idnits 2.17.1
draft-hodges-strict-transport-sec-01.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== Line 457 has weird spacing: '... Server is a ...'
== Line 562 has weird spacing: '...max-age speci...'
== The document seems to lack the recommended RFC 2119 boilerplate, even if
it appears to use RFC 2119 keywords.
(The document does seem to have the reference to RFC 2119 which the
ID-Checklist requires).
-- The document date (June 23, 2010) is 5028 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Missing Reference: 'ID.ietf-httpbis-p1-messaging' is mentioned on line
543, but not defined
== Unused Reference: 'RFC1983' is defined on line 1038, but no explicit
reference was found in the text
== Unused Reference: 'RFC3454' is defined on line 1056, but no explicit
reference was found in the text
== Unused Reference: 'RFC3492' is defined on line 1064, but no explicit
reference was found in the text
== Unused Reference: 'RFC2396' is defined on line 1122, but no explicit
reference was found in the text
== Outdated reference: A later version (-26) exists of
draft-ietf-httpbis-p1-messaging-09
** Obsolete normative reference: RFC 1594 (Obsoleted by RFC 2664)
** Downref: Normative reference to an Informational RFC: RFC 1983
** Obsolete normative reference: RFC 2109 (Obsoleted by RFC 2965)
** Obsolete normative reference: RFC 2616 (Obsoleted by RFC 7230, RFC 7231,
RFC 7232, RFC 7233, RFC 7234, RFC 7235)
** Obsolete normative reference: RFC 2818 (Obsoleted by RFC 9110)
** Obsolete normative reference: RFC 2965 (Obsoleted by RFC 6265)
** Obsolete normative reference: RFC 3454 (Obsoleted by RFC 7564)
** Obsolete normative reference: RFC 3490 (Obsoleted by RFC 5890, RFC 5891)
** Obsolete normative reference: RFC 4346 (Obsoleted by RFC 5246)
** Downref: Normative reference to an Informational RFC: RFC 4949
-- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode5'
-- Obsolete informational reference (is this intentional?): RFC 793
(Obsoleted by RFC 9293)
-- Obsolete informational reference (is this intentional?): RFC 2396
(Obsoleted by RFC 3986)
Summary: 10 errors (**), 0 flaws (~~), 10 warnings (==), 4 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Network Working Group J. Hodges
3 Internet-Draft PayPal
4 Intended status: Standards Track C. Jackson
5 Expires: December 25, 2010 Carnegie Mellon University
6 A. Barth
7 University of California
8 Berkeley
9 June 23, 2010
11 HTTP Strict Transport Security
12 draft-hodges-strict-transport-sec-01
14 Abstract
16 This specification defines a mechanism enabling Web sites to declare
17 themselves accessible only via secure connections, and/or for users
18 to be able to direct their user agent(s) to interact with given sites
19 only over secure connections. This overall policy is referred to as
20 Strict Transport Security (STS). The policy is declared by Web sites
21 via the Strict-Transport-Security HTTP Response Header Field.
23 Status of this Memo
25 This Internet-Draft is submitted in full conformance with the
26 provisions of BCP 78 and BCP 79.
28 Internet-Drafts are working documents of the Internet Engineering
29 Task Force (IETF). Note that other groups may also distribute
30 working documents as Internet-Drafts. The list of current Internet-
31 Drafts is at http://datatracker.ietf.org/drafts/current/.
33 Internet-Drafts are draft documents valid for a maximum of six months
34 and may be updated, replaced, or obsoleted by other documents at any
35 time. It is inappropriate to use Internet-Drafts as reference
36 material or to cite them other than as "work in progress."
38 This Internet-Draft will expire on December 25, 2010.
40 Copyright Notice
42 Copyright (c) 2010 IETF Trust and the persons identified as the
43 document authors. All rights reserved.
