TOC 
Network Working GroupJ. Hodges
Internet-DraftPayPal
Intended status: Standards TrackC. Jackson
Expires: December 25, 2010Carnegie Mellon University
 A. Barth
 University of California
 Berkeley
 June 23, 2010


HTTP Strict Transport Security
draft-hodges-strict-transport-sec-01

Abstract

This specification defines a mechanism enabling Web sites to declare themselves accessible only via secure connections, and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. This overall policy is referred to as Strict Transport Security (STS). The policy is declared by Web sites via the Strict-Transport-Security HTTP Response Header Field.

Status of this Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”

This Internet-Draft will expire on December 25, 2010.

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.



Table of Contents

1.  Introduction
2.  Overview
    2.1.  Use Cases
    2.2.  Strict Transport Security Policy Effects
    2.3.  Threat Model
        2.3.1.  Threats Addressed
            2.3.1.1.  Passive Network Attackers
            2.3.1.2.  Active Network Attackers
            2.3.1.3.  Web Site Development and Deployment Bugs
        2.3.2.  Threats Not Addressed
            2.3.2.1.  Phishing
            2.3.2.2.  Malware and Browser Vulnerabilities
    2.4.  Requirements
        2.4.1.  Overall Requirement
            2.4.1.1.  Detailed Core Requirements
            2.4.1.2.  Detailed Ancillary Requirements
3.  Conformance Criteria
    3.1.  Document Conventions
4.  Terminology
5.  Syntax
    5.1.  Strict-Transport-Security HTTP Response Header Field
6.  Server Processing Model
    6.1.  HTTP-over-Secure-Transport Request Type
    6.2.  HTTP Request Type
7.  User Agent Processing Model
    7.1.  Strict-Transport-Security Response Header Field Processing
        7.1.1.  Noting a STS Server
        7.1.2.  Known STS Server Domain Name Matching
    7.2.  URI Loading
    7.3.  Errors in Secure Transport Establishment
    7.4.  HTTP-Equiv <Meta> Element Attribute
8.  Domain Name ToASCII Conversion Operation
9.  Server Implementation Advice
10.  UA Implementation Advice
11.  Constructing an Effective Request URI
12.  Security Considerations
    12.1.  Denial of Service (DoS)
    12.2.  Bootstrap MITM Vulnerability
    12.3.  Network Time Attacks
    12.4.  Bogus Root CA Certificate Phish plus DNS Cache Poisoning Attack
13.  IANA Considerations
14.  Design Decision Notes
15.  References
    15.1.  Normative References
    15.2.  Informative References
Appendix A.  Acknowledgments
§  Authors' Addresses




 TOC 

1.  Introduction

[ Please disscuss this draft on the hasmat@ietf.org mailing list [HASMAT] (, “HASMAT -- HTTP Application Security Minus Authentication and Transport,” .). ]

The HTTP protocol [RFC2616] (Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, “Hypertext Transfer Protocol -- HTTP/1.1,” June 1999.) may be used over various transports, typically the Transmission Control Protocol (TCP) [RFC0793] (Postel, J., “Transmission Control Protocol,” September 1981.). However, TCP does not provide channel integrity protection, confidentiality, nor secure server identification. Thus the Secure Sockets Layer (SSL) protocol [I‑D.ietf‑tls‑ssl‑version3] (Freier, A., Karlton, P., and P. Kocher, “The SSL Protocol Version 3.0,” November 1996.) and its successor Transport Layer Security (TLS) [RFC4346] (Dierks, T. and E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.1,” April 2006.), were developed in order to provide channel-oriented security, and are typically layered between application protocols and TCP. [RFC2818] (Rescorla, E., “HTTP Over TLS,” May 2000.) specifies how HTTP is layered onto TLS, and defines the Universal Resource Identifier (URI) scheme of "https" (in practice however, HTTP user agents (UAs) typically offer their users choices among SSL2, SSL3, and TLS for secure transport). URIs themselves are specified in [RFC3986] (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.).

UAs employ various local security policies with respect to the characteristics of their interactions with web resources depending on (in part) whether they are communicating with a given web resource using HTTP or HTTP-over-a-Secure-Transport. For example, cookies ([RFC2109] (Kristol, D. and L. Montulli, “HTTP State Management Mechanism,” February 1997.) and [RFC2965] (Kristol, D. and L. Montulli, “HTTP State Management Mechanism,” October 2000.)) may be flagged as Secure. UAs are to send such Secure cookies to their addressed server only over a secure transport. This is in contrast to non-Secure cookies, which are returned to the server regardless of transport (although modulo other rules).

