idnits 2.17.1
draft-hodges-strict-transport-sec-00.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== Line 454 has weird spacing: '... Server is a ...'
== Line 559 has weird spacing: '...max-age speci...'
== The document seems to lack the recommended RFC 2119 boilerplate, even if
it appears to use RFC 2119 keywords.
(The document does seem to have the reference to RFC 2119 which the
ID-Checklist requires).
-- The document date (June 17, 2010) is 5062 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Missing Reference: 'ID.ietf-httpbis-p1-messaging' is mentioned on line
540, but not defined
== Unused Reference: 'RFC1983' is defined on line 1035, but no explicit
reference was found in the text
== Unused Reference: 'RFC3454' is defined on line 1053, but no explicit
reference was found in the text
== Unused Reference: 'RFC3492' is defined on line 1061, but no explicit
reference was found in the text
== Unused Reference: 'RFC2396' is defined on line 1115, but no explicit
reference was found in the text
== Outdated reference: A later version (-26) exists of
draft-ietf-httpbis-p1-messaging-09
** Obsolete normative reference: RFC 1594 (Obsoleted by RFC 2664)
** Downref: Normative reference to an Informational RFC: RFC 1983
** Obsolete normative reference: RFC 2109 (Obsoleted by RFC 2965)
** Obsolete normative reference: RFC 2616 (Obsoleted by RFC 7230, RFC 7231,
RFC 7232, RFC 7233, RFC 7234, RFC 7235)
** Obsolete normative reference: RFC 2818 (Obsoleted by RFC 9110)
** Obsolete normative reference: RFC 2965 (Obsoleted by RFC 6265)
** Obsolete normative reference: RFC 3454 (Obsoleted by RFC 7564)
** Obsolete normative reference: RFC 3490 (Obsoleted by RFC 5890, RFC 5891)
** Obsolete normative reference: RFC 4346 (Obsoleted by RFC 5246)
** Downref: Normative reference to an Informational RFC: RFC 4949
-- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode5'
-- Obsolete informational reference (is this intentional?): RFC 793
(Obsoleted by RFC 9293)
-- Obsolete informational reference (is this intentional?): RFC 2396
(Obsoleted by RFC 3986)
Summary: 10 errors (**), 0 flaws (~~), 10 warnings (==), 4 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Network Working Group J. Hodges
3 Internet-Draft PayPal
4 Intended status: Standards Track C. Jackson
5 Expires: December 19, 2010 Carnegie Mellon University
6 A. Barth
7 University of California
8 Berkeley
9 June 17, 2010
11 HTTP Strict Transport Security
12 draft-hodges-strict-transport-sec-00
14 Abstract
16 This specification defines a mechanism enabling Web sites to declare
17 themselves accessible only via secure connections, and/or for users
18 to be able to direct their user agent(s) to interact with given sites
19 only over secure connections. This overall policy is referred to as
20 Strict Transport Security (STS). The policy is declared by Web sites
21 via the Strict-Transport-Security HTTP Response Header Field.
23 Status of this Memo
25 This Internet-Draft is submitted in full conformance with the
26 provisions of BCP 78 and BCP 79.
28 Internet-Drafts are working documents of the Internet Engineering
29 Task Force (IETF). Note that other groups may also distribute
30 working documents as Internet-Drafts. The list of current Internet-
31 Drafts is at http://datatracker.ietf.org/drafts/current/.
33 Internet-Drafts are draft documents valid for a maximum of six months
34 and may be updated, replaced, or obsoleted by other documents at any
35 time. It is inappropriate to use Internet-Drafts as reference
36 material or to cite them other than as "work in progress."
38 This Internet-Draft will expire on December 19, 2010.
40 Copyright Notice
42 Copyright (c) 2010 IETF Trust and the persons identified as the
43 document authors. All rights reserved.
45 This document is subject to BCP 78 and the IETF Trust's Legal
46 Provisions Relating to IETF Documents
47 (http://trustee.ietf.org/license-info) in effect on the date of
48 publication of this document. Please review these documents
49 carefully, as they describe your rights and restrictions with respect
50 to this document. Code Components extracted from this document must
51 include Simplified BSD License text as described in Section 4.e of
52 the Trust Legal Provisions and are provided without warranty as
53 described in the Simplified BSD License.
