tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Glossaries     Architecture     IMS     UICC    |    search     info

RFC 6797

 
 
 

HTTP Strict Transport Security (HSTS)

Part 3 of 3, p. 30 to 46
Prev RFC Part

 


prevText      Top      Up      ToC       Page 30 
12.  User Agent Implementation Advice

   This section is non-normative.

   In order to provide users and web sites more effective protection, as
   well as controls for managing their UA's caching of HSTS Policy, UA
   implementers should consider including features such as the
   following:

12.1.  No User Recourse

   Failing secure connection establishment on any warnings or errors
   (per Section 8.4 ("Errors in Secure Transport Establishment")) should
   be done with "no user recourse".  This means that the user should not
   be presented with a dialog giving her the option to proceed.  Rather,
   it should be treated similarly to a server error where there is
   nothing further the user can do with respect to interacting with the
   target web application, other than wait and retry.

   Essentially, "any warnings or errors" means anything that would cause
   the UA implementation to announce to the user that something is not
   entirely correct with the connection establishment.

   Not doing this, i.e., allowing user recourse such as "clicking
   through warning/error dialogs", is a recipe for a man-in-the-middle
   attack.  If a web application issues an HSTS Policy, then it is
   implicitly opting into the "no user recourse" approach, whereby all
   certificate errors or warnings cause a connection termination, with
   no chance to "fool" users into making the wrong decision and
   compromising themselves.

12.2.  User-Declared HSTS Policy

   A user-declared HSTS Policy is the ability for users to explicitly
   declare a given domain name as representing an HSTS Host, thus
   seeding it as a Known HSTS Host before any actual interaction with
   it.  This would help protect against the bootstrap MITM vulnerability
   as discussed in Section 14.6 ("Bootstrap MITM Vulnerability").

Top      Up      ToC       Page 31 
   NOTE:  Such a feature is difficult to get right on a per-site basis.
          See the discussion of "rewrite rules" in Section 5.5 of
          [ForceHTTPS].  For example, arbitrary web sites may not
          materialize all their URIs using the "https" scheme and thus
          could "break" if a UA were to attempt to access the site
          exclusively using such URIs.  Also note that this feature
          would complement, but is independent of, an "HSTS pre-loaded
          list" feature (see Section 12.3).

12.3.  HSTS Pre-Loaded List

   An HSTS pre-loaded list is a facility whereby web site administrators
   can have UAs pre-configured with HSTS Policy for their site(s) by the
   UA vendor(s) -- a so-called "pre-loaded list" -- in a manner similar
   to how root CA certificates are embedded in browsers "at the
   factory".  This would help protect against the bootstrap MITM
   vulnerability (Section 14.6).

   NOTE:  Such a facility would complement a "user-declared HSTS Policy"
          feature (Section 12.2).

12.4.  Disallow Mixed Security Context Loads

   "Mixed security context" loads happen when a web application
   resource, fetched by the UA over a secure transport, subsequently
   causes the fetching of one or more other resources without using
   secure transport.  This is also generally referred to as "mixed
   content" loads (see Section 5.3 ("Mixed Content") in
   [W3C.REC-wsc-ui-20100812]) but should not be confused with the same
   "mixed content" term that is also used in the context of markup
   languages such as XML and HTML.

   NOTE:  In order to provide behavioral uniformity across UA
          implementations, the notion of mixed security context will
          require further standardization work, e.g., to define the
          term(s) more clearly and to define specific behaviors with
          respect to it.

12.5.  HSTS Policy Deletion

   HSTS Policy deletion is the ability to delete a UA's cached HSTS
   Policy on a per-HSTS Host basis.

   NOTE:  Adding such a feature should be done very carefully in both
          the user interface and security senses.  Deleting a cache
          entry for a Known HSTS Host should be a very deliberate and
          well-considered act -- it shouldn't be something that users
          get used to doing as a matter of course: e.g., just "clicking

Top      Up      ToC       Page 32 
          through" in order to get work done.  Also, implementations
          need to guard against allowing an attacker to inject code,
          e.g., ECMAscript, into the UA that silently and
          programmatically removes entries from the UA's cache of Known
          HSTS Hosts.

