Tech-invite3GPPspaceIETFspace
96959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 6797

HTTP Strict Transport Security (HSTS)

Pages: 46
Proposed Standard
Errata
Part 1 of 3 – Pages 1 to 14
None   None   Next

Top   ToC   RFC6797 - Page 1
Internet Engineering Task Force (IETF)                         J. Hodges
Request for Comments: 6797                                        PayPal
Category: Standards Track                                     C. Jackson
ISSN: 2070-1721                               Carnegie Mellon University
                                                                A. Barth
                                                            Google, Inc.
                                                           November 2012


                 HTTP Strict Transport Security (HSTS)

Abstract

This specification defines a mechanism enabling web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. This overall policy is referred to as HTTP Strict Transport Security (HSTS). The policy is declared by web sites via the Strict-Transport-Security HTTP response header field and/or by other means, such as user agent configuration, for example. Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6797.
Top   ToC   RFC6797 - Page 2
Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

1. Introduction ....................................................4 1.1. Organization of This Specification .........................6 1.2. Document Conventions .......................................6 2. Overview ........................................................6 2.1. Use Cases ..................................................6 2.2. HTTP Strict Transport Security Policy Effects ..............6 2.3. Threat Model ...............................................6 2.3.1. Threats Addressed ...................................7 2.3.1.1. Passive Network Attackers ..................7 2.3.1.2. Active Network Attackers ...................7 2.3.1.3. Web Site Development and Deployment Bugs ...8 2.3.2. Threats Not Addressed ...............................8 2.3.2.1. Phishing ...................................8 2.3.2.2. Malware and Browser Vulnerabilities ........8 2.4. Requirements ...............................................9 2.4.1. Overall Requirement .................................9 2.4.1.1. Detailed Core Requirements .................9 2.4.1.2. Detailed Ancillary Requirements ...........10 3. Conformance Criteria ...........................................10 4. Terminology ....................................................11 5. HSTS Mechanism Overview ........................................13 5.1. HSTS Host Declaration .....................................13 5.2. HSTS Policy ...............................................13 5.3. HSTS Policy Storage and Maintenance by User Agents ........14 5.4. User Agent HSTS Policy Enforcement ........................14 6. Syntax .........................................................14 6.1. Strict-Transport-Security HTTP Response Header Field ......15 6.1.1. The max-age Directive ..............................16 6.1.2. The includeSubDomains Directive ....................16 6.2. Examples ..................................................16
Top   ToC   RFC6797 - Page 3
   7. Server Processing Model ........................................17
      7.1. HTTP-over-Secure-Transport Request Type ...................17
      7.2. HTTP Request Type .........................................18
   8. User Agent Processing Model ....................................18
      8.1. Strict-Transport-Security Response Header Field
           Processing ................................................19
           8.1.1. Noting an HSTS Host - Storage Model ................20
      8.2. Known HSTS Host Domain Name Matching ......................20
      8.3. URI Loading and Port Mapping ..............................21
      8.4. Errors in Secure Transport Establishment ..................22
      8.5. HTTP-Equiv <Meta> Element Attribute .......................22
      8.6. Missing Strict-Transport-Security Response Header Field ...23
   9. Constructing an Effective Request URI ..........................23
      9.1. ERU Fundamental Definitions ...............................23
      9.2. Determining the Effective Request URI .....................24
           9.2.1. Effective Request URI Examples .....................24
   10. Domain Name IDNA-Canonicalization .............................25
   11. Server Implementation and Deployment Advice ...................26
      11.1. Non-Conformant User Agent Considerations .................26
      11.2. HSTS Policy Expiration Time Considerations ...............26
      11.3. Using HSTS in Conjunction with Self-Signed Public-Key
            Certificates .............................................27
      11.4. Implications of includeSubDomains ........................28
            11.4.1. Considerations for Offering Unsecured HTTP
                    Services at Alternate Ports or Subdomains of an
                    HSTS Host ........................................28
            11.4.2. Considerations for Offering Web Applications at
                    Subdomains of an HSTS Host .......................29
   12. User Agent Implementation Advice ..............................30
      12.1. No User Recourse .........................................30
      12.2. User-Declared HSTS Policy ................................30
      12.3. HSTS Pre-Loaded List .....................................31
      12.4. Disallow Mixed Security Context Loads ....................31
      12.5. HSTS Policy Deletion .....................................31
   13. Internationalized Domain Names for Applications (IDNA):
       Dependency and Migration ......................................32
Top   ToC   RFC6797 - Page 4
   14. Security Considerations .......................................32
      14.1. Underlying Secure Transport Considerations ...............32
      14.2. Non-Conformant User Agent Implications ...................33
      14.3. Ramifications of HSTS Policy Establishment Only over
            Error-Free Secure Transport ..............................33
      14.4. The Need for includeSubDomains ...........................34
      14.5. Denial of Service ........................................35
      14.6. Bootstrap MITM Vulnerability .............................36
      14.7. Network Time Attacks .....................................37
      14.8. Bogus Root CA Certificate Phish plus DNS Cache
            Poisoning Attack .........................................37
      14.9. Creative Manipulation of HSTS Policy Store ...............37
      14.10. Internationalized Domain Names ..........................38
   15. IANA Considerations ...........................................39
   16. References ....................................................39
      16.1. Normative References .....................................39
      16.2. Informative References ...................................40
   Appendix A. Design Decision Notes .................................44
   Appendix B. Differences between HSTS Policy and Same-Origin
               Policy ................................................45
   Appendix C. Acknowledgments .......................................46