55 Table of Contents
57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
58 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
59 2.1. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . 5
60 2.2. Strict Transport Security Policy Effects . . . . . . . . . 5
61 2.3. Threat Model . . . . . . . . . . . . . . . . . . . . . . . 5
62 2.3.1. Threats Addressed . . . . . . . . . . . . . . . . . . 6
63 2.3.1.1. Passive Network Attackers . . . . . . . . . . . . 6
64 2.3.1.2. Active Network Attackers . . . . . . . . . . . . . 6
65 2.3.1.3. Web Site Development and Deployment Bugs . . . . . 6
66 2.3.2. Threats Not Addressed . . . . . . . . . . . . . . . . 7
67 2.3.2.1. Phishing . . . . . . . . . . . . . . . . . . . . . 7
68 2.3.2.2. Malware and Browser Vulnerabilities . . . . . . . 7
69 2.4. Requirements . . . . . . . . . . . . . . . . . . . . . . . 7
70 2.4.1. Overall Requirement . . . . . . . . . . . . . . . . . 7
71 2.4.1.1. Detailed Core Requirements . . . . . . . . . . . . 8
72 2.4.1.2. Detailed Ancillary Requirements . . . . . . . . . 9
73 3. Conformance Criteria . . . . . . . . . . . . . . . . . . . . . 9
74 3.1. Document Conventions . . . . . . . . . . . . . . . . . . . 9
75 4. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 10
76 5. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
77 5.1. Strict-Transport-Security HTTP Response Header Field . . . 12
78 6. Server Processing Model . . . . . . . . . . . . . . . . . . . 14
79 6.1. HTTP-over-Secure-Transport Request Type . . . . . . . . . 14
80 6.2. HTTP Request Type . . . . . . . . . . . . . . . . . . . . 15
81 7. User Agent Processing Model . . . . . . . . . . . . . . . . . 15
82 7.1. Strict-Transport-Security Response Header Field
83 Processing . . . . . . . . . . . . . . . . . . . . . . . . 15
84 7.1.1. Noting a STS Server . . . . . . . . . . . . . . . . . 16
85 7.1.2. Known STS Server Domain Name Matching . . . . . . . . 16
86 7.2. URI Loading . . . . . . . . . . . . . . . . . . . . . . . 17
87 7.3. Errors in Secure Transport Establishment . . . . . . . . . 18
88 7.4. HTTP-Equiv Element Attribute . . . . . . . . . . . 18
89 8. Domain Name ToASCII Conversion Operation . . . . . . . . . . . 18
90 9. Server Implementation Advice . . . . . . . . . . . . . . . . . 18
91 10. UA Implementation Advice . . . . . . . . . . . . . . . . . . . 19
92 11. Constructing an Effective Request URI . . . . . . . . . . . . 21
93 12. Security Considerations . . . . . . . . . . . . . . . . . . . 22
94 12.1. Denial of Service (DoS) . . . . . . . . . . . . . . . . . 22
95 12.2. Bootstrap MITM Vulnerability . . . . . . . . . . . . . . . 22
96 12.3. Network Time Attacks . . . . . . . . . . . . . . . . . . . 22
97 12.4. Bogus Root CA Certificate Phish plus DNS Cache
98 Poisoning Attack . . . . . . . . . . . . . . . . . . . . . 23
99 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
100 14. Design Decision Notes . . . . . . . . . . . . . . . . . . . . 23
101 15. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
102 15.1. Normative References . . . . . . . . . . . . . . . . . . . 24
103 15.2. Informative References . . . . . . . . . . . . . . . . . . 25
104 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 26
105 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 26
107 1. Introduction
109 The HTTP protocol [RFC2616] may be used over various transports,
110 typically the Transmission Control Protocol (TCP) [RFC0793].
111 However, TCP does not provide channel integrity protection,
112 confidentiality, nor secure server identification. Thus the Secure
113 Sockets Layer (SSL) protocol [I-D.ietf-tls-ssl-version3] and its
114 successor Transport Layer Security (TLS) [RFC4346], were developed in
115 order to provide channel-oriented security, and are typically layered
116 between application protocols and TCP. [RFC2818] specifies how HTTP
117 is layered onto TLS, and defines the Universal Resource Identifier
118 (URI) scheme of "https" (in practice however, HTTP user agents (UAs)
119 typically offer their users choices among SSL2, SSL3, and TLS for
120 secure transport). URIs themselves are specified in [RFC3986].
122 UAs employ various local security policies with respect to the
123 characteristics of their interactions with web resources depending on
124 (in part) whether they are communicating with a given web resource
125 using HTTP or HTTP-over-a-Secure-Transport. For example, cookies
126 ([RFC2109] and [RFC2965]) may be flagged as Secure. UAs are to send
127 such Secure cookies to their addressed server only over a secure
128 transport. This is in contrast to non-Secure cookies, which are
129 returned to the server regardless of transport (although modulo other
130 rules).
132 UAs typically annunciate to their users any issues with secure
133 connection establishment, such as being unable to validate a server
134 certificate trust chain, or if a server certificate is expired, or if
135 a server's domain name appears incorrectly in the server certificate
136 (see section 3.1 of [RFC2818]). Often, UAs provide for users to be
137 able to elect to continue to interact with a web resource in the face
138 of such issues. This behavior is sometimes referred to as
139 "click(ing) through" security [GoodDhamijaEtAl05]
140 [SunshineEgelmanEtAl09], and thus can be described as "click-through
141 insecurity" .
143 Jackson and Barth proposed an approach, in [ForceHTTPS], to enable
144 web sites and/or users to be able to declare that such issues are to
145 be treated as fatal and without direct user recourse. The aim is to
146 prevent users from unintentionally downgrading their security.
148 This specification embodies and refines the approach proposed in
149 [ForceHTTPS], e.g. a HTTP response header field is used to convey
150 site policy to the UA rather than a cookie.
152 2. Overview
154 This section discusses the use cases, summarizes the Strict Transport
155 Security (STS) policy, and continues with a discussion of the threat
156 model, non-addressed threats, and derived requirements.
158 2.1. Use Cases
160 The overall applicable use case here is a combination of these two
161 use cases:
163 o Web browser user wishes to discover, or be introduced to, and/or
164 utilize various web sites (some arbitrary, some known) in a secure
165 fashion.
167 o Web site deployer wishes to offer their site in an explicitly
168 secure fashion for both their own, as well as their users',
169 benefit.
171 2.2. Strict Transport Security Policy Effects
173 The characteristics of the Strict Transport Security policy, as
174 applied by a UA in its interactions with a web site wielding STS
175 Policy, known as a STS Server, is summarized as follows:
177 1. Insecure ("http") connections to a STS Server are redirected by
178 the STS Server to be secure connections ("https").
180 2. The UA terminates, without user recourse, any secure transport
181 connection attempts upon any and all secure transport errors or
182 warnings, including those caused by a site wielding self-signed
183 certificates.
185 3. UAs transform insecure URI references to a STS Server into secure
186 URI references before dereferencing them.
188 2.3. Threat Model
190 STS is concerned with three threat classes: passive network
191 attackers, active network attackers, and imperfect web developers.
192 However, it is explicitly not a remedy for two other classes of
193 threats: phishing and malware. Addressed and not addressed threats
194 are briefly discussed below. Readers may wish refer to [ForceHTTPS]
195 for details as well as relevant citations.
197 2.3.1. Threats Addressed
199 2.3.1.1. Passive Network Attackers
201 When a user browses the web on a wireless network, a nearby attacker
202 can eavesdrop on unencrypted connections, such as HTTP requests.