UAs typically annunciate to their users any issues with secure connection establishment, such as being unable to validate a server certificate trust chain, or if a server certificate is expired, or if a server's domain name appears incorrectly in the server certificate (see section 3.1 of [RFC2818] (Rescorla, E., “HTTP Over TLS,” May 2000.)). Often, UAs provide for users to be able to elect to continue to interact with a web resource in the face of such issues. This behavior is sometimes referred to as "click(ing) through" security [GoodDhamijaEtAl05] (Good, N., Dhamija, R., Grossklags, J., Thaw, D., Aronowitz, S., Mulligan, D., and J. Konstan, “Stopping Spyware at the Gate: A User Study of Privacy, Notice and Spyware,” July 2005.) [SunshineEgelmanEtAl09] (Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., and L. Cranor, “Crying Wolf: An Empirical Study of SSL Warning Effectiveness,” Augus 2009.), and thus can be described as "click-through insecurity" .

Jackson and Barth proposed an approach, in [ForceHTTPS] (Jackson, C. and A. Barth, “ForceHTTPS: Protecting High-Security Web Sites from Network Attacks,” 2008.), to enable web sites and/or users to be able to declare that such issues are to be treated as fatal and without direct user recourse. The aim is to prevent users from unintentionally downgrading their security.

This specification embodies and refines the approach proposed in [ForceHTTPS] (Jackson, C. and A. Barth, “ForceHTTPS: Protecting High-Security Web Sites from Network Attacks,” 2008.), e.g. a HTTP response header field is used to convey site policy to the UA rather than a cookie.



 TOC 

2.  Overview

This section discusses the use cases, summarizes the Strict Transport Security (STS) policy, and continues with a discussion of the threat model, non-addressed threats, and derived requirements.



 TOC 

2.1.  Use Cases

The overall applicable use case here is a combination of these two use cases:



 TOC 

2.2.  Strict Transport Security Policy Effects

The characteristics of the Strict Transport Security policy, as applied by a UA in its interactions with a web site wielding STS Policy, known as a STS Server, is summarized as follows:

  1. Insecure ("http") connections to a STS Server are redirected by the STS Server to be secure connections ("https").
  2. The UA terminates, without user recourse, any secure transport connection attempts upon any and all secure transport errors or warnings, including those caused by a site wielding self-signed certificates.
  3. UAs transform insecure URI references to a STS Server into secure URI references before dereferencing them.



 TOC 

2.3.  Threat Model

STS is concerned with three threat classes: passive network attackers, active network attackers, and imperfect web developers. However, it is explicitly not a remedy for two other classes of threats: phishing and malware. Addressed and not addressed threats are briefly discussed below. Readers may wish refer to [ForceHTTPS] (Jackson, C. and A. Barth, “ForceHTTPS: Protecting High-Security Web Sites from Network Attacks,” 2008.) for details as well as relevant citations.



 TOC 

2.3.1.  Threats Addressed



 TOC 

2.3.1.1.  Passive Network Attackers

When a user browses the web on a wireless network, a nearby attacker can eavesdrop on unencrypted connections, such as HTTP requests. Such a passive network attacker can steal session identifiers and hijack the user's session, by obtaining cookies containing authentication credentials for example. Such passive eavesdropping attacks are easily performed using wireless sniffing toolkits.

To mitigate this threat, some sites permit, but usually do not force, access using secure transport -- e.g. by employing "https" URIs. This can lead users to believe that accessing such services using secure transport protects them from passive network attackers. Unfortunately, this is often not the case in real-world deployments as session identifiers are often stored in non-Secure cookies to permit interoperability with versions of the service offered over insecure transport. For example, if the session identifier for a web site (an email service, say) is stored in a non-Secure cookie, it permits an attacker to hijack the user's session if the user makes a single insecure HTTP request to the site.



 TOC 

2.3.1.2.  Active Network Attackers

A determined attacker can mount an active attack, either by impersonating a user's DNS server or, in a wireless network, by spoofing network frames or offering a similarly-named evil twin access point. If the user is behind a wireless home router, an attacker can attempt to reconfigure the router using default passwords and other vulnerabilities. Some sites, such as banks, rely on secure transport to protect themselves and their users from such active attackers. Unfortunately, browsers allow their users to easily opt-out of these protections in order to be usable for sites that incorrectly deploy secure transport, for example by generating and self-signing their own certificates (without also distributing their CA certificate to their users' browsers).



 TOC 

2.3.1.3.  Web Site Development and Deployment Bugs

The security of an otherwise uniformly secure site (i.e. all of its content is materialized via "https" URIs), can be compromised completely by an active attacker exploiting a simple mistake, such as the loading of a cascading style sheet or a SWF movie over an insecure connection (both cascading style sheets and SWF movies can script the embedding page, to the surprise of many web developers -- most browsers do not issue mixed content warnings when insecure SWF files are embedded). Even if the site's developers carefully scrutinize their login page for mixed content, a single insecure embedding anywhere on the site compromises the security of their login page because an attacker can script (control) the login page by injecting script into the page with mixed content.

Note:
"Mixed content" here refers to the same notion referred to as "mixed security context" later elsewhere in this specification.