45 This document is subject to BCP 78 and the IETF Trust's Legal
46 Provisions Relating to IETF Documents
47 (http://trustee.ietf.org/license-info) in effect on the date of
48 publication of this document. Please review these documents
49 carefully, as they describe your rights and restrictions with respect
50 to this document. Code Components extracted from this document must
51 include Simplified BSD License text as described in Section 4.e of
52 the Trust Legal Provisions and are provided without warranty as
53 described in the Simplified BSD License.
55 Table of Contents
57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
58 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
59 2.1. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . 5
60 2.2. Strict Transport Security Policy Effects . . . . . . . . . 5
61 2.3. Threat Model . . . . . . . . . . . . . . . . . . . . . . . 5
62 2.3.1. Threats Addressed . . . . . . . . . . . . . . . . . . 6
63 2.3.1.1. Passive Network Attackers . . . . . . . . . . . . 6
64 2.3.1.2. Active Network Attackers . . . . . . . . . . . . . 6
65 2.3.1.3. Web Site Development and Deployment Bugs . . . . . 6
66 2.3.2. Threats Not Addressed . . . . . . . . . . . . . . . . 7
67 2.3.2.1. Phishing . . . . . . . . . . . . . . . . . . . . . 7
68 2.3.2.2. Malware and Browser Vulnerabilities . . . . . . . 7
69 2.4. Requirements . . . . . . . . . . . . . . . . . . . . . . . 7
70 2.4.1. Overall Requirement . . . . . . . . . . . . . . . . . 7
71 2.4.1.1. Detailed Core Requirements . . . . . . . . . . . . 8
72 2.4.1.2. Detailed Ancillary Requirements . . . . . . . . . 9
73 3. Conformance Criteria . . . . . . . . . . . . . . . . . . . . . 9
74 3.1. Document Conventions . . . . . . . . . . . . . . . . . . . 9
75 4. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 10
76 5. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
77 5.1. Strict-Transport-Security HTTP Response Header Field . . . 12
78 6. Server Processing Model . . . . . . . . . . . . . . . . . . . 14
79 6.1. HTTP-over-Secure-Transport Request Type . . . . . . . . . 14
80 6.2. HTTP Request Type . . . . . . . . . . . . . . . . . . . . 15
81 7. User Agent Processing Model . . . . . . . . . . . . . . . . . 15
82 7.1. Strict-Transport-Security Response Header Field
83 Processing . . . . . . . . . . . . . . . . . . . . . . . . 15
84 7.1.1. Noting a STS Server . . . . . . . . . . . . . . . . . 16
85 7.1.2. Known STS Server Domain Name Matching . . . . . . . . 16
86 7.2. URI Loading . . . . . . . . . . . . . . . . . . . . . . . 17
87 7.3. Errors in Secure Transport Establishment . . . . . . . . . 18
88 7.4. HTTP-Equiv Element Attribute . . . . . . . . . . . 18
89 8. Domain Name ToASCII Conversion Operation . . . . . . . . . . . 18
90 9. Server Implementation Advice . . . . . . . . . . . . . . . . . 18
91 10. UA Implementation Advice . . . . . . . . . . . . . . . . . . . 19
92 11. Constructing an Effective Request URI . . . . . . . . . . . . 21
93 12. Security Considerations . . . . . . . . . . . . . . . . . . . 22
94 12.1. Denial of Service (DoS) . . . . . . . . . . . . . . . . . 22
95 12.2. Bootstrap MITM Vulnerability . . . . . . . . . . . . . . . 22
96 12.3. Network Time Attacks . . . . . . . . . . . . . . . . . . . 22
97 12.4. Bogus Root CA Certificate Phish plus DNS Cache
98 Poisoning Attack . . . . . . . . . . . . . . . . . . . . . 23
99 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
100 14. Design Decision Notes . . . . . . . . . . . . . . . . . . . . 23
101 15. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
102 15.1. Normative References . . . . . . . . . . . . . . . . . . . 24
103 15.2. Informative References . . . . . . . . . . . . . . . . . . 25
104 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 26
105 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 26
107 1. Introduction
109 [ Please disscuss this draft on the hasmat@ietf.org mailing list
110 [HASMAT]. ]
112 The HTTP protocol [RFC2616] may be used over various transports,
113 typically the Transmission Control Protocol (TCP) [RFC0793].