203 Such a passive network attacker can steal session identifiers and
204 hijack the user's session, by obtaining cookies containing
205 authentication credentials for example. Such passive eavesdropping
206 attacks are easily performed using wireless sniffing toolkits.
208 To mitigate this threat, some sites permit, but usually do not force,
209 access using secure transport -- e.g. by employing "https" URIs.
210 This can lead users to believe that accessing such services using
211 secure transport protects them from passive network attackers.
212 Unfortunately, this is often not the case in real-world deployments
213 as session identifiers are often stored in non-Secure cookies to
214 permit interoperability with versions of the service offered over
215 insecure transport. For example, if the session identifier for a web
216 site (an email service, say) is stored in a non-Secure cookie, it
217 permits an attacker to hijack the user's session if the user makes a
218 single insecure HTTP request to the site.
220 2.3.1.2. Active Network Attackers
222 A determined attacker can mount an active attack, either by
223 impersonating a user's DNS server or, in a wireless network, by
224 spoofing network frames or offering a similarly-named evil twin
225 access point. If the user is behind a wireless home router, an
226 attacker can attempt to reconfigure the router using default
227 passwords and other vulnerabilities. Some sites, such as banks, rely
228 on secure transport to protect themselves and their users from such
229 active attackers. Unfortunately, browsers allow their users to
230 easily opt-out of these protections in order to be usable for sites
231 that incorrectly deploy secure transport, for example by generating
232 and self-signing their own certificates (without also distributing
233 their CA certificate to their users' browsers).
235 2.3.1.3. Web Site Development and Deployment Bugs
237 The security of an otherwise uniformly secure site (i.e. all of its
238 content is materialized via "https" URIs), can be compromised
239 completely by an active attacker exploiting a simple mistake, such as
240 the loading of a cascading style sheet or a SWF movie over an
241 insecure connection (both cascading style sheets and SWF movies can
242 script the embedding page, to the surprise of many web developers --
243 most browsers do not issue mixed content warnings when insecure SWF
244 files are embedded). Even if the site's developers carefully
245 scrutinize their login page for mixed content, a single insecure
246 embedding anywhere on the site compromises the security of their
247 login page because an attacker can script (control) the login page by
248 injecting script into the page with mixed content.
250 Note: "Mixed content" here refers to the same notion referred to as
251 "mixed security context" later elsewhere in this
252 specification.
254 2.3.2. Threats Not Addressed
256 2.3.2.1. Phishing
258 Phishing attacks occur when an attacker solicits authentication
259 credentials from the user by hosting a fake site located on a
260 different domain than the real site, perhaps driving traffic to the
261 fake site by sending a link in an email message. Phishing attacks
262 can be very effective because users find it difficult to distinguish
263 the real site from a fake site. STS is not a defense against
264 phishing per se; rather, it complements many existing phishing
265 defenses by instructing the browser to protect session integrity and
266 long-lived authentication tokens [ForceHTTPS].
268 2.3.2.2. Malware and Browser Vulnerabilities
270 Because STS is implemented as a browser security mechanism, it relies
271 on the trustworthiness of the user's system to protect the session.
272 Malicious code executing on the user's system can compromise a
273 browser session, regardless of whether STS is used.
275 2.4. Requirements
277 This section identifies and enumerates various requirements derived
278 from the use cases and the threats discussed above, and lists the
279 detailed core requirements Strict Transport Security addresses, as
280 well as ancillary requirements that are not directly addressed.
282 2.4.1. Overall Requirement
284 o Minimize the risks to web browser users and web site deployers
285 that are derived from passive and active network attackers, web
286 site development and deployment bugs, as well as insecure user
287 actions.
289 2.4.1.1. Detailed Core Requirements
291 These core requirements are derived from the overall requirement, and
292 are addressed by this specification.
294 1. Web sites need to be able to declare to UAs that they should be
295 interacted with using a strict security policy.
297 2. Web sites need to be able to instruct UAs that contact them
298 insecurely to do so securely.
300 3. UAs need to note web sites that signal strict security policy
301 enablement, for a web site declared time span.
303 4. UAs need to re-write all insecure UA "http" URI loads to use the
304 "https" secure scheme for those web sites for which secure policy
305 is enabled.
307 5. Web site administrators need to be able to signal strict security
308 policy application to subdomains of higher-level domains for
309 which strict security policy is enabled, and UAs need to enforce
310 such policy.
312 6. For example, both example.com and foo.example.com could set
313 policy for bar.foo.example.com.
315 7. UAs need to disallow security policy application to peer domains,
316 and/or higher-level domains, by domains for which strict security
317 policy is enabled.
319 8. For example, neither bar.foo.example.com nor foo.example.com can
320 set policy for example.com, nor can bar.foo.example.com set
321 policy for foo.example.com. Also, foo.example.com cannot set
322 policy for sibling.example.com.
324 9. UAs need to prevent users from clicking-through security
325 warnings. Halting connection attempts in the face of secure
326 transport exceptions is acceptable.
328 Note: A means for uniformly securely meeting the first core
329 requirement above is not specifically addressed by this
330 specification (see Section 12.2 "Bootstrap MITM
331 Vulnerability"). It may be addressed by a future revision of
332 this specification or some other specification. Note also
333 that there are means by which UA implementations may more
334 fully meet the first core requirement, see Section 10 "UA
335 Implementation Advice".
337 2.4.1.2. Detailed Ancillary Requirements
339 These ancillary requirements are also derived from the overall
340 requirement. They are not normatively addressed in this
341 specification, but could be met by UA implementations at their
342 implementor's discretion, although meeting these requirements may be
343 complex.
345 1. Disallow "mixed security context" (also known as "mixed-content")
346 loads (see section 5.3 "Mixed Content" in
347 [W3C.WD-wsc-ui-20100309]).
349 2. Facilitate user declaration of web sites for which strict
350 security policy is enabled, regardless of whether the sites
351 signal STS Policy.