 TOC 

2.3.2.  Threats Not Addressed



 TOC 

2.3.2.1.  Phishing

Phishing attacks occur when an attacker solicits authentication credentials from the user by hosting a fake site located on a different domain than the real site, perhaps driving traffic to the fake site by sending a link in an email message. Phishing attacks can be very effective because users find it difficult to distinguish the real site from a fake site. STS is not a defense against phishing per se; rather, it complements many existing phishing defenses by instructing the browser to protect session integrity and long-lived authentication tokens [ForceHTTPS] (Jackson, C. and A. Barth, “ForceHTTPS: Protecting High-Security Web Sites from Network Attacks,” 2008.).



 TOC 

2.3.2.2.  Malware and Browser Vulnerabilities

Because STS is implemented as a browser security mechanism, it relies on the trustworthiness of the user's system to protect the session. Malicious code executing on the user's system can compromise a browser session, regardless of whether STS is used.



 TOC 

2.4.  Requirements

This section identifies and enumerates various requirements derived from the use cases and the threats discussed above, and lists the detailed core requirements Strict Transport Security addresses, as well as ancillary requirements that are not directly addressed.



 TOC 

2.4.1.  Overall Requirement



 TOC 

2.4.1.1.  Detailed Core Requirements

These core requirements are derived from the overall requirement, and are addressed by this specification.

  1. Web sites need to be able to declare to UAs that they should be interacted with using a strict security policy.
  2. Web sites need to be able to instruct UAs that contact them insecurely to do so securely.
  3. UAs need to note web sites that signal strict security policy enablement, for a web site declared time span.
  4. UAs need to re-write all insecure UA "http" URI loads to use the "https" secure scheme for those web sites for which secure policy is enabled.
  5. Web site administrators need to be able to signal strict security policy application to subdomains of higher-level domains for which strict security policy is enabled, and UAs need to enforce such policy.
  6. For example, both example.com and foo.example.com could set policy for bar.foo.example.com.
  7. UAs need to disallow security policy application to peer domains, and/or higher-level domains, by domains for which strict security policy is enabled.
  8. For example, neither bar.foo.example.com nor foo.example.com can set policy for example.com, nor can bar.foo.example.com set policy for foo.example.com. Also, foo.example.com cannot set policy for sibling.example.com.
  9. UAs need to prevent users from clicking-through security warnings. Halting connection attempts in the face of secure transport exceptions is acceptable.

Note:
A means for uniformly securely meeting the first core requirement above is not specifically addressed by this specification (see Section 12.2 (Bootstrap MITM Vulnerability) "Bootstrap MITM Vulnerability (Bootstrap MITM Vulnerability)"). It may be addressed by a future revision of this specification or some other specification. Note also that there are means by which UA implementations may more fully meet the first core requirement, see Section 10 (UA Implementation Advice) "UA Implementation Advice (UA Implementation Advice)".



 TOC 

2.4.1.2.  Detailed Ancillary Requirements

These ancillary requirements are also derived from the overall requirement. They are not normatively addressed in this specification, but could be met by UA implementations at their implementor's discretion, although meeting these requirements may be complex.

  1. Disallow "mixed security context" (also known as "mixed-content") loads (see section 5.3 "Mixed Content" in [W3C.WD‑wsc‑ui‑20100309] (Saldhana, A. and T. Roessler, “Web Security Context: User Interface Guidelines,” March 2010.)).
  2. Facilitate user declaration of web sites for which strict security policy is enabled, regardless of whether the sites signal STS Policy.



 TOC 

3.  Conformance Criteria

This specification is written for servers and user agents (UAs).

As well as sections and appendices marked as non-normative, all diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

In this specification, the words MUST, MUST NOT, MAY, and SHOULD are to be interpreted as described in [RFC2119] (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.).

A conformant server is one that implements all the requirements listed in this specification that are applicable to servers.

A conformant user agent is one that implements all the requirements listed in this specification that are applicable to user agents.



 TOC 

3.1.  Document Conventions

Note:
..is a note to the reader. These are points that should be expressly kept in mind and/or considered.

Warning:
This is how a warning is shown. These are things that can have suboptimal downside risks if not heeded.

[XXXn] (JeffH: Some of the more major known issues are marked like this (where "n" in "XXXn" is a number).)

[TODOn] (JeffH: Things to fix (where "n" in "TODOn" is a number).)



 TOC 

4.  Terminology

Terminology is defined in this section.

ASCII case-insensitive comparison
means comparing two strings exactly, codepoint for codepoint, except that the characters in the range U+0041 .. U+005A (i.e. LATIN CAPITAL LETTER A to LATIN CAPITAL LETTER Z) and the corresponding characters in the range U+0061 .. U+007A (i.e. LATIN SMALL LETTER A to LATIN SMALL LETTER Z) are considered to also match. See [Unicode5] (The Unicode Consortium, “The Unicode Standard, Version 5.0,” 2007.) for details.

codepoint
is a colloquial contraction of Code Point, which is any value in the Unicode codespace; that is, the range of integers from 0 to 10FFFF(hex) [Unicode5] (The Unicode Consortium, “The Unicode Standard, Version 5.0,” 2007.).