13.  Internationalized Domain Names for Applications (IDNA): Dependency
     and Migration

   Textual domain names on the modern Internet may contain one or more
   "internationalized" domain name labels.  Such domain names are
   referred to as "internationalized domain names" (IDNs).  The
   specification suites defining IDNs and the protocols for their use
   are named "Internationalized Domain Names for Applications (IDNA)".
   At this time, there are two such specification suites: IDNA2008
   [RFC5890] and its predecessor IDNA2003 [RFC3490].

   IDNA2008 obsoletes IDNA2003, but there are differences between the
   two specifications, and thus there can be differences in processing
   (e.g., converting) domain name labels that have been registered under
   one from those registered under the other.  There will be a
   transition period of some time during which IDNA2003-based domain
   name labels will exist in the wild.  In order to facilitate their
   IDNA transition, user agents SHOULD implement IDNA2008 [RFC5890] and
   MAY implement [RFC5895] (see also Section 7 of [RFC5894]) or [UTS46].
   If a user agent does not implement IDNA2008, the user agent MUST
   implement IDNA2003.

14.  Security Considerations

   This specification concerns the expression, conveyance, and
   enforcement of the HSTS Policy.  The overall HSTS Policy threat
   model, including addressed and unaddressed threats, is given in
   Section 2.3 ("Threat Model").

   Additionally, the sections below discuss operational ramifications of
   the HSTS Policy, provide feature rationale, discuss potential HSTS
   Policy misuse, and highlight some known vulnerabilities in the HSTS
   Policy regime.

14.1.  Underlying Secure Transport Considerations

   This specification is fashioned to be independent of the secure
   transport underlying HTTP.  However, the threat analysis and
   requirements in Section 2 ("Overview") in fact presume TLS or SSL as
   the underlying secure transport.  Thus, employment of HSTS in the
   context of HTTP running over some other secure transport protocol
   would require assessment of that secure transport protocol's security

Top      Up      ToC       Page 33 
   model in conjunction with the specifics of how HTTP is layered over
   it in order to assess HSTS's subsequent security properties in that
   context.

14.2.  Non-Conformant User Agent Implications

   Non-conformant user agents ignore the Strict-Transport-Security
   header field; thus, non-conformant user agents do not address the
   threats described in Section 2.3.1 ("Threats Addressed").

   This means that the web application and its users wielding
   non-conformant UAs will be vulnerable to both of the following:

   o  Passive network attacks due to web site development and deployment
      bugs:

         For example, if the web application contains any insecure
         references (e.g., "http") to the web application server, and if
         not all of its cookies are flagged as "Secure", then its
         cookies will be vulnerable to passive network sniffing and,
         potentially, subsequent misuse of user credentials.

   o  Active network attacks:

         For example, if an attacker is able to place a "man in the
         middle", secure transport connection attempts will likely yield
         warnings to the user, but without HSTS Policy being enforced,
         the present common practice is to allow the user to "click
         through" and proceed.  This renders the user and possibly the
         web application open to abuse by such an attacker.

   This is essentially the status quo for all web applications and their
   users in the absence of HSTS Policy.  Since web application providers
   typically do not control the type or version of UAs their web
   applications interact with, the implication is that HSTS Host
   deployers must generally exercise the same level of care to avoid web
   site development and deployment bugs (see Section 2.3.1.3) as they
   would if they were not asserting HSTS Policy.

14.3.  Ramifications of HSTS Policy Establishment Only over Error-Free
       Secure Transport

   The user agent processing model defined in Section 8 ("User Agent
   Processing Model") stipulates that a host is initially noted as a
   Known HSTS Host, or that updates are made to a Known HSTS Host's
   cached information, only if the UA receives the STS header field over
   a secure transport connection having no underlying secure transport
   errors or warnings.

Top      Up      ToC       Page 34 
   The rationale behind this is that if there is a "man in the middle"
   (MITM) -- whether a legitimately deployed proxy or an illegitimate
   entity -- it could cause various mischief (see also Appendix A
   ("Design Decision Notes") item 3, as well as Section 14.6 ("Bootstrap
   MITM Vulnerability")); for example:

   o  Unauthorized notation of the host as a Known HSTS Host,
      potentially leading to a denial-of-service situation if the host
      does not uniformly offer its services over secure transport (see
      also Section 14.5 ("Denial of Service")).

   o  Resetting the time to live for the host's designation as a Known
      HSTS Host by manipulating the max-age header field parameter value
      that is returned to the UA.  If max-age is returned as zero, this
      will cause the host to cease being regarded as a Known HSTS Host
      by the UA, leading to either insecure connections to the host or
      possibly denial of service if the host delivers its services only
      over secure transport.

