Opened 11 years ago

Closed 10 years ago

#5 closed defect (fixed)

Clarify need for IncludeSubDomains

Reported by: jeff.hodges@…
Owned by: =JeffH
Priority: major
Milestone:
Component: strict-transport-sec
Version:
Severity: -
Keywords:
Cc:

Description

Yes, this is an unfortunate consequence of the way cookies work.
Suppose you wanted to protect the confidentiality of a Secure cookie
(i.e., a cookie with the Secure flag set), which, actually, is the
primary use case for the header. Further suppose that this cookie is
a domain cookie (e.g., set for the entire example.com domain). Now,
if the attacker causes the browser to request
https://aiodsfnuiasnis.example.com/, then:

1) We're unlikely to have the HSTS policy bit for aiodsfnuiasnis.example.com.
2) The request for https://aiodsfnuiasnis.example.com will include the
Secure cookie.

If the attacker then substitutes his certificate, the user will be
able to click through the certificate error, which lets the attacker
obtain the cookie we're trying to protect.

If we remove the "includeSubDomains" directive, that means sites can't
use HSTS to protect domain cookies.
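The two browser rules the quoted message leans on (HSTS host matching per RFC 6797 section 8.3, and cookie domain matching per RFC 6265 section 5.1.3) are modelled below as an added illustration. This is example code written for this page, not code from the ticket, the mailing-list thread, or any browser; the host name aiodsfnuiasnis.example.com comes from the message, while the policy store shape, the function names and the sample cookie domain ".example.com" are assumptions made for the example.

```javascript
// Added example (not from the ticket or the HSTS spec): a minimal model of the two
// browser decisions the quoted message relies on. The store format and the sample
// cookie domain are constructed for illustration.

// RFC 6797 section 8.3: a request host matches a known HSTS host either exactly
// (congruent match) or as a subdomain (superdomain match); the superdomain match
// applies only when the known host was recorded with includeSubDomains.
function hstsCovers(store, host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  for (const entry of store) {
    const known = entry.host.toLowerCase();
    if (h === known) return true;
    if (entry.includeSubDomains && h.endsWith("." + known)) return true;
  }
  return false;
}

// RFC 6265 section 5.1.3 domain matching: a domain cookie set for example.com is
// attached to example.com and to every host below it, regardless of HSTS state.
function cookieDomainMatches(cookieDomain, host) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// What happens for an https:// request to `host` when the server presents an
// untrusted certificate, given an HSTS store and a Secure domain cookie.
function requestOutcome(store, cookieDomain, host) {
  const strict = hstsCovers(store, host);
  return {
    host,
    hstsCovered: strict,
    // A Secure cookie rides on any https:// request whose host domain-matches it;
    // HSTS does not influence whether the cookie is attached.
    secureCookieSent: cookieDomainMatches(cookieDomain, host),
    // Under HSTS a certificate error is a hard failure (RFC 6797 section 8.4);
    // without HSTS the browser can offer a click-through, after which the TLS
    // session, cookie included, terminates at the attacker's server.
    certErrorClickable: !strict,
  };
}

// Constructed policies: the same site recorded with and without includeSubDomains.
const withoutISD = [{ host: "example.com", includeSubDomains: false }];
const withISD = [{ host: "example.com", includeSubDomains: true }];

// The host from the quoted message.
const victimHost = "aiodsfnuiasnis.example.com";

console.log(requestOutcome(withoutISD, ".example.com", victimHost));
// hstsCovered: false, secureCookieSent: true, certErrorClickable: true  (exposed)
console.log(requestOutcome(withISD, ".example.com", victimHost));
// hstsCovered: true, secureCookieSent: true, certErrorClickable: false (protected)
```

Note that `secureCookieSent` is true in both runs: the cookie rules never change. The only lever the site has is `hstsCovered`, and for a host it never served directly that lever exists only through includeSubDomains.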

Change History (2)

comment:1 Changed 11 years ago by jeff.hodges@…

The above is quoted from this message:

Re: [HASMAT] strict transport security
http://www.ietf.org/mail-archive/web/hasmat/current/msg00071.html

comment:2 Changed 10 years ago by jeff.hodges@…

  • Resolution set to fixed
  • Status changed from new to closed