Domain Name
Domain Names, also referred to as DNS Names, are defined in [RFC1035] (Mockapetris, P., “Domain names - implementation and specification,” November 1987.) to be represented outside of the DNS protocol itself (and implementations thereof) as a series of labels separated by dots, e.g. "example.com" or "yet.another.example.org". In the context of this specification, Domain Names appear in that portion of a URI satisfying the reg-name production in "Appendix A. Collected ABNF for URI" in [RFC3986] (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.), and the host component from the Host HTTP header field production in section 14.23 of [RFC2616] (Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, “Hypertext Transfer Protocol -- HTTP/1.1,” June 1999.).
Note:
The Domain Names appearing in actual URI instances and matching the aforementioned production components may or may not be FQDNs.

Domain Name Label
is that portion of a Domain Name appearing "between the dots", i.e. consider "foo.example.com": "foo", "example", and "com" are all domain name labels.

Effective Request URI
is a URI that can be constructed by an HTTP server for any given HTTP request sent to it. Some HTTP requests do not contain a contiguous representation of the URI identifying the resource being addressed by the HTTP request. Rather, different portions of a resource's URI may be mapped to both the Request-Line header field and the Host header field in an HTTP request message [I‑D.ietf‑httpbis‑p1‑messaging] (Fielding, R., Gettys, J., Mogul, J., Nielsen, H., Masinter, L., Leach, P., Berners-Lee, T., and J. Reschke, “HTTP/1.1, part 1: URIs, Connections, and Message Parsing,” March 2010.). The HTTP server coalesces these URI fragments and constructs an equivalent of the Request-URI that was used by the UA to generate the received HTTP request message. See Section 11 (Constructing an Effective Request URI) "Constructing an Effective Request URI (Constructing an Effective Request URI)", below.

FQDN
is an acronym for Fully-qualified Domain Name. A FQDN is a Domain Name that includes all higher level domains relevant to the named entity (typically a STS Server in the context of this specification). If one thinks of the DNS as a tree-structure with each node having its own Domain Name Label, a FQDN for a specific node would be its label followed by the labels of all the other nodes between it and the root of the tree. For example, for a host, a FQDN would include the label that identifies the particular host, plus all domains of which the host is a part, up to and including the top-level domain (the root domain is always null) [RFC1594] (Marine, A., Reynolds, J., and G. Malkin, “FYI on Questions and Answers - Answers to Commonly asked "New Internet User" Questions,” March 1994.).

Known STS Server
is a STS Server for which the UA has an STS Policy in effect.

Local policy
is comprised of policy rules deployers specify and which are often manifested as "configuration settings".

MITM
is an acronym for man-in-the-middle. See "man-in-the-middle attack" in [RFC4949] (Shirey, R., “Internet Security Glossary, Version 2,” August 2007.).

Request URI
is the URI used to cause a UA to issue an HTTP request message.

Strict Transport Security
is the overall name for the combined UA- and server-side security policy defined by this specification.

Strict Transport Security Server
is a HTTP server implementing the server aspects of the STS policy.

Strict Transport Security Policy
is the name of the combined overall UA- and server-side facets of the behavior specified by this specification.

STS
See Strict Transport Security.

STS Policy
See Strict Transport Security Policy.

STS Server
See Strict Transport Security Server.

UA
is a an acronym for user agent. For the purposes of this specification, a UA is an HTTP client application typically actively manipulated by a user [RFC2616] (Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, “Hypertext Transfer Protocol -- HTTP/1.1,” June 1999.) .


 TOC 

5.  Syntax

This section defines the syntax of the new header this specification introduces. It also provides a short description of the function the header.

The Section 6 (Server Processing Model) "Server Processing Model (Server Processing Model)" section details how servers are to use this header. Likewise, the Section 7 (User Agent Processing Model) "User Agent Processing Model (User Agent Processing Model)" section details how user agents are to use this header.



 TOC 

5.1.  Strict-Transport-Security HTTP Response Header Field

The Strict-Transport-Security HTTP response header field indicates to a UA that it MUST enforce the STS Policy in regards to the server emitting the response message containing this header field.