353 3. Conformance Criteria
355 This specification is written for servers and user agents (UAs).
357 As well as sections and appendices marked as non-normative, all
358 diagrams, examples, and notes in this specification are non-
359 normative. Everything else in this specification is normative.
361 In this specification, the words MUST, MUST NOT, MAY, and SHOULD are
362 to be interpreted as described in [RFC2119].
364 A conformant server is one that implements all the requirements
365 listed in this specification that are applicable to servers.
367 A conformant user agent is one that implements all the requirements
368 listed in this specification that are applicable to user agents.
370 3.1. Document Conventions
372 Note: ..is a note to the reader. These are points that should be
373 expressly kept in mind and/or considered.
375 Warning: This is how a warning is shown. These are things that can
376 have suboptimal downside risks if not heeded.
378 [[XXXn: Some of the more major known issues are marked like this
379 (where "n" in "XXXn" is a number). --JeffH]]
381 [[TODOn: Things to fix (where "n" in "TODOn" is a number). --JeffH]]
383 4. Terminology
385 Terminology is defined in this section.
387 ASCII case-insensitive comparison
388 means comparing two strings exactly, codepoint for
389 codepoint, except that the characters in the range
390 U+0041 .. U+005A (i.e. LATIN CAPITAL LETTER A to
391 LATIN CAPITAL LETTER Z) and the corresponding
392 characters in the range U+0061 .. U+007A (i.e.
393 LATIN SMALL LETTER A to LATIN SMALL LETTER Z) are
394 considered to also match. See [Unicode5] for
395 details.
397 codepoint is a colloquial contraction of Code Point, which is
398 any value in the Unicode codespace; that is, the
399 range of integers from 0 to 10FFFF(hex) [Unicode5].
401 Domain Name Domain Names, also referred to as DNS Names, are
402 defined in [RFC1035] to be represented outside of
403 the DNS protocol itself (and implementations
404 thereof) as a series of labels separated by dots,
405 e.g. "example.com" or "yet.another.example.org".
406 In the context of this specification, Domain Names
407 appear in that portion of a URI satisfying the reg-
408 name production in "Appendix A. Collected ABNF for
409 URI" in [RFC3986], and the host component from the
410 Host HTTP header field production in section 14.23
411 of [RFC2616].
413 Note: The Domain Names appearing in actual URI
414 instances and matching the aforementioned
415 production components may or may not be
416 FQDNs.
418 Domain Name Label is that portion of a Domain Name appearing "between
419 the dots", i.e. consider "foo.example.com": "foo",
420 "example", and "com" are all domain name labels.
422 Effective Request URI
423 is a URI that can be constructed by an HTTP server
424 for any given HTTP request sent to it. Some HTTP
425 requests do not contain a contiguous representation
426 of the URI identifying the resource being addressed
427 by the HTTP request. Rather, different portions of
428 a resource's URI may be mapped to both the Request-
429 Line header field and the Host header field in an
430 HTTP request message
432 [I-D.ietf-httpbis-p1-messaging]. The HTTP server
433 coalesces these URI fragments and constructs an
434 equivalent of the Request-URI that was used by the
435 UA to generate the received HTTP request message.
436 See Section 11 "Constructing an Effective Request
437 URI", below.
439 FQDN is an acronym for Fully-qualified Domain Name. A
440 FQDN is a Domain Name that includes all higher
441 level domains relevant to the named entity
442 (typically a STS Server in the context of this
443 specification). If one thinks of the DNS as a
444 tree-structure with each node having its own Domain
445 Name Label, a FQDN for a specific node would be its
446 label followed by the labels of all the other nodes
447 between it and the root of the tree. For example,
448 for a host, a FQDN would include the label that
449 identifies the particular host, plus all domains of
450 which the host is a part, up to and including the
451 top-level domain (the root domain is always null)
452 [RFC1594].
454 Known STS Server is a STS Server for which the UA has an STS Policy
455 in effect.
457 Local policy is comprised of policy rules deployers specify and
458 which are often manifested as "configuration
459 settings".
461 MITM is an acronym for man-in-the-middle. See "man-in-
462 the-middle attack" in [RFC4949].
464 Request URI is the URI used to cause a UA to issue an HTTP
465 request message.
467 Strict Transport Security
468 is the overall name for the combined UA- and
469 server-side security policy defined by this
470 specification.
472 Strict Transport Security Server
473 is a HTTP server implementing the server aspects of
474 the STS policy.
476 Strict Transport Security Policy
477 is the name of the combined overall UA- and server-
478 side facets of the behavior specified by this
479 specification.
481 STS See Strict Transport Security.
483 STS Policy See Strict Transport Security Policy.
485 STS Server See Strict Transport Security Server.
487 UA is a an acronym for user agent. For the purposes
488 of this specification, a UA is an HTTP client
489 application typically actively manipulated by a
490 user [RFC2616] .
492 5. Syntax
494 This section defines the syntax of the new header this specification
495 introduces. It also provides a short description of the function the
496 header.
498 The Section 6 "Server Processing Model" section details how servers
499 are to use this header. Likewise, the Section 7 "User Agent
500 Processing Model" section details how user agents are to use this
501 header.
503 5.1. Strict-Transport-Security HTTP Response Header Field
505 The Strict-Transport-Security HTTP response header field indicates to
506 a UA that it MUST enforce the STS Policy in regards to the server
507 emitting the response message containing this header field.