   However, this means that if a UA is "behind" a MITM non-transparent
   TLS proxy -- within a corporate intranet, for example -- and
   interacts with an unknown HSTS Host beyond the proxy, the user could
   possibly be presented with the legacy secure connection error
   dialogs.  Even if the risk is accepted and the user "clicks through",
   the host will not be noted as an HSTS Host.  Thus, as long as the UA
   is behind such a proxy, the user will be vulnerable and will possibly
   be presented with the legacy secure connection error dialogs for
   as-yet unknown HSTS Hosts.

   Once the UA successfully connects to an unknown HSTS Host over error-
   free secure transport, the host will be noted as a Known HSTS Host.
   This will result in the failure of subsequent connection attempts
   from behind interfering proxies.

   The above discussion relates to the recommendation in Section 12
   ("User Agent Implementation Advice") that the secure connection be
   terminated with "no user recourse" whenever there are warnings and
   errors and the host is a Known HSTS Host.  Such a posture protects
   users from "clicking through" security warnings and putting
   themselves at risk.

14.4.  The Need for includeSubDomains

   Without the includeSubDomains directive, a web application would not
   be able to adequately protect so-called "domain cookies" (even if
   these cookies have their "Secure" flag set and thus are conveyed only
   on secure channels).  These are cookies the web application expects
   UAs to return to any and all subdomains of the web application.

Top      Up      ToC       Page 35 
   For example, suppose example.com represents the top-level DNS name
   for a web application.  Further suppose that this cookie is set for
   the entire example.com domain, i.e., it is a "domain cookie", and it
   has its Secure flag set.  Suppose example.com is a Known HSTS Host
   for this UA, but the includeSubDomains directive is not set.

   Now, if an attacker causes the UA to request a subdomain name that is
   unlikely to already exist in the web application, such as
   "https://uxdhbpahpdsf.example.com/", but that the attacker has
   managed to register in the DNS and point at an HTTP server under the
   attacker's control, then:

   1.  The UA is unlikely to already have an HSTS Policy established for
       "uxdhbpahpdsf.example.com".

   2.  The HTTP request sent to uxdhbpahpdsf.example.com will include
       the Secure-flagged domain cookie.

   3.  If "uxdhbpahpdsf.example.com" returns a certificate during TLS
       establishment, and the user "clicks through" any warning that
       might be presented (it is possible, but not certain, that one may
       obtain a requisite certificate for such a domain name such that a
       warning may or may not appear), then the attacker can obtain the
       Secure-flagged domain cookie that's ostensibly being protected.

   Without the "includeSubDomains" directive, HSTS is unable to protect
   such Secure-flagged domain cookies.

14.5.  Denial of Service

   HSTS could be used to mount certain forms of Denial-of-Service (DoS)
   attacks against web sites.  A DoS attack is an attack in which one or
   more network entities target a victim entity and attempt to prevent
   the victim from doing useful work.  This section discusses such
   scenarios in terms of HSTS, though this list is not exhaustive.  See
   also [RFC4732] for a discussion of overall Internet DoS
   considerations.

   o  Web applications available over HTTP

      There is an opportunity for perpetrating DoS attacks with web
      applications (or critical portions of them) that are available
      only over HTTP without secure transport, if attackers can cause
      UAs to set HSTS Policy for such web applications' host(s).

      This is because once the HSTS Policy is set for a web
      application's host in a UA, the UA will only use secure transport
      to communicate with the host.  If the host is not using secure

Top      Up      ToC       Page 36 
      transport or is not using it for critical portions of its web
      application, then the web application will be rendered unusable
      for the UA's user.

      NOTE:  This is a use case for UAs to offer an "HSTS Policy
             deletion" feature as noted in Section 12.5 ("HSTS Policy
             Deletion").

      An HSTS Policy can be set for a victim host in various ways:

      *  If the web application has an HTTP response splitting
         vulnerability [CWE-113] (which can be abused in order to
         facilitate "HTTP header injection").

      *  If an attacker can spoof a redirect from an insecure victim
         site, e.g., <http://example.com/> to <https://example.com/>,
         where the latter is attacker-controlled and has an apparently
         valid certificate.  In this situation, the attacker can then
         set an HSTS Policy for example.com and also for all subdomains
         of example.com.