114 However, TCP does not provide channel integrity protection,
115 confidentiality, nor secure server identification. Thus the Secure
116 Sockets Layer (SSL) protocol [I-D.ietf-tls-ssl-version3] and its
117 successor Transport Layer Security (TLS) [RFC4346], were developed in
118 order to provide channel-oriented security, and are typically layered
119 between application protocols and TCP. [RFC2818] specifies how HTTP
120 is layered onto TLS, and defines the Universal Resource Identifier
121 (URI) scheme of "https" (in practice however, HTTP user agents (UAs)
122 typically offer their users choices among SSL2, SSL3, and TLS for
123 secure transport). URIs themselves are specified in [RFC3986].
125 UAs employ various local security policies with respect to the
126 characteristics of their interactions with web resources depending on
127 (in part) whether they are communicating with a given web resource
128 using HTTP or HTTP-over-a-Secure-Transport. For example, cookies
129 ([RFC2109] and [RFC2965]) may be flagged as Secure. UAs are to send
130 such Secure cookies to their addressed server only over a secure
131 transport. This is in contrast to non-Secure cookies, which are
132 returned to the server regardless of transport (although modulo other
133 rules).
135 UAs typically annunciate to their users any issues with secure
136 connection establishment, such as being unable to validate a server
137 certificate trust chain, or if a server certificate is expired, or if
138 a server's domain name appears incorrectly in the server certificate
139 (see section 3.1 of [RFC2818]). Often, UAs provide for users to be
140 able to elect to continue to interact with a web resource in the face
141 of such issues. This behavior is sometimes referred to as
142 "click(ing) through" security [GoodDhamijaEtAl05]
143 [SunshineEgelmanEtAl09], and thus can be described as "click-through
144 insecurity" .
146 Jackson and Barth proposed an approach, in [ForceHTTPS], to enable
147 web sites and/or users to be able to declare that such issues are to
148 be treated as fatal and without direct user recourse. The aim is to
149 prevent users from unintentionally downgrading their security.
151 This specification embodies and refines the approach proposed in
152 [ForceHTTPS], e.g. a HTTP response header field is used to convey
153 site policy to the UA rather than a cookie.
155 2. Overview
157 This section discusses the use cases, summarizes the Strict Transport
158 Security (STS) policy, and continues with a discussion of the threat
159 model, non-addressed threats, and derived requirements.
161 2.1. Use Cases
163 The overall applicable use case here is a combination of these two
164 use cases:
166 o Web browser user wishes to discover, or be introduced to, and/or
167 utilize various web sites (some arbitrary, some known) in a secure
168 fashion.
170 o Web site deployer wishes to offer their site in an explicitly
171 secure fashion for both their own, as well as their users',
172 benefit.
174 2.2. Strict Transport Security Policy Effects
176 The characteristics of the Strict Transport Security policy, as
177 applied by a UA in its interactions with a web site wielding STS
178 Policy, known as a STS Server, is summarized as follows:
180 1. Insecure ("http") connections to a STS Server are redirected by
181 the STS Server to be secure connections ("https").
183 2. The UA terminates, without user recourse, any secure transport
184 connection attempts upon any and all secure transport errors or
185 warnings, including those caused by a site wielding self-signed
186 certificates.
188 3. UAs transform insecure URI references to a STS Server into secure
189 URI references before dereferencing them.
191 2.3. Threat Model
193 STS is concerned with three threat classes: passive network
194 attackers, active network attackers, and imperfect web developers.
195 However, it is explicitly not a remedy for two other classes of
196 threats: phishing and malware. Addressed and not addressed threats
197 are briefly discussed below. Readers may wish refer to [ForceHTTPS]
198 for details as well as relevant citations.