1. Introduction

HTTP [RFC2616] may be used over various transports, typically the Transmission Control Protocol (TCP). However, TCP does not provide channel integrity protection, confidentiality, or secure host identification. Thus, the Secure Sockets Layer (SSL) protocol [RFC6101] and its successor, Transport Layer Security (TLS) [RFC5246] were developed in order to provide channel-oriented security and are typically layered between application protocols and TCP. [RFC2818] specifies how HTTP is layered onto TLS and defines the Uniform Resource Identifier (URI) scheme of "https" (in practice, however, HTTP user agents (UAs) typically use either TLS or SSL3, depending upon a combination of negotiation with the server and user preferences). UAs employ various local security policies with respect to the characteristics of their interactions with web resources, depending on (in part) whether they are communicating with a given web resource's host using HTTP or HTTP-over-Secure-Transport. For example, cookies ([RFC6265]) may be flagged as Secure. UAs are to send such Secure cookies to their addressed host only over a secure transport. This is in contrast to non-Secure cookies, which are returned to the host regardless of transport (although subject to other rules).
Top   ToC   RFC6797 - Page 5
   UAs typically announce to their users any issues with secure
   connection establishment, such as being unable to validate a TLS
   server certificate trust chain, or if a TLS server certificate is
   expired, or if a TLS host's domain name appears incorrectly in the
   TLS server certificate (see Section 3.1 of [RFC2818]).  Often, UAs
   enable users to elect to continue to interact with a web resource's
   host in the face of such issues.  This behavior is sometimes referred
   to as "click(ing) through" security [GoodDhamijaEtAl05]
   [SunshineEgelmanEtAl09]; thus, it can be described as "click-through
   insecurity".

   A key vulnerability enabled by click-through insecurity is the
   leaking of any cookies the web resource may be using to manage a
   user's session.  The threat here is that an attacker could obtain the
   cookies and then interact with the legitimate web resource while
   impersonating the user.

   Jackson and Barth proposed an approach, in [ForceHTTPS], to enable
   web resources to declare that any interactions by UAs with the web
   resource must be conducted securely and that any issues with
   establishing a secure transport session are to be treated as fatal
   and without direct user recourse.  The aim is to prevent click-
   through insecurity and address other potential threats.

   This specification embodies and refines the approach proposed in
   [ForceHTTPS].  For example, rather than using a cookie to convey
   policy from a web resource's host to a UA, it defines an HTTP
   response header field for this purpose.  Additionally, a web
   resource's host may declare its policy to apply to the entire domain
   name subtree rooted at its host name.  This enables HTTP Strict
   Transport Security (HSTS) to protect so-called "domain cookies",
   which are applied to all subdomains of a given web resource's host
   name.

   This specification also incorporates notions from [JacksonBarth2008]
   in that policy is applied on an "entire-host" basis: it applies to
   HTTP (only) over any TCP port of the issuing host.

   Note that the policy defined by this specification is distinctly
   different than the "same-origin policy" defined in "The Web Origin
   Concept" [RFC6454].  These differences are summarized in Appendix B.
Top   ToC   RFC6797 - Page 6

1.1. Organization of This Specification

This specification begins with an overview of the use cases, policy effects, threat models, and requirements for HSTS (in Section 2). Then, Section 3 defines conformance requirements. Section 4 defines terminology relevant to this document. The HSTS mechanism itself is formally specified in Sections 5 through 15.

1.2. Document Conventions

NOTE: This is a note to the reader. These are points that should be expressly kept in mind and/or considered.

2. Overview

This section discusses the use cases, summarizes the HSTS Policy, and continues with a discussion of the threat model, non-addressed threats, and derived requirements.

