>
-->
<t>
<list style="hanging" hangIndent="18">
<t hangText="includeSubDomains">
is a flag which, if
present, signals to the UA that the HSTS Policy applies
to this HSTS Host as well as any subdomains of the
host's FQDN.
</t>
</list>
</t>
</section> <!-- sctn-syntax-grammar -->
<section anchor="sctn-syntax-examples" title="Examples">
<t>
The below HSTS header field stipulates that the HSTS policy
is to remain in effect for one year (there are approximately
31 536 000 seconds in a year), and the policy applies only
to the domain of the HSTS Host issuing it:
</t>
<t>
<figure>
<artwork>
Strict-Transport-Security: max-age=31536000
</artwork>
</figure>
</t>
<t>
The below HSTS header field stipulates that the HSTS policy
is to remain in effect for approximately six months and the
policy applies only to the domain of the issuing HSTS Host
and all of its subdomains:
</t>
<t>
<figure>
<artwork>
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
</artwork>
</figure>
</t>
</section> <!-- sctn-syntax-examples -->
</section> <!-- sctn-syntax -->
<section anchor="server-processing-model" title="Server Processing Model">
<t>
This section describes the processing model that HSTS Hosts
implement. The model is comprised of two facets: the first
being the processing rules for HTTP request messages received
over a secure transport (e.g. TLS <xref target="RFC4346" />,
SSL <xref target="I-D.ietf-tls-ssl-version3" />, or perhaps
others, the second being the processing rules for HTTP request
messages received over non-secure transports, i.e. over TCP/IP
<xref target="RFC0793" />.
</t>
<section title="HTTP-over-Secure-Transport Request Type">
<t>
When replying to an HTTP request that was conveyed over a
secure transport, a HSTS Host SHOULD include
in its response message a Strict-Transport-Security HTTP
Response Header that MUST satisfy the grammar
specified above in <xref target="sctn-syntax-grammar"/> "<xref
target="sctn-syntax-grammar" format="title"/>".
If a Strict-Transport-Security HTTP Response Header is
included, the HSTS Host MUST include
only one such header.
</t>
<t>
<list style="hanging" hangIndent="7">
<t hangText="Note:">
Including the Strict-Transport-Security HTTP Response Header is
stipulated as a "SHOULD" in order to accomodate
various server- and network-side caches and load-balancing
configurations where it may be difficult to uniformly emit
Strict-Transport-Security HTTP Response Headers on behalf
of a given HSTS Host.
</t>
<t>
Establishing a given host as a Known HSTS Host, in the
context of a given UA, MAY be accomplished over the HTTP
protocol by correctly returning, per this specification,
at least one valid Strict-Transport-Security HTTP
Response Header to the UA. Other mechanisms, such as a
client-side pre-loaded Known HSTS Host list MAY also be
used. E.g. see <xref target="sctn-ua-impl-advice"/>
"<xref target="sctn-ua-impl-advice"
format="title"/>".
</t>
</list>
</t>
</section> <!-- HTTP-over-Secure-Transport Request Type -->
<section title="HTTP Request Type">
<t>
If a HSTS Host receives a HTTP request message over a
non-secure transport, it SHOULD send a HTTP response message
containing a Status-Code of 301 and a Location header field
value containing either the HTTP request's original
Effective Request URI (see <xref
target="sctn-svrproc-httpreq-eru"/> "<xref
target="sctn-svrproc-httpreq-eru" format="title"/>", below)
altered as necessary to have a URI scheme of
"https", or a URI generated according to local
policy (which SHOULD employ a URI scheme of
"https").
</t>
<t>
<list style="hanging" hangIndent="0">
<t hangText="Note:">
The above behavior is a "SHOULD" rather than a
"MUST" because:
<list style="symbols">
<t>
There are risks in server-side
non-secure-to-secure redirects <xref target="owaspTLSGuide"/>.
</t>
<t>
Site deployment characteristics -- e.g. a site that incorporates
third-party components may not behave correctly when
doing server-side non-secure-to-secure redirects in the case
of being accessed over non-secure transport, but
does behave correctly when accessed uniformly over
secure transport. The latter is the case given a
HSTS-capapble UA that has already noted
the site as a Known HSTS Host (by whatever means, e.g.
prior interaction or UA configuration).
</t>
</list>
</t>
</list>
</t>
<t>
<!--
<cref anchor="XXX1" source="JeffH">
perhaps the "SHOULD" in the above behavior should be a "MAY" given the
reasons it's presently not a "MUST".
</cref>
-->
</t>
<t>
A HSTS Host
MUST NOT include the
Strict-Transport-Security HTTP Response Header in
HTTP responses conveyed over non-secure
transport.
</t>
</section> <!-- HTTP Request Type -->
</section> <!-- server-processing-model -->
<section anchor="user-agent-processing-model" title="User Agent Processing Model">
<t>
This section describes the HTTP Strict Transport
Security processing model for UAs.
There are several facets to the model, enumerated by the
following subsections.
</t>
<t>
Also, this processing model assumes that all Domain Names manipulated in this specification's
context are already in ASCII
Compatible Encoding (ACE) format as specified in
<xref target="RFC3490" />. If this is not the case in some situation, use the
operation given in
<xref target="sctn-force-tls-dns-name-toascii"/>
"<xref target="sctn-force-tls-dns-name-toascii" format="title"/>"
to convert any encountered internationalized Domain Names to
ACE format before processing them.
</t>
<section anchor="sctn-resp-hdr-proc"
title="Strict-Transport-Security Response Header Field Processing">
<t>
If an HTTP response, received over a secure transport,
includes a Strict-Transport-Security
HTTP Response Header field,
conforming to the grammar specified in
<xref target="sctn-syntax-grammar"/>
"<xref target="sctn-syntax-grammar" format="title"/>"
(above),
and there are no underlying secure transport
errors or warnings
(see <xref target="sctn-err-tls-estab"/>, below),
the UA MUST either:
</t>
<t>
<list style="symbols">
<t>
Note the host as a Known HSTS Host if it is not already
so noted (see <xref target="sctn-uaproc-stshf-note"/>
"<xref target="sctn-uaproc-stshf-note" format="title"/>", below),
</t>
</list>
</t>
<t>
or,
</t>
<t>
<list style="symbols">
<t>
Update its cached information for the Known HSTS
Host if the max-age and/or
includeSubDomains header field
value tokens are conveying information different than that
already maintained by the UA.