      *  If an attacker can convince users to manually configure HSTS
         Policy for a victim host.  This assumes that their UAs offer
         such a capability (see Section 12 ("User Agent Implementation
         Advice")).  Alternatively, if such UA configuration is
         scriptable, then an attacker can cause UAs to execute his
         script and set HSTS Policies for whichever desired domains.

   o  Inadvertent use of includeSubDomains

      The includeSubDomains directive instructs UAs to automatically
      regard all subdomains of the given HSTS Host as Known HSTS Hosts.
      If any such subdomains do not support properly configured secure
      transport, then they will be rendered unreachable from such UAs.

14.6.  Bootstrap MITM Vulnerability

   Bootstrap MITM (man-in-the-middle) vulnerability is a vulnerability
   that users and HSTS Hosts encounter in the situation where the user
   manually enters, or follows a link, to an unknown HSTS Host using an
   "http" URI rather than an "https" URI.  Because the UA uses an
   insecure channel in the initial attempt to interact with the
   specified server, such an initial interaction is vulnerable to
   various attacks (see Section 5.3 of [ForceHTTPS]).

   NOTE:  There are various features/facilities that UA implementations
          may employ in order to mitigate this vulnerability.  Please
          see Section 12 ("User Agent Implementation Advice").

Top      Up      ToC       Page 37 
14.7.  Network Time Attacks

   Active network attacks can subvert network time protocols (such as
   the Network Time Protocol (NTP) [RFC5905]) -- making HSTS less
   effective against clients that trust NTP or lack a real time clock.
   Network time attacks are beyond the scope of this specification.
   Note that modern operating systems use NTP by default.  See also
   Section 2.10 of [RFC4732].

14.8.  Bogus Root CA Certificate Phish plus DNS Cache Poisoning Attack

   An attacker could conceivably obtain users' login credentials
   belonging to a victim HSTS-protected web application via a bogus root
   CA certificate phish plus DNS cache poisoning attack.

   For example, the attacker could first convince users of a victim web
   application (which is protected by HSTS Policy) to install the
   attacker's version of a root CA certificate purporting (falsely) to
   represent the CA of the victim web application.  This might be
   accomplished by sending the users a phishing email message with a
   link to such a certificate, which their browsers may offer to install
   if clicked on.

   Then, if the attacker can perform an attack on the users' DNS
   servers, (e.g., via cache poisoning) and turn on HSTS Policy for
   their fake web application, the affected users' browsers would access
   the attacker's web application rather than the legitimate web
   application.

   This type of attack leverages vectors that are outside of the scope
   of HSTS.  However, the feasibility of such threats can be mitigated
   by including in a web application's overall deployment approach
   appropriate employment, in addition to HSTS, of security facilities
   such as DNS Security Extensions [RFC4033], plus techniques to block
   email phishing and fake certificate injection.

14.9.  Creative Manipulation of HSTS Policy Store

   Since an HSTS Host may select its own host name and subdomains
   thereof, and this information is cached in the HSTS Policy store of
   conforming UAs, it is possible for those who control one or more HSTS
   Hosts to encode information into domain names they control and cause
   such UAs to cache this information as a matter of course in the
   process of noting the HSTS Host.  This information can be retrieved
   by other hosts through cleverly constructed and loaded web resources,
   causing the UA to send queries to (variations of) the encoded domain
   names.  Such queries can reveal whether the UA had previously visited
   the original HSTS Host (and subdomains).

Top      Up      ToC       Page 38 
   Such a technique could potentially be abused as yet another form of
   "web tracking" [WebTracking].

14.10.  Internationalized Domain Names

   Internet security relies in part on the DNS and the domain names it
   hosts.  Domain names are used by users to identify and connect to
   Internet hosts and other network resources.  For example, Internet
   security is compromised if a user entering an internationalized
   domain name (IDN) is connected to different hosts based on different
   interpretations of the IDN.

   The processing models specified in this specification assume that the
   domain names they manipulate are IDNA-canonicalized, and that the
   canonicalization process correctly performed all appropriate IDNA and
   Unicode validations and character list testing per the requisite
   specifications (e.g., as noted in Section 10 ("Domain Name IDNA-
   Canonicalization")).  These steps are necessary in order to avoid
   various potentially compromising situations.

   In brief, examples of issues that could stem from lack of careful and
   consistent Unicode and IDNA validations include unexpected processing
   exceptions, truncation errors, and buffer overflows, as well as
   false-positive and/or false-negative domain name matching results.
   Any of the foregoing issues could possibly be leveraged by attackers
   in various ways.