200 2.3.1. Threats Addressed
202 2.3.1.1. Passive Network Attackers
204 When a user browses the web on a wireless network, a nearby attacker
205 can eavesdrop on unencrypted connections, such as HTTP requests.
206 Such a passive network attacker can steal session identifiers and
207 hijack the user's session, by obtaining cookies containing
208 authentication credentials for example. Such passive eavesdropping
209 attacks are easily performed using wireless sniffing toolkits.
211 To mitigate this threat, some sites permit, but usually do not force,
212 access using secure transport -- e.g. by employing "https" URIs.
213 This can lead users to believe that accessing such services using
214 secure transport protects them from passive network attackers.
215 Unfortunately, this is often not the case in real-world deployments
216 as session identifiers are often stored in non-Secure cookies to
217 permit interoperability with versions of the service offered over
218 insecure transport. For example, if the session identifier for a web
219 site (an email service, say) is stored in a non-Secure cookie, it
220 permits an attacker to hijack the user's session if the user makes a
221 single insecure HTTP request to the site.
223 2.3.1.2. Active Network Attackers
225 A determined attacker can mount an active attack, either by
226 impersonating a user's DNS server or, in a wireless network, by
227 spoofing network frames or offering a similarly-named evil twin
228 access point. If the user is behind a wireless home router, an
229 attacker can attempt to reconfigure the router using default
230 passwords and other vulnerabilities. Some sites, such as banks, rely
231 on secure transport to protect themselves and their users from such
232 active attackers. Unfortunately, browsers allow their users to
233 easily opt-out of these protections in order to be usable for sites
234 that incorrectly deploy secure transport, for example by generating
235 and self-signing their own certificates (without also distributing
236 their CA certificate to their users' browsers).
238 2.3.1.3. Web Site Development and Deployment Bugs
240 The security of an otherwise uniformly secure site (i.e. all of its
241 content is materialized via "https" URIs), can be compromised
242 completely by an active attacker exploiting a simple mistake, such as
243 the loading of a cascading style sheet or a SWF movie over an
244 insecure connection (both cascading style sheets and SWF movies can
245 script the embedding page, to the surprise of many web developers --
246 most browsers do not issue mixed content warnings when insecure SWF
247 files are embedded). Even if the site's developers carefully
248 scrutinize their login page for mixed content, a single insecure
249 embedding anywhere on the site compromises the security of their
250 login page because an attacker can script (control) the login page by
251 injecting script into the page with mixed content.
253 Note: "Mixed content" here refers to the same notion referred to as
254 "mixed security context" later elsewhere in this
255 specification.
257 2.3.2. Threats Not Addressed
259 2.3.2.1. Phishing
261 Phishing attacks occur when an attacker solicits authentication
262 credentials from the user by hosting a fake site located on a
263 different domain than the real site, perhaps driving traffic to the
264 fake site by sending a link in an email message. Phishing attacks
265 can be very effective because users find it difficult to distinguish
266 the real site from a fake site. STS is not a defense against
267 phishing per se; rather, it complements many existing phishing
268 defenses by instructing the browser to protect session integrity and
269 long-lived authentication tokens [ForceHTTPS].
271 2.3.2.2. Malware and Browser Vulnerabilities
273 Because STS is implemented as a browser security mechanism, it relies
274 on the trustworthiness of the user's system to protect the session.
275 Malicious code executing on the user's system can compromise a
276 browser session, regardless of whether STS is used.
278 2.4. Requirements
280 This section identifies and enumerates various requirements derived
281 from the use cases and the threats discussed above, and lists the
282 detailed core requirements Strict Transport Security addresses, as
283 well as ancillary requirements that are not directly addressed.
285 2.4.1. Overall Requirement
287 o Minimize the risks to web browser users and web site deployers
288 that are derived from passive and active network attackers, web
289 site development and deployment bugs, as well as insecure user
290 actions.