</t>
</list>
</t>
<t>
<list style="hanging" hangIndent="7">
<t hangText="Note:">
The max-age value is essentially a "time to live" value
relative to the reception time of the Strict-Transport-Security HTTP Response Header.
<vspace blankLines="1"/>
If a UA receives more than one Strict-Transport-Security header field
in a
HTTP response message over secure transport, then the
UA SHOULD process only the first such header field.
</t>
</list>
</t>
<t>
<!--
<cref anchor="TODO2" source="JeffH">
Decide UA behavior in face of encountering multiple HSTS headers in a message. Use first header? Last?
</cref>
-->
</t>
<t>
Otherwise:
</t>
<t>
<list style="symbols">
<t>
If an HTTP response is received over insecure
transport, the UA MUST ignore
any present Strict-Transport-Security HTTP Response
Header(s).
</t>
<t>
The UA MUST ignore any
Strict-Transport-Security HTTP Response Headers not
conforming to the grammar specified in
<xref target="sctn-syntax-grammar"/>
"<xref target="sctn-syntax-grammar" format="title"/>"
(above).
</t>
</list>
</t>
<section anchor="sctn-uaproc-stshf-note" title="Noting a HSTS Host">
<t>
If the substring matching the host production from the
Request-URI, that the host
responded to, syntactically
matches the IP-literal or IPv4address
productions from section 3.2.2 of <xref target="RFC3986" />, then
the UA MUST NOT note
this host as a Known HSTS Host.
</t>
<t>
Otherwise, if the substring does not congruently match a presently known HSTS Host,
per the matching procedure specified in
<xref target="sctn-ksts-dn-match"/>
"<xref target="sctn-ksts-dn-match" format="title"/>"
below, then
the UA MUST
note this host as a Known HSTS Host, caching the HSTS Host's
Domain Name and noting along with it the expiry time of this information, as effectively stipulated
per the given max-age value,
as well as whether the includeSubDomains
flag is asserted or not.
</t>
</section> <!-- sctn-uaproc-stshf-note -->
<section anchor="sctn-ksts-dn-match" title="Known HSTS Host Domain Name Matching">
<t>
A UA determines whether a Domain Name represents a Known
HSTS Host by looking for a match between the query Domain
Name and the UA's set of Known HSTS Hosts.
</t>
<t>
<list style="numbers">
<t>
Compare the query Domain Name string with the Domain
Names of the UA's set of Known HSTS Hosts.
For each Known HSTS Host's Domain Name, the
comparison is done with the query Domain Name
label-by-label using an ASCII case-insensitive
comparison beginning with the rightmost label, and
continuing right-to-left, and ignoring separator
characters (see clause 3.1(4) of <xref
target="RFC3986" />.
<list style="symbols">
<t>
If a label-for-label match between an entire
Known HSTS Host's Domain Name and a right-hand
portion of the query Domain Name is found, then the
Known HSTS Host's Domain Name is a superdomain
match for the query Domain Name.
<vspace blankLines="1"/>
For example:
<figure>
<artwork>
Query Domain Name: bar.foo.example.com
Superdomain matched
Known HSTS Host DN: foo.example.com
</artwork>
</figure>
<vspace blankLines="1"/>
At this point, the query Domain Name is
ascertained to effectively represent a Known HSTS
Host. There may also be additional matches
further down the Domain Name Label tree, up to and
including a congruent match.
</t>
<t>
If a label-for-label match between a Known HSTS
Host's Domain Name and the query domain name is found,
i.e. there are no further labels to compare, then the
query Domain Name congruently matches this Known HSTS
Host.
<vspace blankLines="1"/>
For example:
<figure>
<artwork>
Query Domain Name: foo.example.com
Congruently matched
Known HSTS Host DN: foo.example.com
</artwork>
</figure>
<vspace blankLines="1"/>
The query Domain Name is ascertained to
represent
a Known HSTS Host. However, if there are also
superdomain matches, the one highest in the tree asserts
the HSTS Policy for this Known HSTS Host.
</t>
<t>
Otherwise, if no matches are found, the query Domain Name does not represent a
Known HSTS Host.
</t>
</list>
</t>
</list>
</t>
</section> <!-- sctn-ksts-dn-match -->
</section> <!-- sctn-resp-hdr-proc -->
<section anchor="sctn-uri-load-port-map" title="URI Loading and Port Mapping">
<t>
Whenever the UA prepares to "load", also known as
"dereference", any URI where the host component of
the authority component of the URI <xref target="RFC3986"/>
matches that of a Known HSTS Host (either as a congruent
match or as a superdomain match where the superdomain Known
HSTS Host has includeSubDomains asserted),
then before proceeding with the load:
<list style="empty">
<t>
If the URI's scheme is "http", then the UA MUST
replace the URI scheme with "https", and,
<list>
<t>
if the URI contains an explicit port component <xref
target="RFC3986"/> of "80", then the UA MUST convert
the port component to be "443", or,
</t>
<t>
if the URI contains an explicit port component that
is not equal to "80", the port component value MUST
be preserved, otherwise,
</t>
<t>
if the URI does not contain an explicit port
component, the UA MUST NOT add one.
</t>
</list>
Otherwise, if the URI's scheme is "https",
then the UA MUST NOT modify the URI before dereferencing
it.
</t>
</list>
Note that the implication of the above steps is that the HSTS
policy applies to all TCP ports on a host advertising the
HSTS policy.
</t>
</section><!-- URI Loading and port mapping -->
<section anchor="sctn-err-tls-estab"
title="Errors in Secure Transport Establishment">
<t>
When connecting to a Known HSTS Host, the UA MUST terminate
the connection (see also
<xref target="sctn-ua-impl-advice"/>
"<xref target="sctn-ua-impl-advice" format="title"/>", below)
if there are any errors
(e.g. certificate errors), whether "warning" or
"fatal" or any other error level, with the
underlying secure transport. This includes any issues
with certificate revocation checking whether via
the Certificate Revocation List (CRL)
<xref target="RFC5280"/>,
or via the Online Certificate Status Protocol (OCSP)
<xref target="RFC5280"/>.