   Additionally, IDNA2008 [RFC5890] differs from IDNA2003 [RFC3490] in
   terms of disallowed characters and character mapping conventions.
   This situation can also lead to false-positive and/or false-negative
   domain name matching results, resulting in, for example, users
   possibly communicating with unintended hosts or not being able to
   reach intended hosts.

   For details, refer to the Security Considerations sections of
   [RFC5890], [RFC5891], and [RFC3490], as well as the specifications
   they normatively reference.  Additionally, [RFC5894] provides
   detailed background and rationale for IDNA2008 in particular, as well
   as IDNA and its issues in general, and should be consulted in
   conjunction with the former specifications.

Top      Up      ToC       Page 39 
15.  IANA Considerations

   Below is the Internet Assigned Numbers Authority (IANA) Permanent
   Message Header Field registration information per [RFC3864].

     Header field name:           Strict-Transport-Security
     Applicable protocol:         http
     Status:                      standard
     Author/Change controller:    IETF
     Specification document(s):   this one

16.  References

16.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [RFC3490]  Faltstrom, P., Hoffman, P., and A. Costello,
              "Internationalizing Domain Names in Applications (IDNA)",
              RFC 3490, March 2003.

   [RFC3864]  Klyne, G., Nottingham, M., and J. Mogul, "Registration
              Procedures for Message Header Fields", BCP 90, RFC 3864,
              September 2004.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, January 2005.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5890]  Klensin, J., "Internationalized Domain Names for
              Applications (IDNA): Definitions and Document Framework",
              RFC 5890, August 2010.

   [RFC5891]  Klensin, J., "Internationalized Domain Names in
              Applications (IDNA): Protocol", RFC 5891, August 2010.

Top      Up      ToC       Page 40 
   [RFC5895]  Resnick, P. and P. Hoffman, "Mapping Characters for
              Internationalized Domain Names in Applications
              (IDNA) 2008", RFC 5895, September 2010.

   [RFC6698]  Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
              of Named Entities (DANE) Transport Layer Security (TLS)
              Protocol: TLSA", RFC 6698, August 2012.

   [UTS46]    Davis, M. and M. Suignard, "Unicode IDNA Compatibility
              Processing", Unicode Technical Standard #46,
              <http://unicode.org/reports/tr46/>.

   [Unicode]  The Unicode Consortium, "The Unicode Standard",
              <http://www.unicode.org/versions/latest/>.

   [W3C.REC-html401-19991224]
              Raggett, D., Le Hors, A., and I. Jacobs, "HTML 4.01
              Specification", World Wide Web Consortium Recommendation
              REC-html401-19991224, December 1999,
              <http://www.w3.org/TR/1999/REC-html401-19991224/>.

16.2.  Informative References

   [Aircrack-ng]
              d'Otreppe, T., "Aircrack-ng", Accessed: 11-Jul-2010,
              <http://www.aircrack-ng.org/>.

   [BeckTews09]
              Beck, M. and E. Tews, "Practical Attacks Against WEP and
              WPA", Second ACM Conference on Wireless Network
              Security Zurich, Switzerland, 2009,
              <http://dl.acm.org/citation.cfm?id=1514286>.

   [CWE-113]  "CWE-113: Improper Neutralization of CRLF Sequences in
              HTTP Headers ('HTTP Response Splitting')", Common Weakness
              Enumeration <http://cwe.mitre.org/>, The Mitre
              Corporation <http://www.mitre.org/>,
              <http://cwe.mitre.org/data/definitions/113.html>.

   [Firesheep]
              Various, "Firesheep", Wikipedia Online, ongoing, <https://
              secure.wikimedia.org/wikipedia/en/w/
              index.php?title=Firesheep&oldid=517474182>.

Top      Up      ToC       Page 41 
   [ForceHTTPS]
              Jackson, C. and A. Barth, "ForceHTTPS:  Protecting High-
              Security Web Sites from Network Attacks", In Proceedings
              of the 17th International World Wide Web Conference
              (WWW2008) , 2008,
              <https://crypto.stanford.edu/forcehttps/>.