292 2.4.1.1. Detailed Core Requirements
294 These core requirements are derived from the overall requirement, and
295 are addressed by this specification.
297 1. Web sites need to be able to declare to UAs that they should be
298 interacted with using a strict security policy.
300 2. Web sites need to be able to instruct UAs that contact them
301 insecurely to do so securely.
303 3. UAs need to note web sites that signal strict security policy
304 enablement, for a web site declared time span.
306 4. UAs need to re-write all insecure UA "http" URI loads to use the
307 "https" secure scheme for those web sites for which secure policy
308 is enabled.
310 5. Web site administrators need to be able to signal strict security
311 policy application to subdomains of higher-level domains for
312 which strict security policy is enabled, and UAs need to enforce
313 such policy.
315 6. For example, both example.com and foo.example.com could set
316 policy for bar.foo.example.com.
318 7. UAs need to disallow security policy application to peer domains,
319 and/or higher-level domains, by domains for which strict security
320 policy is enabled.
322 8. For example, neither bar.foo.example.com nor foo.example.com can
323 set policy for example.com, nor can bar.foo.example.com set
324 policy for foo.example.com. Also, foo.example.com cannot set
325 policy for sibling.example.com.
327 9. UAs need to prevent users from clicking-through security
328 warnings. Halting connection attempts in the face of secure
329 transport exceptions is acceptable.
331 Note: A means for uniformly securely meeting the first core
332 requirement above is not specifically addressed by this
333 specification (see Section 12.2 "Bootstrap MITM
334 Vulnerability"). It may be addressed by a future revision of
335 this specification or some other specification. Note also
336 that there are means by which UA implementations may more
337 fully meet the first core requirement, see Section 10 "UA
338 Implementation Advice".
340 2.4.1.2. Detailed Ancillary Requirements
342 These ancillary requirements are also derived from the overall
343 requirement. They are not normatively addressed in this
344 specification, but could be met by UA implementations at their
345 implementor's discretion, although meeting these requirements may be
346 complex.
348 1. Disallow "mixed security context" (also known as "mixed-content")
349 loads (see section 5.3 "Mixed Content" in
350 [W3C.WD-wsc-ui-20100309]).
352 2. Facilitate user declaration of web sites for which strict
353 security policy is enabled, regardless of whether the sites
354 signal STS Policy.
356 3. Conformance Criteria
358 This specification is written for servers and user agents (UAs).
360 As well as sections and appendices marked as non-normative, all
361 diagrams, examples, and notes in this specification are non-
362 normative. Everything else in this specification is normative.
364 In this specification, the words MUST, MUST NOT, MAY, and SHOULD are
365 to be interpreted as described in [RFC2119].
367 A conformant server is one that implements all the requirements
368 listed in this specification that are applicable to servers.
370 A conformant user agent is one that implements all the requirements
371 listed in this specification that are applicable to user agents.
373 3.1. Document Conventions
375 Note: ..is a note to the reader. These are points that should be
376 expressly kept in mind and/or considered.
378 Warning: This is how a warning is shown. These are things that can
379 have suboptimal downside risks if not heeded.
381 [[XXXn: Some of the more major known issues are marked like this
382 (where "n" in "XXXn" is a number). --JeffH]]
384 [[TODOn: Things to fix (where "n" in "TODOn" is a number). --JeffH]]
386 4. Terminology
388 Terminology is defined in this section.
390 ASCII case-insensitive comparison
391 means comparing two strings exactly, codepoint for
392 codepoint, except that the characters in the range
393 U+0041 .. U+005A (i.e. LATIN CAPITAL LETTER A to
394 LATIN CAPITAL LETTER Z) and the corresponding
395 characters in the range U+0061 .. U+007A (i.e.
396 LATIN SMALL LETTER A to LATIN SMALL LETTER Z) are
397 considered to also match. See [Unicode5] for
398 details.
400 codepoint is a colloquial contraction of Code Point, which is
401 any value in the Unicode codespace; that is, the
402 range of integers from 0 to 10FFFF(hex) [Unicode5].