</t>
</section> <!-- Errors in Secure Transport Establishment -->
<section title="HTTP-Equiv <Meta> Element Attribute">
<t>
UAs MUST NOT heed
http-equiv="Strict-Transport-Security" attribute
settings on <meta> elements in received content.
</t>
</section> <!-- HTTP-Equiv <Meta> Element Attribute -->
<section anchor="sctn-missing-hsts-header"
title="Interstitially Missing
Strict-Transport-Security Response Header Field">
<t>
If a UA receives HTTP responses from Known HSTS Host
over a secure channel, but they are missing the
Strict-Transport-Security Response Header Field,
the UA SHOULD continue to treat the host as a
Known HSTS Host until the max age for the
knowledge that Known HSTS Host is reached. Note
that the max age could be infinite for a given
Known HSTS Host. For example, if the Known HSTS Host
is part of a pre-configured list that is implemented
such that the list entries never "age out".
</t>
</section> <!-- HTTP-Equiv <Meta> Element Attribute -->
</section> <!-- user-agent-processing-model -->
<section anchor="sctn-force-tls-dns-name-toascii"
title="Domain Name ToASCII Conversion Operation">
<t>
This operation converts a string-serialized Domain Name
possibly containing arbitrary Unicode characters <xref
target="Unicode5" /> into a string-serialized Domain Name in
ASCII Compatible Encoding (ACE) format as specified in <xref
target="RFC3490" />.
</t>
<t>
The operation is:
</t>
<t>
<list style="symbols">
<t>
Apply the IDNA conversion operation
(section 4 of <xref target="RFC3490" />) to the string,
selecting the ToASCII operation
and setting both the AllowUnassigned and UseSTD3ASCIIRules flags.
</t>
</list>
</t>
</section> <!-- sctn-force-tls-dns-name-toascii -->
<section anchor="sctn-hosting-spec-advice" title="Server Implementation Advice">
<t>This section is non-normative.</t>
<t>
HSTS Policy expiration time considerations:
</t>
<t>
<list style="symbols">
<t>
Server implementations and deploying web sites need to
consider whether they are setting an expiry time that is a
constant value into the future, e.g. by constantly sending
the same max-age value to UAs. For exmple:
<figure>
<artwork>
Strict-Transport-Security: max-age=778000
</artwork>
</figure>
A max-age value of 778000 is 90 days. Note that each
receipt of this header by a UA will require the UA to
update its notion of when it must delete its knowledge of
this Known HSTS Host. The specifics of how this is
accomplished is out of the scope of this specification.
</t>
<t>
Or, whether they are
setting an expiry time that is a fixed point in time,
e.g. by sending max-age values that represent the
remaining time until the expiry time.
</t>
<t>
A consideration here is whether a deployer wishes to have
signaled HSTS Policy expiry time match that
for the web site's domain certificate.
</t>
</list>
</t>
<t>
Considerations for using HTTP Strict Transport Security in conjunction with
self-signed public-key certificates:
</t>
<t>
<list style="symbols">
<t>
If a web site/organization/enterprise is generating their
own secure transport public-key certificates for web
sites, and that organization's root certificate authority
(CA) certificate is not typically embedded by default in
browser CA certificate stores, and if HSTS Policy is
enabled on a site identifying itself using a self-signed
certificate, then secure connections to that site will
fail, per the HSTS design. This is to
protect against various active attacks, as discussed
above.
</t>
<t>
However, if said organization strongly wishes to employ
self-signed certificates, and their own CA in concert with
HSTS, they can do so by deploying their root CA certificate
to their users' browsers. They can also, in addition or instead,
distribute to their users' browsers the
end-entity certificate(s) for specific hosts.
There are various ways in which
this can be accomplished (details are out of scope for
this specification). Once their root CA cert is installed
in the browsers, they may employ HSTS Policy on their
site(s).
<list style="hanging" hangIndent="7">
<t hangText="Note:">
Interactively distributing root CA certs to users, e.g. via email, and having the users
install them, is arguably training the users to be susceptible to
a possible form of phishing attack, see
<xref target="sctn-sec-cons-bogus-ca"/>
"<xref target="sctn-sec-cons-bogus-ca" format="title"/>".
</t>
</list>
</t>
</list>
</t>
</section> <!-- sctn-hosting-spec-advice -->
<section anchor="sctn-ua-impl-advice" title="UA Implementation Advice">
<t>This section is non-normative.</t>
<t>
In order to provide users and web sites more effective
protection, UA implementors should consider including features
such as:
</t>
<t>
<list style="symbols">
<t>
Failing secure connection establishment on any
warnings or errors, as noted in
<xref target="sctn-err-tls-estab"/>
"<xref target="sctn-err-tls-estab" format="title"/>",
should be done with no user recourse. This means that the
user should not be presented with an explanatory dialog
giving her the option to proceed. Rather, it should be
treated similarly to a server error where there is nothing
further the user can do with respect to interacting with
the target web application, other than wait and re-try.
<vspace blankLines="1"/>
Essentially, "any warnings or errors" means anything that would
cause the UA implementation to annunciate to the user
that something is not entirely correct with the connection
establishment.
<vspace blankLines="1"/>
Not doing this, i.e., allowing user recourse such as "clicking-through warning/error
dialogs", is a recipe for a Man-in-the-Middle attack. If
a web application advertises HSTS, then it is opting into
this scheme, whereby all certificate errors or warnings
cause a connection termination, with no chance to "fool"
the user into making the wrong decision and compromising
themselves.
</t>
<t>
Disallowing "mixed security context"
(also known as "mixed-content") loads (see section 5.3 "Mixed Content" in
<xref target="W3C.WD-wsc-ui-20100309" />).
<list style="hanging" hangIndent="7">
<t hangText="Note:">
In order to provide behavioral uniformity across UA
implementations, the notion of mixed security context aka mixed-content
will require (further) standardization work,
e.g. to more clearly define the term(s) and to define
specific behaviors with respect to it.
</t>
</list>
</t>
</list>
</t>
<t>
In order to provide users effective controls for
managing their UA's caching of HSTS Policy,
UA implementors should consider including features such
as:
<list style="symbols">
<t>
Ability to delete UA's cached HSTS Policy
on a per HSTS Host basis.