2.1. Use Cases

The high-level use case is a combination of: o Web browser user wishes to interact with various web sites (some arbitrary, some known) in a secure fashion. o Web site deployer wishes to offer their site in an explicitly secure fashion for their own, as well as their users', benefit.

2.2. HTTP Strict Transport Security Policy Effects

The effects of the HSTS Policy, as applied by a conformant UA in interactions with a web resource host wielding such policy (known as an HSTS Host), are summarized as follows: 1. UAs transform insecure URI references to an HSTS Host into secure URI references before dereferencing them. 2. The UA terminates any secure transport connection attempts upon any and all secure transport errors or warnings.

2.3. Threat Model

HSTS is concerned with three threat classes: passive network attackers, active network attackers, and imperfect web developers. However, it is explicitly not a remedy for two other classes of threats: phishing and malware. Threats that are addressed, as well as threats that are not addressed, are briefly discussed below.
Top   ToC   RFC6797 - Page 7
   Readers may wish to refer to Section 2 of [ForceHTTPS] for details as
   well as relevant citations.

2.3.1. Threats Addressed

2.3.1.1. Passive Network Attackers
When a user browses the web on a local wireless network (e.g., an 802.11-based wireless local area network) a nearby attacker can possibly eavesdrop on the user's unencrypted Internet Protocol-based connections, such as HTTP, regardless of whether or not the local wireless network itself is secured [BeckTews09]. Freely available wireless sniffing toolkits (e.g., [Aircrack-ng]) enable such passive eavesdropping attacks, even if the local wireless network is operating in a secure fashion. A passive network attacker using such tools can steal session identifiers/cookies and hijack the user's web session(s) by obtaining cookies containing authentication credentials [ForceHTTPS]. For example, there exist widely available tools, such as Firesheep (a web browser extension) [Firesheep], that enable their wielder to obtain other local users' session cookies for various web applications. To mitigate such threats, some web sites support, but usually do not force, access using end-to-end secure transport -- e.g., signaled through URIs constructed with the "https" scheme [RFC2818]. This can lead users to believe that accessing such services using secure transport protects them from passive network attackers. Unfortunately, this is often not the case in real-world deployments, as session identifiers are often stored in non-Secure cookies to permit interoperability with versions of the service offered over insecure transport ("Secure cookies" are those cookies containing the "Secure" attribute [RFC6265]). For example, if the session identifier for a web site (an email service, say) is stored in a non-Secure cookie, it permits an attacker to hijack the user's session if the user's UA makes a single insecure HTTP request to the site.
2.3.1.2. Active Network Attackers
A determined attacker can mount an active attack, either by impersonating a user's DNS server or, in a wireless network, by spoofing network frames or offering a similarly named evil twin access point. If the user is behind a wireless home router, an attacker can attempt to reconfigure the router using default passwords and other vulnerabilities. Some sites, such as banks, rely on end-to-end secure transport to protect themselves and their users from such active attackers. Unfortunately, browsers allow their users to easily opt out of these protections in order to be usable
Top   ToC   RFC6797 - Page 8
   for sites that incorrectly deploy secure transport, for example by
   generating and self-signing their own certificates (without also
   distributing their certification authority (CA) certificate to their
   users' browsers).

2.3.1.3. Web Site Development and Deployment Bugs
The security of an otherwise uniformly secure site (i.e., all of its content is materialized via "https" URIs) can be compromised completely by an active attacker exploiting a simple mistake, such as the loading of a cascading style sheet or a SWF (Shockwave Flash) movie over an insecure connection (both cascading style sheets and SWF movies can script the embedding page, to the surprise of many web developers, plus some browsers do not issue so-called "mixed content warnings" when SWF files are embedded via insecure connections). Even if the site's developers carefully scrutinize their login page for "mixed content", a single insecure embedding anywhere on the overall site compromises the security of their login page because an attacker can script (i.e., control) the login page by injecting code (e.g., a script) into another, insecurely loaded, site page. NOTE: "Mixed content" as used above (see also Section 5.3 in [W3C.REC-wsc-ui-20100812]) refers to the notion termed "mixed security context" in this specification and should not be confused with the same "mixed content" term used in the context of markup languages such as XML and HTML.