404 Domain Name Domain Names, also referred to as DNS Names, are
405 defined in [RFC1035] to be represented outside of
406 the DNS protocol itself (and implementations
407 thereof) as a series of labels separated by dots,
408 e.g. "example.com" or "yet.another.example.org".
409 In the context of this specification, Domain Names
410 appear in that portion of a URI satisfying the reg-
411 name production in "Appendix A. Collected ABNF for
412 URI" in [RFC3986], and the host component from the
413 Host HTTP header field production in section 14.23
414 of [RFC2616].
416 Note: The Domain Names appearing in actual URI
417 instances and matching the aforementioned
418 production components may or may not be
419 FQDNs.
421 Domain Name Label is that portion of a Domain Name appearing "between
422 the dots", i.e. consider "foo.example.com": "foo",
423 "example", and "com" are all domain name labels.
425 Effective Request URI
426 is a URI that can be constructed by an HTTP server
427 for any given HTTP request sent to it. Some HTTP
428 requests do not contain a contiguous representation
429 of the URI identifying the resource being addressed
430 by the HTTP request. Rather, different portions of
431 a resource's URI may be mapped to both the Request-
432 Line header field and the Host header field in an
433 HTTP request message
435 [I-D.ietf-httpbis-p1-messaging]. The HTTP server
436 coalesces these URI fragments and constructs an
437 equivalent of the Request-URI that was used by the
438 UA to generate the received HTTP request message.
439 See Section 11 "Constructing an Effective Request
440 URI", below.
442 FQDN is an acronym for Fully-qualified Domain Name. A
443 FQDN is a Domain Name that includes all higher
444 level domains relevant to the named entity
445 (typically a STS Server in the context of this
446 specification). If one thinks of the DNS as a
447 tree-structure with each node having its own Domain
448 Name Label, a FQDN for a specific node would be its
449 label followed by the labels of all the other nodes
450 between it and the root of the tree. For example,
451 for a host, a FQDN would include the label that
452 identifies the particular host, plus all domains of
453 which the host is a part, up to and including the
454 top-level domain (the root domain is always null)
455 [RFC1594].
457 Known STS Server is a STS Server for which the UA has an STS Policy
458 in effect.
460 Local policy is comprised of policy rules deployers specify and
461 which are often manifested as "configuration
462 settings".
464 MITM is an acronym for man-in-the-middle. See "man-in-
465 the-middle attack" in [RFC4949].
467 Request URI is the URI used to cause a UA to issue an HTTP
468 request message.
470 Strict Transport Security
471 is the overall name for the combined UA- and
472 server-side security policy defined by this
473 specification.
475 Strict Transport Security Server
476 is a HTTP server implementing the server aspects of
477 the STS policy.
479 Strict Transport Security Policy
480 is the name of the combined overall UA- and server-
481 side facets of the behavior specified by this
482 specification.
484 STS See Strict Transport Security.
486 STS Policy See Strict Transport Security Policy.
488 STS Server See Strict Transport Security Server.
490 UA is a an acronym for user agent. For the purposes
491 of this specification, a UA is an HTTP client
492 application typically actively manipulated by a
493 user [RFC2616] .
495 5. Syntax
497 This section defines the syntax of the new header this specification
498 introduces. It also provides a short description of the function the
499 header.
501 The Section 6 "Server Processing Model" section details how servers
502 are to use this header. Likewise, the Section 7 "User Agent
503 Processing Model" section details how user agents are to use this
504 header.
506 5.1. Strict-Transport-Security HTTP Response Header Field
508 The Strict-Transport-Security HTTP response header field indicates to
509 a UA that it MUST enforce the STS Policy in regards to the server
510 emitting the response message containing this header field.