   [GoodDhamijaEtAl05]
              Good, N., Dhamija, R., Grossklags, J., Thaw, D.,
              Aronowitz, S., Mulligan, D., and J. Konstan, "Stopping
              Spyware at the Gate: A User Study of Privacy, Notice and
              Spyware", In Proceedings of Symposium On Usable Privacy
              and Security (SOUPS) Pittsburgh, PA, USA, July 2005,
              <http://www.law.berkeley.edu/files/
              Spyware_at_the_Gate.pdf>.

   [HTTP1_1-UPD]
              Fielding, R., Ed., and J. Reschke, Ed., "Hypertext
              Transfer Protocol (HTTP/1.1): Message Syntax and Routing",
              Work in Progress, October 2012.

   [JacksonBarth2008]
              Jackson, C. and A. Barth, "Beware of Finer-Grained
              Origins", Web 2.0 Security and Privacy Workshop, Oakland,
              CA, USA, 2008,
              <http://seclab.stanford.edu/websec/origins/fgo.pdf>.

   [OWASP-TLSGuide]
              Coates, M., Wichers, D., Boberski, M., and T. Reguly,
              "Transport Layer Protection Cheat Sheet",
              Accessed: 11-Jul-2010, <http://www.owasp.org/index.php/
              Transport_Layer_Protection_Cheat_Sheet>.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [RFC2560]  Myers, M., Ankney, R., Malpani, A., Galperin, S., and C.
              Adams, "X.509 Internet Public Key Infrastructure Online
              Certificate Status Protocol - OCSP", RFC 2560, June 1999.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements",
              RFC 4033, March 2005.

   [RFC4732]  Handley, M., Rescorla, E., and IAB, "Internet Denial-of-
              Service Considerations", RFC 4732, December 2006.

Top      Up      ToC       Page 42 
   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              RFC 4949, August 2007.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

   [RFC5894]  Klensin, J., "Internationalized Domain Names for
              Applications (IDNA): Background, Explanation, and
              Rationale", RFC 5894, August 2010.

   [RFC5905]  Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network
              Time Protocol Version 4: Protocol and Algorithms
              Specification", RFC 5905, June 2010.

   [RFC6066]  Eastlake, D., "Transport Layer Security (TLS) Extensions:
              Extension Definitions", RFC 6066, January 2011.

   [RFC6101]  Freier, A., Karlton, P., and P. Kocher, "The Secure
              Sockets Layer (SSL) Protocol Version 3.0", RFC 6101,
              August 2011.

   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
              Verification of Domain-Based Application Service Identity
              within Internet Public Key Infrastructure Using X.509
              (PKIX) Certificates in the Context of Transport Layer
              Security (TLS)", RFC 6125, March 2011.

   [RFC6265]  Barth, A., "HTTP State Management Mechanism", RFC 6265,
              April 2011.

   [RFC6454]  Barth, A., "The Web Origin Concept", RFC 6454,
              December 2011.

   [SunshineEgelmanEtAl09]
              Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., and
              L. Cranor, "Crying Wolf: An Empirical Study of SSL Warning
              Effectiveness", In Proceedings of 18th USENIX Security
              Symposium Montreal, Canada, August 2009, <http://
              www.usenix.org/events/sec09/tech/full_papers/
              sunshine.pdf>.

Top      Up      ToC       Page 43 
   [W3C.REC-wsc-ui-20100812]
              Roessler, T. and A. Saldhana, "Web Security Context: User
              Interface Guidelines", World Wide Web Consortium
              Recommendation REC-wsc-ui-20100812, August 2010,
              <http://www.w3.org/TR/2010/REC-wsc-ui-20100812>.

   [WebTracking]
              Schmucker, N., "Web Tracking", SNET2 Seminar Paper
              - Summer Term, 2011, <http://www.snet.tu-berlin.de/
              fileadmin/fg220/courses/SS11/snet-project/
              web-tracking_schmuecker.pdf>.

Top      Up      ToC       Page 44 
Appendix A.  Design Decision Notes

   This appendix documents various design decisions.

   1.  Cookies aren't appropriate for HSTS Policy expression, as they
       are potentially mutable (while stored in the UA); therefore, an
       HTTP header field is employed.

   2.  We chose to not attempt to specify how "mixed security context
       loads" (also known as "mixed content loads") are handled, due to
       UA implementation considerations as well as classification
       difficulties.