509 The ABNF syntax for the Strict-Transport-Security HTTP Response
510 Header field is:
512 Strict-Transport-Security =
514 "Strict-Transport-Security" ":" OWS STS-v OWS
516 ; STS value
517 STS-v = STS-d
518 / STS-d *( OWS ";" OWS STS-d OWS)
520 ; STS directive
521 STS-d = STS-d-cur / STS-d-ext
523 ; defined STS directives
524 STS-d-cur = maxAge / includeSubDomains
526 maxAge = "max-age" "=" delta-seconds v-ext
528 includeSubDomains = [ "includeSubDomains" ] v-ext
530 ; extension points
531 STS-d-ext = name ; STS extension directive
533 v-ext = value ; STS extension value
535 name = token
537 value = OWS / %x21-3A / %x3C-7E ; i.e. optional white space, or
538 ; [ ! .. : ] [ < .. ~ ] any visible chars other than ";"
540 ; productions imported from [ID.ietf-httpbis-p1-messaging]:
542 token
544 OWS ; Optional White Space
546 Note: [I-D.ietf-httpbis-p1-messaging] is used as the ABNF basis in
547 order to ensure that the new header has equivalent parsing
548 rules to the header fields defined in that same specification.
549 Also:
551 1. Quoted-string literals in the above ABNF stanza are
552 case-insensitive.
554 2. In order to correctly match the grammar above, the
555 Strict-Transport-Security HTTP Response Header MUST
556 include at least a max-age directive with at least a
557 single-digit value for delta-seconds.
559 max-age specifies the number of seconds, after the recption of the
560 Strict-Transport-Security HTTP Response Header, during which
561 the UA regards the host the message was received from as a
562 Known STS Server (see also Section 7.1.1 "Noting a STS
563 Server", below). The delta-seconds production is specified
564 in [RFC2616].
566 [[TODO1: The above para wrt max-age may need further refinement.
567 --JeffH]]
569 includeSubDomains is a flag which, if present, signals to the UA that
570 the STS Policy applies to this STS Server as well
571 as any subdomains of the server's FQDN.
573 6. Server Processing Model
575 This section describes the processing model that STS Servers
576 implement. The model is comprised of two facets: the first being the
577 processing rules for HTTP request messages received over a secure
578 transport (e.g. TLS [RFC4346], SSL [I-D.ietf-tls-ssl-version3], or
579 perhaps others, the second being the processing rules for HTTP
580 request messages received over non-secure transports, i.e. over
581 TCP/IP [RFC0793].
583 6.1. HTTP-over-Secure-Transport Request Type
585 When replying to an HTTP request that was conveyed over a secure
586 transport, a STS Server SHOULD include in its response message a
587 Strict-Transport-Security HTTP Response Header that MUST satisfy the
588 grammar specified above in Section 5.1 "Strict-Transport-Security
589 HTTP Response Header Field". If a Strict-Transport-Sec HTTP Response
590 Header is included, the STS Server MUST include only one such header.
592 Note: Including the Strict-Transport-Sec HTTP Response Header is
593 stipulated as a "SHOULD" in order to accomodate various
594 server- and network-side caches and load-balancing
595 configurations where it may be difficult to uniformly emit
596 Strict-Transport-Security HTTP Response Headers on behalf of a
597 given STS Server.
599 In order to establish a given host as a Known STS Server in the
600 context of a given UA, the host must correctly return, per this
601 specification, at least one valid Strict-Transport-Security HTTP
602 Response Header to the UA.
604 6.2. HTTP Request Type
606 If a STS Server receives a HTTP request message over a non-secure
607 transport, it SHOULD send a HTTP response message containing a
608 Status-Code of 301 and a Location header field value containing
609 either the HTTP request's original Effective Request URI (see
610 Section 11 Constructing an Effective Request URI, below) altered as
611 necessary to have a URI scheme of "https", or a URI generated
612 according to local policy (which SHOULD employ a URI scheme of
613 "https").
615 A STS Server MUST NOT include the Strict-Transport-Security HTTP
616 Response Header in HTTP responses conveyed over a non-secure
617 transport.
619 7. User Agent Processing Model
621 This section describes the Strict Transport Security processing model
622 for UAs. There are several facets to the model, enumerated by the
623 following subsections.
625 Also, this processing model assumes that all Domain Names manipulated
626 in this specification's context are already in ASCII Compatible
627 Encoding (ACE) format as specified in [RFC3490]. If this is not the
628 case in some situation, use the operation given in Section 8 "Domain
629 Name ToASCII Conversion Operation" to convert any encountered
630 internationalized Domain Names to ACE format before processing them.
632 7.1. Strict-Transport-Security Response Header Field Processing
634 If an HTTP response, received over a secure transport, includes a
635 Strict-Transport-Security HTTP Response Header field, conforming to
636 the grammar specified in Section 5.1 "Strict-Transport-Security HTTP
637 Response Header Field" (above), and there are no underlying secure
638 transport errors or warnings, the UA MUST either:
640 o Note the server as a Known STS Server if it is not already so
641 noted (see Section 7.1.1 "Noting a STS Server", below),
643 or,
645 o Update its cached information for the Known STS Server if the max-
646 age and/or includeSubDomains header field value tokens are
647 conveying information different than that already maintained by
648 the UA.
650 Note: The max-age value is essentially a "time to live" value
651 relative to the reception time of the Strict-Transport-
652 Security HTTP Response Header.
654 [[TODO2: Decide UA behavior in face of encountering multiple STS
655 headers in a message. Use first header? Last? --=JeffH]]
657 Otherwise:
659 o If an HTTP response is received over insecure transport, the UA
660 MUST ignore any present Strict-Transport-Security HTTP Response
661 Header(s).
663 o The UA MUST ignore any Strict-Transport-Security HTTP Response
664 Headers not conforming to the grammar specified in Section 5.1
665 "Strict-Transport-Security HTTP Response Header Field" (above).
667 7.1.1. Noting a STS Server
669 If the substring matching the host production from the Request-URI,
670 that the server responded to, syntactically matches the IP-literal or
671 IPv4address productions from section 3.2.2 of [RFC3986], then the UA
672 MUST NOT note this server as a Known STS Server.
674 Otherwise, if the substring does not congruently match a presently
675 known STS Server, per the matching procedure specified in
676 Section 7.1.2 "Known STS Server Domain Name Matching" below, then the
677 UA MUST note this server as a Known STS Server, caching the STS
678 Server's Domain Name and noting along with it the expiry time of this
679 information, as effectively stipulated per the given max-age value,
680 as well as whether the includeSubDomains flag is asserted or not.