<list style="hanging" hangIndent="7">
<t hangText="Note:">
Adding such a feature should be done very carefully in both
the user interface and security senses.
Deleting a cache entry for a Known HSTS Host
should be a very deliberate and well-considered act -- it shouldn't be something
users get used to just "clicking through" in order to get work done.
Also, it shouldn't be possible for an attacker to inject script
into the UA that silently and programmatically removes
entries from the UA's cache of Known HSTS Hosts.
</t>
</list>
</t>
</list>
</t>
<t>
In order to provide users and web sites more complete
protection, UAs could offer advanced
features such as these:
<list style="symbols">
<t>
Ability for users to explicitly declare a given Domain
Name as representing a HSTS Host, thus seeding it as a
Known HSTS Host before any actual interaction with it. This
would help protect against the <xref
target="sctn-sec-cons-boot"/> "<xref
target="sctn-sec-cons-boot" format="title"/>".
<list style="hanging" hangIndent="7">
<t hangText="Note:">
Such a feature is difficult to get right on a per-site
basis -- see the discussion of "rewrite
rules" in section 5.5 of <xref
target="ForceHTTPS" />. For example, arbitrary web
sites may not materialize all their URIs using the
"https" scheme, and thus could
"break" if a UA were to attempt to access
the site exclusively using such URIs. Also note that
this feature would complement, but is independent of
the following described facility.
</t>
</list>
</t>
<t>
Facility whereby web site administrators can have UAs pre-configured
with HSTS Policy for their site(s) by the
UA vendor(s) -- in a manner similar to how root CA certificates
are embedded in browsers "at the factory".
This would help protect against the
<xref target="sctn-sec-cons-boot"/>
"<xref target="sctn-sec-cons-boot" format="title"/>".
<list style="hanging" hangIndent="7">
<t hangText="Note:">
Such a facility complements the preceding described feature.
</t>
</list>
</t>
</list>
</t>
<t>
<!--
<cref anchor="XXX2" source="JeffH">
These latter items beg the question of having some means of secure web site metadata and policy discovery
and acquisition. There is extant work that may be of interest, e.g. the W3C POWDER work, OASIS XRI/XRD work
(as well as XRDS-Simple), and "Link-based Resource Descriptor Discovery" (draft-hammer-discovery).
</cref>
-->
</t>
</section> <!-- ua-impl-advice -->
<section anchor="sctn-svrproc-httpreq-eru"
title="Constructing an Effective Request URI">
<t>
This section specifies how an HSTS Host must
construct the Effective
Request URI for a received HTTP request.
</t>
<t>
HTTP requests often do not carry the absolute-URI (<xref
target="RFC3986"/>, Section 4.3) for the target resource;
instead, the URI needs to be inferred from the Request-URI,
Host header field, and connection context. The result of this
process is called the "effective request URI (ERU)". The
"target resource" is the resource identified by the effective
request URI.
</t>
<t>
The ABNF used in the remainder of this section is defined
in <xref target="RFC2616"/> Section 2.1.
</t>
<section anchor="sctn-svrproc-httpreq-eru-prelim"
title="ERU Fundamental Definitions">
<t>
The first line of an HTTP request message,
Request-Line, is specified by the
following ABNF from <xref target="RFC2616"/>,
section 5.1:
<figure>
<artwork>
Request-Line = Method SP Request-URI SP HTTP-Version CRLF
</artwork>
</figure>
The Request-URI, within the Request-Line, is specified
by the following ABNF from
<xref target="RFC2616"/>, section 5.1.2:
<figure>
<artwork>
Request-URI = "*" | absoluteURI | abs_path | authority
where:
absoluteURI is from RFC2396, and is equivalent to absolute-URI
from [RFC3986]
</artwork>
</figure>
The Host request header field is specified by the following
ABNF from <xref target="RFC2616"/>, section 14.23:
<figure>
<artwork>
Host = "Host" ":" host [ ":" port ]
where:
host = <defined in [RFC3986], Section 3.2.2>
port = <defined in [RFC3986], Section 3.2.3>
</artwork>
</figure>
</t>
</section> <!-- sctn-svrproc-httpreq-eru-prelim -->
<section anchor="sctn-svrproc-httpreq-eru-determine"
title="Determining the Effective Requrest URI">
<t>
If the Request-URI is an absolute-URI, then the effective request URI is
the Request-URI.
</t>
<t>
If the Request-URI uses the abs_path form or the asterisk form,
and the Host header field is present, then the effective request URI is
constructed by concatenating:
</t>
<t>
<list style="symbols">
<t>
the scheme name: "http" if the request was received over an insecure
TCP connection, or "https" when received over a TLS/SSL-secured TCP
connection, and,
</t>
<t>
the octet sequence "://", and,
</t>
<t>
the host, from the Host header field, and
</t>
<t>
the Request-URI obtained from the Request-Line, unless the
Request-URI is just the asterisk "*".
</t>
</list>
</t>
<t>
If the Request-URI uses the abs_path form or the asterisk form,
and the Host header field is not present, then the effective request URI is
undefined.
</t>
<t>
Otherwise, when Request-URI uses the authority form, the effective
request URI is undefined.
</t>
<t>
Effective request URIs are compared using the rules
described in <xref target="RFC2616"/> Section 3.2.3, except
that empty path components MUST NOT be treated as equivalent
to an absolute path of "/".
</t>
<section anchor="sctn-svrproc-httpreq-eru-examples"
title="Effective Requrest URI Examples">
<figure>
<preamble>
Example 1: the effective request URI for the message
</preamble>
<artwork>
GET /pub/WWW/TheProject.html HTTP/1.1
Host: www.example.org:8080
</artwork>
<postamble>
(received over an insecure TCP connection) is "http", plus
"://", plus the authority component
"www.example.org:8080", plus the request-target
"/pub/WWW/TheProject.html", thus is:
"http://www.example.org:8080/pub/WWW/TheProject.html".
</postamble>
</figure>
<figure>
<preamble>
Example 2: the effective request URI for the message
</preamble>
<artwork>
GET * HTTP/1.1
Host: www.example.org
</artwork>
<postamble>
(received over an SSL/TLS secured TCP connection) is
"https", plus "://", plus the authority component
"www.example.org", thus is: "https://www.example.org".