512 The ABNF syntax for the Strict-Transport-Security HTTP Response
513 Header field is:
515 Strict-Transport-Security =
517 "Strict-Transport-Security" ":" OWS STS-v OWS
519 ; STS value
520 STS-v = STS-d
521 / STS-d *( OWS ";" OWS STS-d OWS)
523 ; STS directive
524 STS-d = STS-d-cur / STS-d-ext
526 ; defined STS directives
527 STS-d-cur = maxAge / includeSubDomains
529 maxAge = "max-age" "=" delta-seconds v-ext
531 includeSubDomains = [ "includeSubDomains" ] v-ext
533 ; extension points
534 STS-d-ext = name ; STS extension directive
536 v-ext = value ; STS extension value
538 name = token
540 value = OWS / %x21-3A / %x3C-7E ; i.e. optional white space, or
541 ; [ ! .. : ] [ < .. ~ ] any visible chars other than ";"
543 ; productions imported from [ID.ietf-httpbis-p1-messaging]:
545 token
547 OWS ; Optional White Space
549 Note: [I-D.ietf-httpbis-p1-messaging] is used as the ABNF basis in
550 order to ensure that the new header has equivalent parsing
551 rules to the header fields defined in that same specification.
552 Also:
554 1. Quoted-string literals in the above ABNF stanza are
555 case-insensitive.
557 2. In order to correctly match the grammar above, the
558 Strict-Transport-Security HTTP Response Header MUST
559 include at least a max-age directive with at least a
560 single-digit value for delta-seconds.
562 max-age specifies the number of seconds, after the recption of the
563 Strict-Transport-Security HTTP Response Header, during which
564 the UA regards the host the message was received from as a
565 Known STS Server (see also Section 7.1.1 "Noting a STS
566 Server", below). The delta-seconds production is specified
567 in [RFC2616].
569 [[TODO1: The above para wrt max-age may need further refinement.
570 --JeffH]]
572 includeSubDomains is a flag which, if present, signals to the UA that
573 the STS Policy applies to this STS Server as well
574 as any subdomains of the server's FQDN.
576 6. Server Processing Model
578 This section describes the processing model that STS Servers
579 implement. The model is comprised of two facets: the first being the
580 processing rules for HTTP request messages received over a secure
581 transport (e.g. TLS [RFC4346], SSL [I-D.ietf-tls-ssl-version3], or
582 perhaps others, the second being the processing rules for HTTP
583 request messages received over non-secure transports, i.e. over
584 TCP/IP [RFC0793].
586 6.1. HTTP-over-Secure-Transport Request Type
588 When replying to an HTTP request that was conveyed over a secure
589 transport, a STS Server SHOULD include in its response message a
590 Strict-Transport-Security HTTP Response Header that MUST satisfy the
591 grammar specified above in Section 5.1 "Strict-Transport-Security
592 HTTP Response Header Field". If a Strict-Transport-Sec HTTP Response
593 Header is included, the STS Server MUST include only one such header.
595 Note: Including the Strict-Transport-Sec HTTP Response Header is
596 stipulated as a "SHOULD" in order to accomodate various
597 server- and network-side caches and load-balancing
598 configurations where it may be difficult to uniformly emit
599 Strict-Transport-Security HTTP Response Headers on behalf of a
600 given STS Server.
602 In order to establish a given host as a Known STS Server in the
603 context of a given UA, the host must correctly return, per this
604 specification, at least one valid Strict-Transport-Security HTTP
605 Response Header to the UA.
607 6.2. HTTP Request Type
609 If a STS Server receives a HTTP request message over a non-secure
610 transport, it SHOULD send a HTTP response message containing a
611 Status-Code of 301 and a Location header field value containing
612 either the HTTP request's original Effective Request URI (see
613 Section 11 Constructing an Effective Request URI, below) altered as
614 necessary to have a URI scheme of "https", or a URI generated
615 according to local policy (which SHOULD employ a URI scheme of
616 "https").
618 A STS Server MUST NOT include the Strict-Transport-Security HTTP
619 Response Header in HTTP responses conveyed over a non-secure
620 transport.