The ABNF syntax for the Strict-Transport-Security HTTP Response Header field is:

Strict-Transport-Security =

           "Strict-Transport-Security" ":"  OWS  STS-v  OWS

; STS value
STS-v      = STS-d
           / STS-d  *( OWS ";" OWS STS-d  OWS)

; STS directive
STS-d      = STS-d-cur / STS-d-ext

; defined STS directives
STS-d-cur  = maxAge / includeSubDomains

maxAge     = "max-age" "=" delta-seconds v-ext

includeSubDomains = [ "includeSubDomains" ] v-ext


; extension points
STS-d-ext  = name      ; STS extension directive

v-ext      = value     ; STS extension value

name       = token

value      = OWS / %x21-3A  /  %x3C-7E   ; i.e. optional white space, or
           ;     [ ! .. : ]  [ < .. ~ ] any visible chars other than ";"

;  productions imported from [ID.ietf-httpbis-p1-messaging]:

token

OWS        ; Optional White Space

Note:
[I‑D.ietf‑httpbis‑p1‑messaging] (Fielding, R., Gettys, J., Mogul, J., Nielsen, H., Masinter, L., Leach, P., Berners-Lee, T., and J. Reschke, “HTTP/1.1, part 1: URIs, Connections, and Message Parsing,” March 2010.) is used as the ABNF basis in order to ensure that the new header has equivalent parsing rules to the header fields defined in that same specification. Also:
  1. Quoted-string literals in the above ABNF stanza are case-insensitive.
  2. In order to correctly match the grammar above, the Strict-Transport-Security HTTP Response Header MUST include at least a max-age directive with at least a single-digit value for delta-seconds.

max-age
specifies the number of seconds, after the recption of the Strict-Transport-Security HTTP Response Header, during which the UA regards the host the message was received from as a Known STS Server (see also Section 7.1.1 (Noting a STS Server) "Noting a STS Server (Noting a STS Server)", below). The delta-seconds production is specified in [RFC2616] (Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, “Hypertext Transfer Protocol -- HTTP/1.1,” June 1999.).

[TODO1] (JeffH: The above para wrt max-age may need further refinement.)

includeSubDomains
is a flag which, if present, signals to the UA that the STS Policy applies to this STS Server as well as any subdomains of the server's FQDN.



 TOC 

6.  Server Processing Model

This section describes the processing model that STS Servers implement. The model is comprised of two facets: the first being the processing rules for HTTP request messages received over a secure transport (e.g. TLS [RFC4346] (Dierks, T. and E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.1,” April 2006.), SSL [I‑D.ietf‑tls‑ssl‑version3] (Freier, A., Karlton, P., and P. Kocher, “The SSL Protocol Version 3.0,” November 1996.), or perhaps others, the second being the processing rules for HTTP request messages received over non-secure transports, i.e. over TCP/IP [RFC0793] (Postel, J., “Transmission Control Protocol,” September 1981.).



 TOC 

6.1.  HTTP-over-Secure-Transport Request Type

When replying to an HTTP request that was conveyed over a secure transport, a STS Server SHOULD include in its response message a Strict-Transport-Security HTTP Response Header that MUST satisfy the grammar specified above in Section 5.1 (Strict-Transport-Security HTTP Response Header Field) "Strict-Transport-Security HTTP Response Header Field (Strict-Transport-Security HTTP Response Header Field)". If a Strict-Transport-Sec HTTP Response Header is included, the STS Server MUST include only one such header.

Note:
Including the Strict-Transport-Sec HTTP Response Header is stipulated as a "SHOULD" in order to accomodate various server- and network-side caches and load-balancing configurations where it may be difficult to uniformly emit Strict-Transport-Security HTTP Response Headers on behalf of a given STS Server.

In order to establish a given host as a Known STS Server in the context of a given UA, the host must correctly return, per this specification, at least one valid Strict-Transport-Security HTTP Response Header to the UA.



 TOC 

6.2.  HTTP Request Type

If a STS Server receives a HTTP request message over a non-secure transport, it SHOULD send a HTTP response message containing a Status-Code of 301 and a Location header field value containing either the HTTP request's original Effective Request URI (see Section 11 (Constructing an Effective Request URI) Constructing an Effective Request URI (Constructing an Effective Request URI), below) altered as necessary to have a URI scheme of "https", or a URI generated according to local policy (which SHOULD employ a URI scheme of "https").

A STS Server MUST NOT include the Strict-Transport-Security HTTP Response Header in HTTP responses conveyed over a non-secure transport.



 TOC 

7.  User Agent Processing Model

This section describes the Strict Transport Security processing model for UAs. There are several facets to the model, enumerated by the following subsections.

Also, this processing model assumes that all Domain Names manipulated in this specification's context are already in ASCII Compatible Encoding (ACE) format as specified in [RFC3490] (Faltstrom, P., Hoffman, P., and A. Costello, “Internationalizing Domain Names in Applications (IDNA),” March 2003.). If this is not the case in some situation, use the operation given in Section 8 (Domain Name ToASCII Conversion Operation) "Domain Name ToASCII Conversion Operation (Domain Name ToASCII Conversion Operation)" to convert any encountered internationalized Domain Names to ACE format before processing them.



 TOC 

7.1.  Strict-Transport-Security Response Header Field Processing

If an HTTP response, received over a secure transport, includes a Strict-Transport-Security HTTP Response Header field, conforming to the grammar specified in Section 5.1 (Strict-Transport-Security HTTP Response Header Field) "Strict-Transport-Security HTTP Response Header Field (Strict-Transport-Security HTTP Response Header Field)" (above), and there are no underlying secure transport errors or warnings, the UA MUST either:

or,

Note:
The max-age value is essentially a "time to live" value relative to the reception time of the Strict-Transport-Security HTTP Response Header.