</postamble>
</figure>
</section> <!-- -->
<!--
<t>
<cref anchor="TODO3" source="JeffH">
This is a first SWAG at this section. Fix/add prose as appropriate, fix ABNF as needed per review.
</cref>
</t>
-->
</section> <!-- sctn-svrproc-httpreq-eru-determine -->
</section> <!-- sctn-svrproc-httpreq-eru -->
<section anchor="sctn-sec-cons" title="Security Considerations">
<!-- <t>This section is non-normative.</t> -->
<section anchor="sctn-sec-cons-includeSD"
title="The Need for includeSubDomains">
<t>
Without the includeSubDomains directive, a web application would not be able to
adequately protect so-called "domain cookies" (even if these cookies have their
"Secure" flag set and thus are conveyed only on secure channels).
These are cookies the web application
expects UAs to return to any and all subdomains of the web application.
</t>
<t>
For example, suppose example.com represents the top-level DNS name
for a web application. Further suppose that this cookie is set for
the entire example.com domain, i.e. it is a "domain cookie", and it
has its Secure flag set. Suppose example.com is a Known HSTS Host for
this UA, but the includeSubDomains flag is not set.
</t>
<t>
Now, if an attacker causes the UA to request a subdomain name that is
unlikely to already exist in the web application, such as
"https://uxdhbpahpdsf.example.com/", but the attacker has established
somewhere and registered in the DNS, then:
<list style="numbers">
<t>
The UA is unlikely to already have an HSTS policy established
for "uxdhbpahpdsf.example.com", and,
</t>
<t>
The HTTP request sent to uxdhbpahpdsf.example.com will include the
Secure-flagged domain cookie.
</t>
<t>
If "uxdhbpahpdsf.example.com" returns a certificate during TLS establishment,
and the user clicks through any warning that might be
annunciated (it is possible, but not certain, that one may
obtain a requisite certificate
for such a domain name such that a warning may or may not appear),
then the attacker can obtain the Secure-flagged domain cookie
that's ostensibly being protected.
</t>
</list>
Without the "includeSubDomains" directive, HSTS is unable to
protect such Secure-flagged domain cookies.
</t>
</section> <!-- The Need for includeSubDomains -->
<section title="Denial of Service (DoS)">
<t>
HSTS could be used to mount certain forms of DoS attacks, where
attackers cause UAs to set fake HSTS headers for legitimate sites
available only insecurely (e.g. social network service sites, wikis, etc.).
</t>
</section> <!-- Denial of Service (DoS) -->
<section anchor="sctn-sec-cons-boot" title="Bootstrap MITM Vulnerability">
<t>
The bootstrap MITM (Man-In-The-Middle) vulnerability is a
vulnerability users and HSTS Hosts encounter in the
situation where the user manually enters, or follows a link,
to a HSTS Host using a "http" URI rather than a
"https" URI. Because the UA uses an insecure
channel in the initial attempt to interact with the
specified serve, such an initial interaction is vulnerable
to various attacks <xref target="ForceHTTPS" /> .
</t>
<t>
<list style="hanging" hangIndent="7">
<t hangText="Note:">
There are various features/facilities that UA
implementations may employ in order to mitigate this
vulnerability. Please see <xref
target="sctn-ua-impl-advice"/> <xref target="sctn-ua-impl-advice"
format="title"/>. </t>
</list>
</t>
</section> <!-- sctn-sec-cons-boot -->
<section title="Network Time Attacks">
<t>
Active network attacks can subvert network time protocols
(like NTP) - making this header less effective against
clients that trust NTP and/or lack a real time
clock. Network time attacks are therefore beyond the scope
of the defense. Note that modern operating systems use NTP
by default.
</t>
</section> <!-- Network Time Attacks -->
<section anchor="sctn-sec-cons-bogus-ca"
title="Bogus Root CA Certificate Phish plus DNS Cache Poisoning Attack">
<t>
If an attacker can convince users of, say,
https://bank.example.com (which is protected by HSTS Policy),
to install their own version of a root CA certificate
purporting to be bank.example.com's CA, e.g. via a phishing
email message with a link to such a certificate -- then, if
they can perform an attack on the users' DNS, e.g. via cache
poisoning, and turn on HSTS Policy for their fake
bank.example.com site, then they have themselves some new
users.
</t>
</section> <!-- sctn-sec-cons-bogus-ca -->
</section> <!-- sctn-sec-cons -->
<section anchor="sec-iana-consid" title="IANA Considerations">
<t>
Below is the Internet Assigned Numbers Authority (IANA)
Provisional Message Header Field registration
information per <xref target="RFC3864" />.