2.3.2. Threats Not Addressed

2.3.2.1. Phishing
Phishing attacks occur when an attacker solicits authentication credentials from the user by hosting a fake site located on a different domain than the real site, perhaps driving traffic to the fake site by sending a link in an email message. Phishing attacks can be very effective because users find it difficult to distinguish the real site from a fake site. HSTS is not a defense against phishing per se; rather, it complements many existing phishing defenses by instructing the browser to protect session integrity and long-lived authentication tokens [ForceHTTPS].
2.3.2.2. Malware and Browser Vulnerabilities
Because HSTS is implemented as a browser security mechanism, it relies on the trustworthiness of the user's system to protect the session. Malicious code executing on the user's system can compromise a browser session, regardless of whether HSTS is used.
Top   ToC   RFC6797 - Page 9

2.4. Requirements

This section identifies and enumerates various requirements derived from the use cases and the threats discussed above and also lists the detailed core requirements that HTTP Strict Transport Security addresses, as well as ancillary requirements that are not directly addressed.

2.4.1. Overall Requirement

o Minimize, for web browser users and web site deployers, the risks that are derived from passive and active network attackers, web site development and deployment bugs, and insecure user actions.
2.4.1.1. Detailed Core Requirements
These core requirements are derived from the overall requirement and are addressed by this specification. 1. Web sites need to be able to declare to UAs that they should be accessed using a strict security policy. 2. Web sites need to be able to instruct UAs that contact them insecurely to do so securely. 3. UAs need to retain persistent data about web sites that signal strict security policy enablement, for time spans declared by the web sites. Additionally, UAs need to cache the "freshest" strict security policy information, in order to allow web sites to update the information. 4. UAs need to rewrite all insecure UA "http" URI loads to use the "https" secure scheme for those web sites for which secure policy is enabled. 5. Web site administrators need to be able to signal strict security policy application to subdomains of higher-level domains for which strict security policy is enabled, and UAs need to enforce such policy. For example, both example.com and foo.example.com could set policy for bar.foo.example.com.
Top   ToC   RFC6797 - Page 10
   6.  UAs need to disallow security policy application to peer domains,
       and/or higher-level domains, by domains for which strict security
       policy is enabled.

       For example, neither bar.foo.example.com nor foo.example.com can
       set policy for example.com, nor can bar.foo.example.com set
       policy for foo.example.com.  Also, foo.example.com cannot set
       policy for sibling.example.com.

   7.  UAs need to prevent users from "clicking through" security
       warnings.  Halting connection attempts in the face of secure
       transport exceptions is acceptable.  See also Section 12.1 ("No
       User Recourse").

   NOTE:  A means for uniformly securely meeting the first core
          requirement above is not specifically addressed by this
          specification (see Section 14.6 ("Bootstrap MITM
          Vulnerability")).  It may be addressed by a future revision of
          this specification or some other specification.  Note also
          that there are means by which UA implementations may more
          fully meet the first core requirement; see Section 12 ("User
          Agent Implementation Advice").

2.4.1.2. Detailed Ancillary Requirements
These ancillary requirements are also derived from the overall requirement. They are not normatively addressed in this specification but could be met by UA implementations at their implementor's discretion, although meeting these requirements may be complex. 1. Disallow "mixed security context" loads (see Section 2.3.1.3). 2. Facilitate user declaration of web sites for which strict security policy is enabled, regardless of whether the sites signal HSTS Policy.

3. Conformance Criteria

This specification is written for hosts and user agents. A conformant host is one that implements all the requirements listed in this specification that are applicable to hosts. A conformant user agent is one that implements all the requirements listed in this specification that are applicable to user agents.
Top   ToC   RFC6797 - Page 11
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

4. Terminology

Terminology is defined in this section. ASCII case-insensitive comparison: means comparing two strings exactly, codepoint for codepoint, except that the characters in the range U+0041 .. U+005A (i.e., LATIN CAPITAL LETTER A to LATIN CAPITAL LETTER Z) and the corresponding characters in the range U+0061 .. U+007A (i.e., LATIN SMALL LETTER A to LATIN SMALL LETTER Z) are considered to also match. See [Unicode] for details. codepoint: is a colloquial contraction of Code Point, which is any value in the Unicode codespace; that is, the range of integers from 0 to 10FFFF(hex) [Unicode]. domain name: is also referred to as "DNS name" and is defined in [RFC1035] to be represented outside of the DNS protocol itself (and implementations thereof) as a series of labels separated by dots, e.g., "example.com" or "yet.another.example.org". In the context of this specification, domain names appear in that portion of a URI satisfying the reg-name production in "Appendix A. Collected ABNF for URI" in [RFC3986], and the host component from the Host HTTP header field production in Section 14.23 of [RFC2616]. NOTE: The domain names appearing in actual URI instances and matching the aforementioned production components may or may not be a fully qualified domain name. domain name label: is that portion of a domain name appearing "between the dots", i.e., consider "foo.example.com": "foo", "example", and "com" are all domain name labels.
Top   ToC   RFC6797 - Page 12
   Effective Request URI:

      is a URI, identifying the target resource, that can be inferred by
      an HTTP host for any given HTTP request it receives.  Such
      inference is necessary because HTTP requests often do not contain
      a complete "absolute" URI identifying the target resource.  See
      Section 9 ("Constructing an Effective Request URI").