[TODO2] (=JeffH: Decide UA behavior in face of encountering multiple STS headers in a message. Use first header? Last?)

Otherwise:



 TOC 

7.1.1.  Noting a STS Server

If the substring matching the host production from the Request-URI, that the server responded to, syntactically matches the IP-literal or IPv4address productions from section 3.2.2 of [RFC3986] (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.), then the UA MUST NOT note this server as a Known STS Server.

Otherwise, if the substring does not congruently match a presently known STS Server, per the matching procedure specified in Section 7.1.2 (Known STS Server Domain Name Matching) "Known STS Server Domain Name Matching (Known STS Server Domain Name Matching)" below, then the UA MUST note this server as a Known STS Server, caching the STS Server's Domain Name and noting along with it the expiry time of this information, as effectively stipulated per the given max-age value, as well as whether the includeSubDomains flag is asserted or not.



 TOC 

7.1.2.  Known STS Server Domain Name Matching

A UA determines whether a Domain Name represents a Known STS Server by looking for a match between the query Domain Name and the UA's set of Known STS Servers.

  1. Compare the query Domain Name string with the Domain Names of the UA's set of Known STS Servers. For each Known STS Server's Domain Name, the comparison is done with the query Domain Name label-by-label using an ASCII case-insensitive comparison beginning with the rightmost label, and continuing right-to-left, and ignoring separator characters (see clause 3.1(4) of [RFC3986] (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.).



 TOC 

7.2.  URI Loading

Whenever the UA prepares to "load", also known as "dereference", any URI where the host production of the URI [RFC3986] (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.) matches that of a Known STS Server -- either as a congruent match or as a superdomain match where the superdomain Known STS Server has includeSubDomains asserted -- and the URI's scheme is "http", then replace the URI scheme with "https" before proceeding with the load.



 TOC 

7.3.  Errors in Secure Transport Establishment

When connecting to a Known STS Server, the UA MUST terminate the connection with no user recourse if there are any errors (e.g. certificate errors), whether "warning" or "fatal" or any other error level, with the underlying secure transport.



 TOC 

7.4.  HTTP-Equiv <Meta> Element Attribute

UAs MUST NOT heed http-equiv="Strict-Transport-Security" attribute settings on <meta> elements in received content.



 TOC 

8.  Domain Name ToASCII Conversion Operation

This operation converts a string-serialized Domain Name possibly containing arbitrary Unicode characters [Unicode5] (The Unicode Consortium, “The Unicode Standard, Version 5.0,” 2007.) into a string-serialized Domain Name in ASCII Compatible Encoding (ACE) format as specified in [RFC3490] (Faltstrom, P., Hoffman, P., and A. Costello, “Internationalizing Domain Names in Applications (IDNA),” March 2003.).

The operation is:



 TOC 

9.  Server Implementation Advice

STS Policy expiration time considerations:

Considerations for using Strict Transport Security in conjunction with self-signed public-key certificates:



 TOC 

10.  UA Implementation Advice

Notes for STS Server implementors:

In order to provide users and web sites more effective protection, UA implementors should consider including features such as:

In order to provide users effective controls for managing their UA's caching of STS Policy, UA implementors should consider including features such as:

In order to provide users and web sites more complete protection, UAs could offer advanced features such as these:

[XXX2] (JeffH: These latter items beg the question of having some means of secure web site metadata and policy discovery and acquisition. There is extant work that may be of interest, e.g. the W3C POWDER work, OASIS XRI/XRD work (as well as XRDS-Simple), and "Link-based Resource Descriptor Discovery" (draft-hammer-discovery).)



 TOC 

11.  Constructing an Effective Request URI

This section specifies how an STS Server must construct the Effective Request URI for a received HTTP request.

The first line of an HTTP request message is specified by the following ABNF ([I‑D.ietf‑httpbis‑p1‑messaging] (Fielding, R., Gettys, J., Mogul, J., Nielsen, H., Masinter, L., Leach, P., Berners-Lee, T., and J. Reschke, “HTTP/1.1, part 1: URIs, Connections, and Message Parsing,” March 2010.) section 4.1):

  Request-Line   = Method SP request-target SP HTTP-Version CRLF

The request-target is following ABNF ([I‑D.ietf‑httpbis‑p1‑messaging] (Fielding, R., Gettys, J., Mogul, J., Nielsen, H., Masinter, L., Leach, P., Berners-Lee, T., and J. Reschke, “HTTP/1.1, part 1: URIs, Connections, and Message Parsing,” March 2010.) section 4.1.2):

  request-target = "*"
                 / absolute-URI
                 / ( path-absolute [ "?" query ] )
                 / authority