</t>
<figure>
<artwork>
Header field name: Strict-Transport-Security
Applicable protocol: HTTP
Status: provisional
Author/Change controller: TBD
Specification document(s): this one
</artwork>
</figure>
</section> <!-- sec-iana-consid -->
</middle>
<back>
<references title="Normative References">
<!-- <xref target="I-D.draft-ietf-httpbis-p1-messaging" /> -->
<!-- &I-D.draft-ietf-httpbis-p1-messaging-15; -->
<!-- <xref target="W3C.WD-html5-20100304" /> -->
&W3C.WD-html5-20100304;
&RFC.1035; <!-- <xref target="RFC1035"/> -->
&RFC.1594; <!-- <xref target="RFC1594"/> -->
&RFC.1983; <!-- <xref target="RFC1983"/> -->
&RFC.2109; <!-- <xref target="RFC2109"/> -->
&RFC.2119; <!-- <xref target="RFC2119"/> -->
&RFC.2560; <!-- <xref target="RFC2560"/> -->
&RFC.2616; <!-- <xref target="RFC2616"/> -->
&RFC.2818; <!-- <xref target="RFC2818"/> -->
&RFC.2965; <!-- <xref target="RFC2965"/> -->
&RFC.3454; <!-- <xref target="RFC3454"/> -->
&RFC.3490; <!-- <xref target="RFC3490"/> -->
&RFC.3492; <!-- <xref target="RFC3492"/> -->
&RFC.3864; <!-- <xref target="RFC3864"/> -->
&RFC.3986; <!-- <xref target="RFC3986"/> -->
&RFC.4346; <!-- <xref target="RFC4346"/> -->
&RFC.4949; <!-- <xref target="RFC4949"/> -->
&RFC.5280; <!-- <xref target="RFC5280"/> -->
<!-- <xref target="Unicode5" /> -->
<reference anchor="Unicode5">
<front>
<title>The Unicode Standard, Version 5.0</title>
<author>
<organization>The Unicode Consortium</organization>
</author>
<date year="2007"/>
</front>
<seriesInfo name="Boston, MA, Addison-Wesley" value="ISBN 0-321-48091-0"/>
</reference>
</references>
<!-- ----------------- Informative References -------------------- -->
<references title="Informative References">
<!-- <xref target="Aircrack-ng"/> -->
<reference anchor="Aircrack-ng"
target="http://www.aircrack-ng.org/">
<front>
<title>
Aircrack-ng
</title>
<author initials="T" surname="d'Otreppe" fullname="">
<organization />
</author>
</front>
<seriesInfo name="Accessed:" value="11-Jul-2010" />
</reference>
<!-- <xref target="BeckTews09"/> -->
<reference anchor="BeckTews09"
target="http://wirelesscenter.dk/Crypt/wifi-security-attacks/Practical%20Attacks%20Against%20WEP%20and%20WPA.pdf">
<front>
<title>
Practical Attacks Against WEP and WPA
</title>
<author initials="M" surname="Beck" fullname="">
<organization />
</author>
<author initials="E" surname="Tews" fullname="">
<organization />
</author>
<date year="2009" />
</front>
<seriesInfo name="Second ACM Conference on Wireless Network Security" value="Zurich, Switzerland" />
</reference>
<!-- <xref target="Firesheep"/> -->
<reference anchor="Firesheep"
target="https://secure.wikimedia.org/wikipedia/en/wiki/Firesheep">
<front>
<title>
Firesheep
</title>
<author surname="Various" fullname="Various">
<organization />
</author>
<date year="on-going" />
</front>
<seriesInfo name="Wikipedia" value="Online" />
</reference>
<!-- <xref target="ForceHTTPS"/> -->
<reference anchor="ForceHTTPS" target="https://crypto.stanford.edu/forcehttps/">
<front>
<title>
ForceHTTPS:
Protecting High-Security Web Sites from Network
Attacks
</title>
<author initials="C" surname="Jackson" fullname="Collin Jackson">
<organization />
</author>
<author initials="A" surname="Barth" fullname="Adam Barth">
<organization />
</author>
<date month="" year="2008" />
</front>
<seriesInfo name="In Proceedings of
the 17th International World Wide Web Conference (WWW2008)" value="" />
</reference>
<!-- <xref target="GoodDhamijaEtAl05" /> -->
<reference anchor="GoodDhamijaEtAl05" target="http://people.ischool.berkeley.edu/~rachna/papers/spyware_study.pdf">
<front>
<title>
Stopping
Spyware at the Gate: A User Study of Privacy, Notice and
Spyware
</title>
<author initials="N" surname="Good" fullname="">
<organization />
</author>
<author initials="R" surname="Dhamija" fullname="">
<organization />
</author>
<author initials="J" surname="Grossklags" fullname="">
<organization />
</author>
<author initials="D" surname="Thaw" fullname="">
<organization />
</author>
<author initials="S" surname="Aronowitz" fullname="">
<organization />
</author>
<author initials="D" surname="Mulligan" fullname="">
<organization />
</author>
<author initials="J" surname="Konstan" fullname="">
<organization />
</author>
<date month="July" year="2005" />
</front>
<seriesInfo name="In Proceedings of
Symposium On Usable Privacy and Security (SOUPS)" value="Pittsburgh, PA, USA" />
</reference>
<!-- <xref target="JacksonBarth2008" /> -->
<reference anchor="JacksonBarth2008" target="http://www.adambarth.com/papers/2008/jackson-barth-b.pdf">
<front>
<title>
Beware of Finer-Grained Origins
</title>
<author initials="C" surname="Jackson" fullname="Collin Jackson">
<organization />
</author>
<author initials="A" surname="Barth" fullname="Adam Barth">
<organization />
</author>
<date year="2008" />
</front>
<seriesInfo name="Web 2.0 Security and Privacy" value="Oakland, CA, USA" />
</reference>
<!-- <xref target="RFC0793" /> -->
&RFC.793;
<!-- <xref target="RFC2396" /> -->
&RFC.2396;
<!-- <xref target="I-D.ietf-tls-ssl-version3" /> -->
<reference anchor="I-D.ietf-tls-ssl-version3" target="http://tools.ietf.org/html/draft-ietf-tls-ssl-version3-00">
<front>
<title>
The SSL Protocol Version 3.0
</title>
<author initials="A" surname="Freier" fullname="">
<organization />
</author>
<author initials="P" surname="Karlton" fullname="">
<organization />
</author>
<author initials="P" surname="Kocher" fullname="">
<organization />
</author>
<date month="November" year="1996" />
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-tls-ssl-version3" />
</reference>
<!-- <xref target="MathewsHunt08" /> --> <!-- commented out
<reference anchor="MathewsHunt08"
target="http://www.cosc.canterbury.ac.nz/moffat.mathews/papers/moffatmathews-evolution-of-wireless-security.pdf">
<front>
<title>
EVOLUTION OF WIRELESS LAN SECURITY ARCHITECTURE TO IEEE
802.11i (WPA2)
</title>
<author initials="M" surname="Mathews" fullname="">
<organization />
</author>
<author initials="R" surname="Hunt" fullname="">
<organization />
</author>
</author>
<date year="2007" />
</front>
<seriesInfo name="IASTED Communication Systems and Networks" value="Phuket, Thailand" />
</reference>
-->
<!-- <xref target="SunshineEgelmanEtAl09" /> -->
<reference anchor="SunshineEgelmanEtAl09" target="http://www.usenix.org/events/sec09/tech/full_papers/sunshine.pdf">
<front>
<title>
Crying Wolf: An Empirical Study of SSL Warning Effectiveness
</title>
<author initials="J" surname="Sunshine" fullname="">
<organization />
</author>
<author initials="S" surname="Egelman" fullname="">
<organization />
</author>
<author initials="H" surname="Almuhimedi" fullname="">
<organization />
</author>
<author initials="N" surname="Atri" fullname="">
<organization />
</author>
<author initials="L" surname="Cranor" fullname="">
<organization />
</author>
<date month="Augus" year="2009" />
</front>
<seriesInfo name="In Proceedings of
18th USENIX Security Symposium" value="Montreal, Canada" />
</reference>
<!-- <xref target="owaspTLSGuide"/> -->
<reference anchor="owaspTLSGuide"
target="http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet">
<front>
<title>
Transport Layer Protection Cheat Sheet
</title>
<author initials="M" surname="Coates" fullname="">
<organization />
</author>
<author initials="d" surname="Wichers" fullname="">
<organization />
</author>
<author initials="M" surname="Boberski" fullname="">
<organization />
</author>
<author initials="T" surname="Reguly" fullname="">
<organization />
</author>
</front>
<seriesInfo name="Accessed:" value="11-Jul-2010" />
</reference>
<!-- <xref target="W3C.WD-wsc-ui-20100309"/> -->
&W3C.WD-wsc-ui-20100309;
<!-- <xref target="WEBSEC"/> -->
<reference anchor="WEBSEC" target="https://www.ietf.org/mailman/listinfo/websec">
<front>
<title>WebSec -- HTTP Application Security Minus Authentication and Transport</title>
<author/>
</front>
</reference>
</references>
<section anchor="design-decision-faq" title="Design Decision Notes">
<!-- <t>This appendix is non-normative.</t> -->
<t>This appendix documents various design decisions.</t>
<t>
<list style="numbers">
<t>
Cookies aren't appropriate for HSTS Policy
expression as they are potentially
mutable (while stored in the UA),
therefore an HTTP header field is employed.