   HTTP Strict Transport Security:

      is the overall name for the combined UA- and server-side security
      policy defined by this specification.

   HTTP Strict Transport Security Host:

      is a conformant host implementing the HTTP server aspects of the
      HSTS Policy.  This means that an HSTS Host returns the
      "Strict-Transport-Security" HTTP response header field in its HTTP
      response messages sent over secure transport.

   HTTP Strict Transport Security Policy:

      is the name of the combined overall UA- and server-side facets of
      the behavior defined in this specification.

   HSTS:

      See HTTP Strict Transport Security.

   HSTS Host:

      See HTTP Strict Transport Security Host.

   HSTS Policy:

      See HTTP Strict Transport Security Policy.

   Known HSTS Host:

      is an HSTS Host for which the UA has an HSTS Policy in effect;
      i.e., the UA has noted this host as a Known HSTS Host.  See
      Section 8.1.1 ("Noting an HSTS Host - Storage Model") for
      particulars.

   Local policy:

      comprises policy rules that deployers specify and that are often
      manifested as configuration settings.
Top   ToC   RFC6797 - Page 13
   MITM:

      is an acronym for "man in the middle".  See "man-in-the-middle
      attack" in [RFC4949].

   Request URI:

      is the URI used to cause a UA to issue an HTTP request message.
      See also "Effective Request URI".

   UA:

      is an acronym for "user agent".  For the purposes of this
      specification, a UA is an HTTP client application typically
      actively manipulated by a user [RFC2616].

   unknown HSTS Host:

      is an HSTS Host that the user agent has not noted.

5. HSTS Mechanism Overview

This section provides an overview of the mechanism by which an HSTS Host conveys its HSTS Policy to UAs and how UAs process the HSTS Policies received from HSTS Hosts. The mechanism details are specified in Sections 6 through 15.

5.1. HSTS Host Declaration

An HTTP host declares itself an HSTS Host by issuing to UAs an HSTS Policy, which is represented by and conveyed via the Strict-Transport-Security HTTP response header field over secure transport (e.g., TLS). Upon error-free receipt and processing of this header by a conformant UA, the UA regards the host as a Known HSTS Host.

5.2. HSTS Policy

An HSTS Policy directs UAs to communicate with a Known HSTS Host only over secure transport and specifies policy retention time duration. HSTS Policy explicitly overrides the UA processing of URI references, user input (e.g., via the "location bar"), or other information that, in the absence of HSTS Policy, might otherwise cause UAs to communicate insecurely with the Known HSTS Host.
Top   ToC   RFC6797 - Page 14
   An HSTS Policy may contain an optional directive -- includeSubDomains
   -- specifying that this HSTS Policy also applies to any hosts whose
   domain names are subdomains of the Known HSTS Host's domain name.

5.3. HSTS Policy Storage and Maintenance by User Agents

UAs store and index HSTS Policies based strictly upon the domain names of the issuing HSTS Hosts. This means that UAs will maintain the HSTS Policy of any given HSTS Host separately from any HSTS Policies issued by any other HSTS Hosts whose domain names are superdomains or subdomains of the given HSTS Host's domain name. Only the given HSTS Host can update or can cause deletion of its issued HSTS Policy. It accomplishes this by sending Strict-Transport-Security HTTP response header fields to UAs with new values for policy time duration and subdomain applicability. Thus, UAs cache the "freshest" HSTS Policy information on behalf of an HSTS Host. Specifying a zero time duration signals the UA to delete the HSTS Policy (including any asserted includeSubDomains directive) for that HSTS Host. See Section 8.1 ("Strict-Transport-Security Response Header Field Processing") for details. Additionally, Section 6.2 presents examples of Strict-Transport-Security HTTP response header fields.

5.4. User Agent HSTS Policy Enforcement

When establishing an HTTP connection to a given host, however instigated, the UA examines its cache of Known HSTS Hosts to see if there are any with domain names that are superdomains of the given host's domain name. If any are found, and of those if any have the includeSubDomains directive asserted, then HSTS Policy applies to the given host. Otherwise, HSTS Policy applies to the given host only if the given host is itself known to the UA as an HSTS Host. See Section 8.3 ("URI Loading and Port Mapping") for details.


(page 14 continued on part 2)

Next Section