Additionally, many HTTP requests contain an additional Host request header field. It is specified by the following ABNF ([I‑D.ietf‑httpbis‑p1‑messaging] (Fielding, R., Gettys, J., Mogul, J., Nielsen, H., Masinter, L., Leach, P., Berners-Lee, T., and J. Reschke, “HTTP/1.1, part 1: URIs, Connections, and Message Parsing,” March 2010.) section 4.1.2):

  Host = "Host:" OWS Host-v
  Host-v = uri-host [ ":" port ]

Thus an example HTTP message containing the above header fields is:

  GET /hello.txt HTTP/1.1
  Host: www.example.com

Another example is:

  GET HTTP://www.example.com/hello.txt  HTTP/1.1

An STS Server constructs the Effective Request URI using the following ABNF grammar (which imports some productions from the above ABNF for Request-Line, request-target, and Host:


   Effective-Request-URI = absolute-URI-present / path-absolute-form

   absolute-URI-present  = absolute-URI

   path-absolute-form  = scheme "://" Host-v path-absolute [ "?" query ]

   where:

     scheme is &quot;http&quot; if the request was received over
     insecure transport, or scheme is &quot;https&quot; if the
     request was received over secure transport.

For example, if the request message contains a request-target component that matches the grammar of absolute-URI, then the Effective-Request-URI is simply the value of the absolute-URI component. Otherwise, the Effective-Request-URI is a combination, per the path-absolute-form production, of the Host-v, path-absolute, and query components from the request-target and Host components of the request message.

[TODO3] (JeffH: This is a first SWAG at this section. Fix/add prose as appropriate, fix ABNF as needed per review.)



 TOC 

12.  Security Considerations



 TOC 

12.1.  Denial of Service (DoS)

STS could be used to mount certain forms of DoS attacks, where attackers set fake STS headers on legitimate sites available only insecurely (e.g. social network service sites, wikis, etc.).



 TOC 

12.2.  Bootstrap MITM Vulnerability

The bootstrap MITM (Man-In-The-Middle) vulnerability is a vulnerability users and STS Servers encounter in the situation where the user manually enters, or follows a link, to a STS Server using a "http" URI rather than a "https" URI. Because the UA uses an insecure channel in the initial attempt to interact with the specified serve, such an initial interaction is vulnerable to various attacks [ForceHTTPS] (Jackson, C. and A. Barth, “ForceHTTPS: Protecting High-Security Web Sites from Network Attacks,” 2008.) .

Note:
There are various features/facilities that UA implementations may employ in order to mitigate this vulnerability. Please see Section 10 (UA Implementation Advice) UA Implementation Advice (UA Implementation Advice).



 TOC 

12.3.  Network Time Attacks

Active network attacks can subvert network time protocols (like NTP) - making this header less effective against clients that trust NTP and/or lack a real time clock. Network time attacks are therefore beyond the scope of the defense. Note that modern operating systems use NTP by default.



 TOC 

12.4.  Bogus Root CA Certificate Phish plus DNS Cache Poisoning Attack

If an attacker can convince users of, say, https://bank.example.com (which is protected by STS Policy), to install their own version of a root CA certificate purporting to be bank.example.com's CA, e.g. via a phishing email message with a link to such a certificate -- then, if they can perform an attack on the users' DNS, e.g. via cache poisoning, and turn on STS Policy for their fake bank.example.com site, then they have themselves some new users.



 TOC 

13.  IANA Considerations

Below is the Internet Assigned Numbers Authority (IANA) Provisional Message Header Field registration information per [RFC3864] (Klyne, G., Nottingham, M., and J. Mogul, “Registration Procedures for Message Header Fields,” September 2004.).

Header field name:           Strict-Transport-Security
Applicable protocol:         HTTP
Status:                      provisional
Author/Change controller:    TBD
Specification document(s):   this one


 TOC 

14.  Design Decision Notes

This appendix documents various design decisions.

  1. Cookies aren't appropriate for STS Policy expression as they are potentially mutable (while stored in the UA), therefore an HTTP header field is employed.
  2. We chose to not attempt to specify how "mixed security context loads" (aka "mixed-content loads") are handled due to UA implementation considerations as well as classification difficulties.
  3. A STS Server may update UA notions of STS Policy via new STS header field values. We chose to have UAs honor the "freshest" information received from a server because there is the chance of a web site sending out an errornous STS Policy, such as a multi-year max-age value, and/or an incorrect includeSubDomains flag. If the STS Server couldn't correct such errors over protocol, it would require some form of annunciation to users and manual intervention on their part, which could be a non-trivial problem.
  4. STS Servers are identified only via Domain Names -- explicit IP address identification of all forms is excluded. This is for simplification and also is in recognition of various issues with using direct IP address identification in concert with PKI-based security.