</t>
<t>
We chose to not attempt to
specify how "mixed security context loads"
(aka "mixed-content loads") are
handled due to UA
implementation considerations as well as
classification difficulties.
</t>
<t>
A HSTS Host may update UA notions
of HSTS Policy via new HSTS header field
values. We chose to have UAs honor the
"freshest" information received from a server
because there is the chance of a web site sending out an
errornous HSTS Policy, such as a multi-year
max-age value, and/or an incorrect
includeSubDomains flag. If the
HSTS Host couldn't correct such errors over
protocol, it would require some form of annunciation to
users and manual intervention on their part, which could be
a non-trivial problem.
</t>
<t>
HSTS Hosts are identified only via Domain Names --
explicit IP address identification of all forms is excluded. This is for
simplification and also is in recognition of various issues with using
direct IP address identification in concert with PKI-based security.
</t>
</list>
</t>
</section> <!-- design-decision-faq -->
<section anchor="acknowledgments" title="Acknowledgments">
<!-- <t>This appendix is non-normative.</t> -->
<t>
The authors thank
Devdatta Akhawe,
Michael Barrett,
Paul Hoffman,
Yoav Nir,
Tom Ritter,
Sid Stamm,
Maciej Stachowiak,
Andy Steingrubl,
Brandon Sterne,
Martin Thomson,
Daniel Veditz,
and all the other websec working group participants
for
their review and contributions.
</t>
<t>
Thanks to Julian Reschke for his elegant re-writing of the
effective request URI text, which he did when incorporating
the ERU notion into the HTTPbis work. Subsequently, the ERU
text in this spec was lifted from Julian's work in
[I-D.draft-ietf-httpbis-p1-messaging-15] and adapted to the
<xref target="RFC2616"/> ABNF.
</t>
<!--
<t>Special thanks to ...</t>
-->
</section> <!-- acknowledgments -->
<section anchor="sctn-chg-log" title="Change Log">
<t>
[RFCEditor: please remove this section upon publication as an RFC.]
</t>
<t>
Changes are grouped by spec revision listed in reverse issuance order.
</t>
<section title="For draft-ietf-websec-strict-transport-sec">
<t>
<list>
<t>
Changes from -01 to -02:
<list style="numbers">
<t>
Updated <xref target="sctn-uri-load-port-map"/>
"<xref target="sctn-uri-load-port-map" format="title"/>"
fairly thoroughly in terms of refining the presentation of the steps,
and to ensure the various aspects of port mapping are clear.
Nominally fixes issue ticket #1
<eref target="http://trac.tools.ietf.org/wg/websec/trac/ticket/1"/>
</t>
<t>
Removed dependencies on
[I-D.draft-ietf-httpbis-p1-messaging-15]. Thus
updated STS ABNF in <xref
target="sctn-syntax-grammar"/> "<xref
target="sctn-syntax-grammar" format="title"/>"
by lifting some productions entirely from
[I-D.draft-ietf-httpbis-p1-messaging-15] and
leveraging <xref target="RFC2616"/>. Addresses
issue ticket #2
<eref target="http://trac.tools.ietf.org/wg/websec/trac/ticket/2"/>.
</t>
<t>
Updated Effective Request URI section and definition
to use language from
[I-D.draft-ietf-httpbis-p1-messaging-15] and ABNF
from <xref target="RFC2616"/>. Fixes issue ticket
#3
<eref target="http://trac.tools.ietf.org/wg/websec/trac/ticket/3"/>.
</t>
<t>
Added explicit mention that the HSTS policy applies to all TCP
ports of a host advertising the HSTS policy.
Nominally fixes issue ticket #4
<eref target="http://trac.tools.ietf.org/wg/websec/trac/ticket/4"/>
</t>
<t>
Clarified the need for the "includeSubDomains"
directive, e.g. to protect Secure-flagged domain
cookies. In <xref
target="sctn-sec-cons-includeSD"/> "<xref
target="sctn-sec-cons-includeSD" format="title"/>".
Nominally fixes issue ticket #5 <eref
target="http://trac.tools.ietf.org/wg/websec/trac/ticket/5"/>
</t>
<t>
Cited Firesheep as real-live threat
in <xref target="sctn-psv-net-atkr"/>
"<xref target="sctn-psv-net-atkr" format="title"/>".
Nominally fixes issue ticket #6
<eref target="http://trac.tools.ietf.org/wg/websec/trac/ticket/6"/>.
</t>
<t>
Added text to
<xref
target="sctn-ua-impl-advice"/> "<xref
target="sctn-ua-impl-advice" format="title"/>"
justifying connection termination due to tls warnings/errors.