682 7.1.2. Known STS Server Domain Name Matching
684 A UA determines whether a Domain Name represents a Known STS Server
685 by looking for a match between the query Domain Name and the UA's set
686 of Known STS Servers.
688 1. Compare the query Domain Name string with the Domain Names of the
689 UA's set of Known STS Servers. For each Known STS Server's
690 Domain Name, the comparison is done with the query Domain Name
691 label-by-label using an ASCII case-insensitive comparison
692 beginning with the rightmost label, and continuing right-to-left,
693 and ignoring separator characters (see clause 3.1(4) of
694 [RFC3986].
696 * If a label-for-label match between an entire Known STS
697 Server's Domain Name and a right-hand portion of the query
698 Domain Name is found, then the Known STS Server's Domain Name
699 is a superdomain match for the query Domain Name.
701 For example:
703 Query Domain Name: bar.foo.example.com
705 Superdomain matched
706 Known STS Server DN: foo.example.com
708 At this point, the query Domain Name is ascertained to
709 effectively represent a Known STS Server. There may also be
710 additional matches further down the Domain Name Label tree, up
711 to and including a congruent match.
713 * If a label-for-label match between a Known STS Server's Domain
714 Name and the query domain name is found, i.e. there are no
715 further labels to compare, then the query Domain Name
716 congruently matches this Known STS Server.
718 For example:
720 Query Domain Name: foo.example.com
722 Congruently matched
723 Known STS Server DN: foo.example.com
725 The query Domain Name is ascertained to represent a Known STS
726 Server. However, if there are also superdomain matches, the
727 one highest in the tree asserts the STS Policy for this Known
728 STS Server.
730 * Otherwise, if no matches are found, the query Domain Name does
731 not represent a Known STS Server.
733 7.2. URI Loading
735 Whenever the UA prepares to "load", also known as "dereference", any
736 URI where the host production of the URI [RFC3986] matches that of a
737 Known STS Server -- either as a congruent match or as a superdomain
738 match where the superdomain Known STS Server has includeSubDomains
739 asserted -- and the URI's scheme is "http", then replace the URI
740 scheme with "https" before proceeding with the load.
742 7.3. Errors in Secure Transport Establishment
744 When connecting to a Known STS Server, the UA MUST terminate the
745 connection with no user recourse if there are any errors (e.g.
746 certificate errors), whether "warning" or "fatal" or any other error
747 level, with the underlying secure transport.
749 7.4. HTTP-Equiv Element Attribute
751 UAs MUST NOT heed http-equiv="Strict-Transport-Security" attribute
752 settings on elements in received content.
754 8. Domain Name ToASCII Conversion Operation
756 This operation converts a string-serialized Domain Name possibly
757 containing arbitrary Unicode characters [Unicode5] into a string-
758 serialized Domain Name in ASCII Compatible Encoding (ACE) format as
759 specified in [RFC3490].
761 The operation is:
763 o Apply the IDNA conversion operation (section 4 of [RFC3490]) to
764 the string, selecting the ToASCII operation and setting both the
765 AllowUnassigned and UseSTD3ASCIIRules flags.
767 9. Server Implementation Advice
769 STS Policy expiration time considerations:
771 o Server implementations and deploying web sites need to consider
772 whether they are setting an expiry time that is a constant value
773 into the future, e.g. by constantly sending the same max-age value
774 to UAs. Or, whether they are setting an expiry time that is a
775 fixed point in time, e.g. by sending max-age values that represent
776 the remaining time until the expiry time.
778 o A consideration here is whether a deployer wishes to have signaled
779 STS Policy expiry time match that for the web site's domain
780 certificate.
782 Considerations for using Strict Transport Security in conjunction
783 with self-signed public-key certificates:
785 o If a web site/organization/enterprise is generating their own
786 secure transport public-key certificates for web sites, and that
787 organization's root certificate authority (CA) certificate is not
788 typically embedded by default in browser CA certificate stores,
789 and if STS Policy is enabled on a site wielding that
790 organization's certificates, then secure connections to that site
791 will fail without user recourse, per the STS design. This is to
792 protect against various active attacks, as discussed above.
794 o However, if said organization strongly wishes to employ self-
795 signed certificates, and their own CA in concert with STS, they
796 can do so by deploying their root CA certificate to their users'
797 browsers. There are various ways in which this can be
798 accomplished (details are out of scope for this specification).
799 Once their root CA cert is installed in the browsers, they may
800 employ STS Policy on their site(s).
802 Note: Interactively distributing root CA certs to users, e.g. via
803 email, and having the users install them, is arguably
804 training the users to be susceptible to a possible form of
805 phishing attack, see Section 12.4 "Bogus Root CA
806 Certificate Phish plus DNS Cache Poisoning Attack".
808 10. UA Implementation Advice
810 Notes for STS Server implementors:
812 o A simplistic approach to enabling STS policy for one's web site is
813 to configure one's web server to return a Strict-Transport-
814 Security HTTP Response Header with a constant max-age value. For
815 exmple:
817 Strict-Transport-Security: max-age=778000
819 A max-age value of 778000 is 90 days. Note that each receipt of
820 this header by a UA will require the UA to update its notion of
821 when it must delete its knowledge of this Known STS Server. The
822 specifics of how this is accomplished is out of the scope of this
823 specification.
825 In order to provide users and web sites more effective protection, UA
826 implementors should consider including features such as:
828 o Disallowing "mixed security context" (also known as "mixed-
829 content") loads (see section 5.3 "Mixed Content" in
830 [W3C.WD-wsc-ui-20100309]).
832 Note: In order to provide behavioral uniformity across UA
833 implementations, the notion of mixed security context aka
834 mixed-content will require (further) standardization work,
835 e.g. to more clearly define the term(s) and to define
836 specific behaviors with respect to it.