 TOC 

15.  References



 TOC 

15.1. Normative References

[I-D.ietf-httpbis-p1-messaging] Fielding, R., Gettys, J., Mogul, J., Nielsen, H., Masinter, L., Leach, P., Berners-Lee, T., and J. Reschke, “HTTP/1.1, part 1: URIs, Connections, and Message Parsing,” draft-ietf-httpbis-p1-messaging-09 (work in progress), March 2010 (TXT).
[RFC1035] Mockapetris, P., “Domain names - implementation and specification,” STD 13, RFC 1035, November 1987 (TXT).
[RFC1594] Marine, A., Reynolds, J., and G. Malkin, “FYI on Questions and Answers - Answers to Commonly asked "New Internet User" Questions,” RFC 1594, March 1994 (TXT).
[RFC1983] Malkin, G., “Internet Users' Glossary,” RFC 1983, August 1996 (TXT).
[RFC2109] Kristol, D. and L. Montulli, “HTTP State Management Mechanism,” RFC 2109, February 1997 (TXT, HTML, XML).
[RFC2119] Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML).
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, “Hypertext Transfer Protocol -- HTTP/1.1,” RFC 2616, June 1999 (TXT, PS, PDF, HTML, XML).
[RFC2818] Rescorla, E., “HTTP Over TLS,” RFC 2818, May 2000 (TXT).
[RFC2965] Kristol, D. and L. Montulli, “HTTP State Management Mechanism,” RFC 2965, October 2000 (TXT, HTML, XML).
[RFC3454] Hoffman, P. and M. Blanchet, “Preparation of Internationalized Strings ("stringprep"),” RFC 3454, December 2002 (TXT).
[RFC3490] Faltstrom, P., Hoffman, P., and A. Costello, “Internationalizing Domain Names in Applications (IDNA),” RFC 3490, March 2003 (TXT).
[RFC3492] Costello, A., “Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA),” RFC 3492, March 2003 (TXT).
[RFC3864] Klyne, G., Nottingham, M., and J. Mogul, “Registration Procedures for Message Header Fields,” BCP 90, RFC 3864, September 2004 (TXT).
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” STD 66, RFC 3986, January 2005 (TXT, HTML, XML).
[RFC4346] Dierks, T. and E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.1,” RFC 4346, April 2006 (TXT).
[RFC4949] Shirey, R., “Internet Security Glossary, Version 2,” RFC 4949, August 2007 (TXT).
[Unicode5] The Unicode Consortium, “The Unicode Standard, Version 5.0,” Boston, MA, Addison-Wesley ISBN 0-321-48091-0, 2007.
[W3C.WD-html5-20100304] Hyatt, D. and I. Hickson, “HTML5,” World Wide Web Consortium WD WD-html5-20100304, March 2010 (HTML).


 TOC 

15.2. Informative References

[ForceHTTPS] Jackson, C. and A. Barth, “ForceHTTPS: Protecting High-Security Web Sites from Network Attacks,” In Proceedings of the 17th International World Wide Web Conference (WWW2008) , 2008.
[GoodDhamijaEtAl05] Good, N., Dhamija, R., Grossklags, J., Thaw, D., Aronowitz, S., Mulligan, D., and J. Konstan, “Stopping Spyware at the Gate: A User Study of Privacy, Notice and Spyware,” In Proceedings of Symposium On Usable Privacy and Security (SOUPS) Pittsburgh, PA, USA, July 2005.
[HASMAT] HASMAT -- HTTP Application Security Minus Authentication and Transport.”
[I-D.ietf-tls-ssl-version3] Freier, A., Karlton, P., and P. Kocher, “The SSL Protocol Version 3.0,” draft-ietf-tls-ssl-version3 (work in progress), November 1996.
[RFC0793] Postel, J., “Transmission Control Protocol,” STD 7, RFC 793, September 1981 (TXT).
[RFC2396] Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifiers (URI): Generic Syntax,” RFC 2396, August 1998 (TXT, HTML, XML).
[SunshineEgelmanEtAl09] Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., and L. Cranor, “Crying Wolf: An Empirical Study of SSL Warning Effectiveness,” In Proceedings of 18th USENIX Security Symposium Montreal, Canada, Augus 2009.
[W3C.WD-wsc-ui-20100309] Saldhana, A. and T. Roessler, “Web Security Context: User Interface Guidelines,” World Wide Web Consortium LastCall WD-wsc-ui-20100309, March 2010 (HTML).


 TOC 

Appendix A.  Acknowledgments

This appendix is non-normative.

The authors thank Michael Barrett, Sid Stamm, Maciej Stachowiak, Andy Steingrubl, Brandon Sterne, Daniel Veditz for their review and contributions.



 TOC 

Authors' Addresses

  Jeff Hodges
  PayPal
Email:  Jeff.Hodges@PayPal.com
  
  Collin Jackson
  Carnegie Mellon University
Email:  collin.jackson@sv.cmu.edu
  
  Adam Barth
  University of California Berkeley
Email:  abarth@eecs.berkeley.edu