   3.  An HSTS Host may update UA notions of HSTS Policy via new HSTS
       header field parameter values.  We chose to have UAs honor the
       "freshest" information received from a server because there is
       the chance of a web site sending out an erroneous HSTS Policy,
       such as a multi-year max-age value, and/or an incorrect
       includeSubDomains directive.  If the HSTS Host couldn't correct
       such errors over protocol, it would require some form of
       annunciation to users and manual intervention on the users' part,
       which could be a non-trivial problem for both web application
       providers and their users.

   4.  HSTS Hosts are identified only via domain names -- explicit IP
       address identification of all forms is excluded.  This is for
       simplification and also is in recognition of various issues with
       using direct IP address identification in concert with PKI-based
       security.

   5.  The max-age approach of having the HSTS Host provide a simple
       integer number of seconds for a cached HSTS Policy time-to-live
       value, as opposed to an approach of stating an expiration time in
       the future, was chosen for various reasons.  Amongst the reasons
       are no need for clock synchronization, no need to define date and
       time value syntaxes (specification simplicity), and
       implementation simplicity.

   6.  In determining whether port mapping was to be employed, the
       option of merely refusing to dereference any URL with an explicit
       port was considered.  It was felt, though, that the possibility
       that the URI to be dereferenced is incorrect (and there is indeed
       a valid HTTPS server at that port) is worth the small cost of
       possibly wasted HTTPS fetches to HTTP servers.

Top      Up      ToC       Page 45 
Appendix B.  Differences between HSTS Policy and Same-Origin Policy

   HSTS Policy has the following primary characteristics:

      HSTS Policy stipulates requirements for the security
      characteristics of UA-to-host connection establishment, on a
      per-host basis.

      Hosts explicitly declare HSTS Policy to UAs.  Conformant UAs are
      obliged to implement hosts' declared HSTS Policies.

      HSTS Policy is conveyed over protocol from the host to the UA.

      The UA maintains a cache of Known HSTS Hosts.

      UAs apply HSTS Policy whenever making an HTTP connection to a
      Known HSTS Host, regardless of host port number; i.e., it applies
      to all ports on a Known HSTS Host.  Hosts are unable to affect
      this aspect of HSTS Policy.

      Hosts may optionally declare that their HSTS Policy applies to all
      subdomains of their host domain name.

   In contrast, the Same-Origin Policy (SOP) [RFC6454] has the following
   primary characteristics:

      An origin is the scheme, host, and port of a URI identifying a
      resource.

      A UA may dereference a URI, thus loading a representation of the
      resource the URI identifies.  UAs label resource representations
      with their origins, which are derived from their URIs.

      The SOP refers to a collection of principles, implemented within
      UAs, governing the isolation of and communication between resource
      representations within the UA, as well as resource
      representations' access to network resources.

   In summary, although both HSTS Policy and SOP are enforced by UAs,
   HSTS Policy is optionally declared by hosts and is not origin-based,
   while the SOP applies to all resource representations loaded from all
   hosts by conformant UAs.

Top      Up      ToC       Page 46 
Appendix C.  Acknowledgments

   The authors thank Devdatta Akhawe, Michael Barrett, Ben Campbell,
   Tobias Gondrom, Paul Hoffman, Murray Kucherawy, Barry Leiba, James
   Manger, Alexey Melnikov, Haevard Molland, Yoav Nir, Yngve N.
   Pettersen, Laksh Raghavan, Marsh Ray, Julian Reschke, Eric Rescorla,
   Tom Ritter, Peter Saint-Andre, Brian Smith, Robert Sparks, Maciej
   Stachowiak, Sid Stamm, Andy Steingrubl, Brandon Sterne, Martin
   Thomson, Daniel Veditz, and Jan Wrobel, as well as all the websec
   working group participants and others for their various reviews and
   helpful contributions.

   Thanks to Julian Reschke for his elegant rewriting of the effective
   request URI text, which he did when incorporating the ERU notion into
   the updates to HTTP/1.1 [HTTP1_1-UPD].  Subsequently, the ERU text in
   this spec was lifted from Julian's work in the updated HTTP/1.1
   (part 1) specification and adapted to the [RFC2616] ABNF.

Authors' Addresses

   Jeff Hodges
   PayPal
   2211 North First Street
   San Jose, California  95131
   US

   EMail: Jeff.Hodges@PayPal.com


   Collin Jackson
   Carnegie Mellon University

   EMail: collin.jackson@sv.cmu.edu


   Adam Barth
   Google, Inc.

   EMail: ietf@adambarth.com
   URI:   http://www.adambarth.com/