Nominally fixes issue ticket #7
<eref target="http://trac.tools.ietf.org/wg/websec/trac/ticket/7"/>.
</t>
<t>
Added new subsection
<xref target="sctn-missing-hsts-header"/>
"<xref target="sctn-missing-hsts-header" format="title"/>".
Nominally fixes issue ticket #8
<eref target="http://trac.tools.ietf.org/wg/websec/trac/ticket/8"/>.
</t>
<t>
Added text to
<xref target="sctn-err-tls-estab"/>
"<xref target="sctn-err-tls-estab" format="title"/>"
explicitly note revocation check failures as errors causing connection termination.
Added references to <xref target="RFC5280"/> and <xref target="RFC2560"/>.
Nominally fixes issue ticket #9
<eref target="http://trac.tools.ietf.org/wg/websec/trac/ticket/9"/>.
</t>
<t>
Added a sentence, noting that distributing specific
end-entity certs to browsers will also work for self-signed/private-CA
cases, to
<xref target="sctn-hosting-spec-advice"/>
"<xref target="sctn-hosting-spec-advice" format="title"/>"
Nominally fixes issue ticket #10
<eref target="http://trac.tools.ietf.org/wg/websec/trac/ticket/10"/>.
</t>
<t>
Moved "with no user recourse" language from
<xref target="sctn-err-tls-estab"/>
"<xref target="sctn-err-tls-estab" format="title"/>" to
<xref target="sctn-ua-impl-advice"/>
"<xref target="sctn-ua-impl-advice" format="title"/>".
This nominally fixes issue ticket #11
<eref target="http://trac.tools.ietf.org/wg/websec/trac/ticket/11"/>.
</t>
<t>
Removed any and all dependencies on [I-D.draft-ietf-httpbis-p1-messaging-15], instead
depending on <xref target="RFC2616"/> only.
Fixes issue ticket #12
<eref target="http://trac.tools.ietf.org/wg/websec/trac/ticket/12"/>.
</t>
<t>
Removed the inline "XXX1" issue because no one had commented on it and it seems reasonable
to suggest as a SHOULD that web apps should redirect incoming insecure connections to
secure connections.
</t>
<t>
Removed the inline "XXX2" issue because it was simply for raising consciousness about
having some means for distributing secure web application metadata.
</t>
<t>
Removed "TODO1" because description prose for "max-age" in the
Note following the ABNF in <xref target="sctn-syntax"/>
seems to be fine.
</t>
<t>
Decided for "TODO2" that "the first STS header field wins". TODO2 had read:
"Decide UA behavior in face of encountering multiple HSTS headers in a message.
Use first header? Last?". Removed TODO2.
</t>
<t>
Added
<xref target="intro-organization"/>
"<xref target="intro-organization" format="title"/>"
for readers' convenience.
</t>
<t>
Moved design decision notes to be a proper appendix <xref target="design-decision-faq"/>.
</t>
</list>
</t>
<t>
Changes from -00 to -01:
<list style="numbers">
<t>
Changed the "URI Loading" section to be "URI Loading and Port Mapping".
</t>
<t>
[HASMAT] reference changed to <xref target="WEBSEC"/>.
</t>
<t>
Changed "server" -> "host" where applicable, notably when
discussing "HSTS Hosts". Left as "server" when discussing
e.g. "http server"s.
</t>
<t>
Fixed minor editorial nits.
</t>
</list>
</t>
<t>
Changes from draft-hodges-strict-transport-sec-02 to draft-ietf-websec-strict-transport-sec-00:
<list style="numbers">
<t>
Altered spec metadata (e.g. filename, date)
in order to submit as a WebSec working group Internet-Draft.
</t>
</list>
</t>
</list>
</t>
</section>
<section title="For draft-hodges-strict-transport-sec">
<t>
<list>
<t>
Changes from -01 to -02:
<list style="numbers">
<t>
updated abstract such that means for expressing HSTS
Policy other than via HSTS header field is noted.
</t>
<t>
Changed spec title to "HTTP Strict Transport
Security (HSTS)" from "Strict Transport Security".
Updated use of "STS" acronym throughout spec to HSTS
(except for when specifically discussing syntax of
Strict-Transport-Security HTTP Response Header
field), updated "Terminology"
appropriately.
</t>
<t>
Updated the discussion of "Passive Network
Attackers" to be more precise and offered
references.
</t>
<t>
Removed para on nomative/non-normative from
"Conformance Criteria" pending polishing
said section to IETF RFC norms.
</t>
<t>
Added examples subsection to "Syntax"
section.
</t>
<t>
Added OWS to maxAge production in
Strict-Transport-Security ABNF.
</t>
<t>
Cleaned up explanation in the "Note:" in
the "HTTP-over-Secure-Transport Request
Type" section, folded 3d para into
"Note:", added conformance clauses to the
latter.
</t>
<t>
Added exaplanatory "Note:" and reference
to "HTTP Request Type" section. Added
"XXX1" issue.
</t>
<t>
Added conformance clause to "URI Loading".
</t>
<t>
Moved "Notes for STS Server implementors:"
from "UA Implementation dvice " to
"HSTS Policy expiration time
considerations:" in "Server Implementation
Advice", and also noted another option.
</t>
<t>
Added cautionary "Note:" to "Ability
to delete UA's cached HSTS Policy on a per HSTS
Server basis".
</t>
<t>
Added some informative references.
</t>
<t>
Various minor editorial fixes.
</t>
</list>
</t>
<t>
Changes from -00 to -01:
<list style="numbers">
<t>
Added reference to HASMAT mailing list and request
that this spec be discussed there.
</t>
</list>
</t>
</list>
</t>
</section>
</section> <!-- Change Log -->
</back>
</rfc>
<!-- PLEASE DO NOT DELETE!!! The below is used by XEmacs XML major-mode -->
<!--
Local Variables:
mode: xml
indent-tabs-mode:nil
sgml-omittag:t
sgml-shorttag:t
sgml-namecase-general:t
sgml-general-insert-case:lower
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:2
sgml-indent-data:t
sgml-parent-document:nil
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
-->
<!-- PLEASE DO NOT DELETE!!! The above is used by XEmacs XML major-mode -->
| PAFTECH AB 2003-2026 | 2026-04-22 22:47:58 |