838 In order to provide users effective controls for managing their UA's
839 caching of STS Policy, UA implementors should consider including
840 features such as:
842 o Ability to delete UA's cached STS Policy on a per STS Server
843 basis.
845 In order to provide users and web sites more complete protection, UAs
846 could offer advanced features such as these:
848 o Ability for users to explicitly declare a given Domain Name as
849 representing a STS Server, thus seeding it as a Known STS Server
850 before any actual interaction with it. This would help protect
851 against the Section 12.2 "Bootstrap MITM Vulnerability".
853 Note: Such a feature is difficult to get right on a per-site
854 basis -- see the discussion of "rewrite rules" in section
855 5.5 of [ForceHTTPS]. For example, arbitrary web sites may
856 not materialize all their URIs using the "https" scheme,
857 and thus could "break" if a UA were to attempt to access
858 the site exclusively using such URIs. Also note that this
859 feature would complement, but is independent of the
860 following described facility.
862 o Facility whereby web site administrators can have UAs pre-
863 configured with STS Policy for their site(s) by the UA vendor(s)
864 -- in a manner similar to how root CA certificates are embedded in
865 browsers "at the factory". This would help protect against the
866 Section 12.2 "Bootstrap MITM Vulnerability".
868 Note: Such a facility complements the preceding described
869 feature.
871 [[XXX2: These latter items beg the question of having some means of
872 secure web site metadata and policy discovery and acquisition. There
873 is extant work that may be of interest, e.g. the W3C POWDER work,
874 OASIS XRI/XRD work (as well as XRDS-Simple), and "Link-based Resource
875 Descriptor Discovery" (draft-hammer-discovery). --JeffH]]
877 11. Constructing an Effective Request URI
879 This section specifies how an STS Server must construct the Effective
880 Request URI for a received HTTP request.
882 The first line of an HTTP request message is specified by the
883 following ABNF ([I-D.ietf-httpbis-p1-messaging] section 4.1):
885 Request-Line = Method SP request-target SP HTTP-Version CRLF
887 The request-target is following ABNF ([I-D.ietf-httpbis-p1-messaging]
888 section 4.1.2):
890 request-target = "*"
891 / absolute-URI
892 / ( path-absolute [ "?" query ] )
893 / authority
895 Additionally, many HTTP requests contain an additional Host request
896 header field. It is specified by the following ABNF
897 ([I-D.ietf-httpbis-p1-messaging] section 4.1.2):
899 Host = "Host:" OWS Host-v
900 Host-v = uri-host [ ":" port ]
902 Thus an example HTTP message containing the above header fields is:
904 GET /hello.txt HTTP/1.1
905 Host: www.example.com
907 Another example is:
909 GET HTTP://www.example.com/hello.txt HTTP/1.1
911 An STS Server constructs the Effective Request URI using the
912 following ABNF grammar (which imports some productions from the above
913 ABNF for Request-Line, request-target, and Host:
915 Effective-Request-URI = absolute-URI-present / path-absolute-form
917 absolute-URI-present = absolute-URI
919 path-absolute-form = scheme "://" Host-v path-absolute [ "?" query ]
921 where:
923 scheme is "http" if the request was received over
924 insecure transport, or scheme is "https" if the
925 request was received over secure transport.
927 For example, if the request message contains a request-target
928 component that matches the grammar of absolute-URI, then the
929 Effective-Request-URI is simply the value of the absolute-URI
930 component. Otherwise, the Effective-Request-URI is a combination,
931 per the path-absolute-form production, of the Host-v, path-absolute,
932 and query components from the request-target and Host components of
933 the request message.
935 [[TODO3: This is a first SWAG at this section. Fix/add prose as
936 appropriate, fix ABNF as needed per review. --JeffH]]
938 12. Security Considerations
940 12.1. Denial of Service (DoS)
942 STS could be used to mount certain forms of DoS attacks, where
943 attackers set fake STS headers on legitimate sites available only
944 insecurely (e.g. social network service sites, wikis, etc.).
946 12.2. Bootstrap MITM Vulnerability
948 The bootstrap MITM (Man-In-The-Middle) vulnerability is a
949 vulnerability users and STS Servers encounter in the situation where
950 the user manually enters, or follows a link, to a STS Server using a
951 "http" URI rather than a "https" URI. Because the UA uses an
952 insecure channel in the initial attempt to interact with the
953 specified serve, such an initial interaction is vulnerable to various
954 attacks [ForceHTTPS] .
956 Note: There are various features/facilities that UA implementations
957 may employ in order to mitigate this vulnerability. Please
958 see Section 10 UA Implementation Advice.
960 12.3. Network Time Attacks
962 Active network attacks can subvert network time protocols (like NTP)
963 - making this header less effective against clients that trust NTP
964 and/or lack a real time clock. Network time attacks are therefore
965 beyond the scope of the defense. Note that modern operating systems
966 use NTP by default.
968 12.4. Bogus Root CA Certificate Phish plus DNS Cache Poisoning Attack
970 If an attacker can convince users of, say, https://bank.example.com
971 (which is protected by STS Policy), to install their own version of a
972 root CA certificate purporting to be bank.example.com's CA, e.g. via
973 a phishing email message with a link to such a certificate -- then,
974 if they can perform an attack on the users' DNS, e.g. via cache
975 poisoning, and turn on STS Policy for their fake bank.example.com
976 site, then they have themselves some new users.
978 13. IANA Considerations
980 Below is the Internet Assigned Numbers Authority (IANA) Provisional
981 Message Header Field registration information per [RFC3864].
983 Header field name: Strict-Transport-Security
984 Applicable protocol: HTTP
985 Status: provisional
986 Author/Change controller: TBD
987 Specification document(s): this one
989 14. Design Decision Notes
991 This appendix documents various design decisions.
993 1. Cookies aren't appropriate for STS Policy expression as they are
994 potentially mutable (while stored in the UA), therefore an HTTP
995 header field is employed.
997 2. We chose to not attempt to specify how "mixed security context
998 loads" (aka "mixed-content loads") are handled due to UA
999 implementation considerations as well as classification
1000 difficulties.
1002 3. A STS Server may update UA notions of STS Policy via new STS
1003 header field values. We chose to have UAs honor the "freshest"
1004 information received from a server because there is the chance of
1005 a web site sending out an errornous STS Policy, such as a multi-
1006 year max-age value, and/or an incorrect includeSubDomains flag.
1007 If the STS Server couldn't correct such errors over protocol, it
1008 would require some form of annunciation to users and manual
1009 intervention on their part, which could be a non-trivial problem.
1011 4. STS Servers are identified only via Domain Names -- explicit IP
1012 address identification of all forms is excluded. This is for
1013 simplification and also is in recognition of various issues with
1014 using direct IP address identification in concert with PKI-based
1015 security.
1017 15. References
1019 15.1. Normative References
1021 [I-D.ietf-httpbis-p1-messaging]
1022 Fielding, R., Gettys, J., Mogul, J., Nielsen, H.,
1023 Masinter, L., Leach, P., Berners-Lee, T., and J. Reschke,
1024 "HTTP/1.1, part 1: URIs, Connections, and Message
1025 Parsing", draft-ietf-httpbis-p1-messaging-09 (work in
1026 progress), March 2010.
1028 [RFC1035] Mockapetris, P., "Domain names - implementation and
1029 specification", STD 13, RFC 1035, November 1987.
1031 [RFC1594] Marine, A., Reynolds, J., and G. Malkin, "FYI on Questions
1032 and Answers - Answers to Commonly asked "New Internet
1033 User" Questions", RFC 1594, March 1994.
1035 [RFC1983] Malkin, G., "Internet Users' Glossary", RFC 1983,
1036 August 1996.
1038 [RFC2109] Kristol, D. and L. Montulli, "HTTP State Management
1039 Mechanism", RFC 2109, February 1997.
1041 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1042 Requirement Levels", BCP 14, RFC 2119, March 1997.
1044 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
1045 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
1046 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
1048 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
1050 [RFC2965] Kristol, D. and L. Montulli, "HTTP State Management
1051 Mechanism", RFC 2965, October 2000.
1053 [RFC3454] Hoffman, P. and M. Blanchet, "Preparation of
1054 Internationalized Strings ("stringprep")", RFC 3454,
1055 December 2002.
1057 [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
1058 "Internationalizing Domain Names in Applications (IDNA)",
1059 RFC 3490, March 2003.
1061 [RFC3492] Costello, A., "Punycode: A Bootstring encoding of Unicode
1062 for Internationalized Domain Names in Applications
1063 (IDNA)", RFC 3492, March 2003.
1065 [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration
1066 Procedures for Message Header Fields", BCP 90, RFC 3864,
1067 September 2004.
1069 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
1070 Resource Identifier (URI): Generic Syntax", STD 66,
1071 RFC 3986, January 2005.
1073 [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
1074 (TLS) Protocol Version 1.1", RFC 4346, April 2006.
1076 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
1077 RFC 4949, August 2007.
1079 [Unicode5]
1080 The Unicode Consortium, "The Unicode Standard, Version
1081 5.0", Boston, MA, Addison-Wesley ISBN 0-321-48091-0, 2007.
1083 [W3C.WD-html5-20100304]
1084 Hyatt, D. and I. Hickson, "HTML5", World Wide Web
1085 Consortium WD WD-html5-20100304, March 2010,
1086 .
1088 15.2. Informative References
1090 [ForceHTTPS]
1091 Jackson, C. and A. Barth, "ForceHTTPS: Protecting High-
1092 Security Web Sites from Network Attacks", In Proceedings
1093 of the 17th International World Wide Web Conference
1094 (WWW2008) , 2008,
1095 .
1097 [GoodDhamijaEtAl05]
1098 Good, N., Dhamija, R., Grossklags, J., Thaw, D.,
1099 Aronowitz, S., Mulligan, D., and J. Konstan, "Stopping
1100 Spyware at the Gate: A User Study of Privacy, Notice and
1101 Spyware", In Proceedings of Symposium On Usable Privacy
1102 and Security (SOUPS) Pittsburgh, PA, USA, July 2005, .
1106 [I-D.ietf-tls-ssl-version3]
1107 Freier, A., Karlton, P., and P. Kocher, "The SSL Protocol
1108 Version 3.0", draft-ietf-tls-ssl-version3 (work in
1109 progress), November 1996, .
1112 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
1113 RFC 793, September 1981.
1115 [RFC2396] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
1116 Resource Identifiers (URI): Generic Syntax", RFC 2396,
1117 August 1998.
1119 [SunshineEgelmanEtAl09]
1120 Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., and
1121 L. Cranor, "Crying Wolf: An Empirical Study of SSL Warning
1122 Effectiveness", In Proceedings of 18th USENIX Security
1123 Symposium Montreal, Canada, Augus 2009, .
1127 [W3C.WD-wsc-ui-20100309]
1128 Saldhana, A. and T. Roessler, "Web Security Context: User
1129 Interface Guidelines", World Wide Web Consortium
1130 LastCall WD-wsc-ui-20100309, March 2010,
1131 .
1133 Appendix A. Acknowledgments
1135 This appendix is non-normative.
1137 The authors thank Michael Barrett, Sid Stamm, Maciej Stachowiak, Andy
1138 Steingrubl, Brandon Sterne, Daniel Veditz for their review and
1139 contributions.
1141 Authors' Addresses
1143 Jeff Hodges
1144 PayPal
1146 Email: Jeff.Hodges@PayPal.com
1148 Collin Jackson
1149 Carnegie Mellon University
1151 Email: collin.jackson@sv.cmu.edu
1152 Adam Barth
1153 University of California Berkeley
1155 Email: abarth@eecs.berkeley.edu