622 7. User Agent Processing Model
624 This section describes the Strict Transport Security processing model
625 for UAs. There are several facets to the model, enumerated by the
626 following subsections.
628 Also, this processing model assumes that all Domain Names manipulated
629 in this specification's context are already in ASCII Compatible
630 Encoding (ACE) format as specified in [RFC3490]. If this is not the
631 case in some situation, use the operation given in Section 8 "Domain
632 Name ToASCII Conversion Operation" to convert any encountered
633 internationalized Domain Names to ACE format before processing them.
635 7.1. Strict-Transport-Security Response Header Field Processing
637 If an HTTP response, received over a secure transport, includes a
638 Strict-Transport-Security HTTP Response Header field, conforming to
639 the grammar specified in Section 5.1 "Strict-Transport-Security HTTP
640 Response Header Field" (above), and there are no underlying secure
641 transport errors or warnings, the UA MUST either:
643 o Note the server as a Known STS Server if it is not already so
644 noted (see Section 7.1.1 "Noting a STS Server", below),
646 or,
648 o Update its cached information for the Known STS Server if the max-
649 age and/or includeSubDomains header field value tokens are
650 conveying information different than that already maintained by
651 the UA.
653 Note: The max-age value is essentially a "time to live" value
654 relative to the reception time of the Strict-Transport-
655 Security HTTP Response Header.
657 [[TODO2: Decide UA behavior in face of encountering multiple STS
658 headers in a message. Use first header? Last? --=JeffH]]
660 Otherwise:
662 o If an HTTP response is received over insecure transport, the UA
663 MUST ignore any present Strict-Transport-Security HTTP Response
664 Header(s).
666 o The UA MUST ignore any Strict-Transport-Security HTTP Response
667 Headers not conforming to the grammar specified in Section 5.1
668 "Strict-Transport-Security HTTP Response Header Field" (above).
670 7.1.1. Noting a STS Server
672 If the substring matching the host production from the Request-URI,
673 that the server responded to, syntactically matches the IP-literal or
674 IPv4address productions from section 3.2.2 of [RFC3986], then the UA
675 MUST NOT note this server as a Known STS Server.
677 Otherwise, if the substring does not congruently match a presently
678 known STS Server, per the matching procedure specified in
679 Section 7.1.2 "Known STS Server Domain Name Matching" below, then the
680 UA MUST note this server as a Known STS Server, caching the STS
681 Server's Domain Name and noting along with it the expiry time of this
682 information, as effectively stipulated per the given max-age value,
683 as well as whether the includeSubDomains flag is asserted or not.
685 7.1.2. Known STS Server Domain Name Matching
687 A UA determines whether a Domain Name represents a Known STS Server
688 by looking for a match between the query Domain Name and the UA's set
689 of Known STS Servers.
691 1. Compare the query Domain Name string with the Domain Names of the
692 UA's set of Known STS Servers. For each Known STS Server's
693 Domain Name, the comparison is done with the query Domain Name
694 label-by-label using an ASCII case-insensitive comparison
695 beginning with the rightmost label, and continuing right-to-left,
696 and ignoring separator characters (see clause 3.1(4) of
697 [RFC3986].
699 * If a label-for-label match between an entire Known STS
700 Server's Domain Name and a right-hand portion of the query
701 Domain Name is found, then the Known STS Server's Domain Name
702 is a superdomain match for the query Domain Name.
704 For example:
706 Query Domain Name: bar.foo.example.com
708 Superdomain matched
709 Known STS Server DN: foo.example.com
711 At this point, the query Domain Name is ascertained to
712 effectively represent a Known STS Server. There may also be
713 additional matches further down the Domain Name Label tree, up
714 to and including a congruent match.
716 * If a label-for-label match between a Known STS Server's Domain
717 Name and the query domain name is found, i.e. there are no
718 further labels to compare, then the query Domain Name
719 congruently matches this Known STS Server.
721 For example:
723 Query Domain Name: foo.example.com
725 Congruently matched
726 Known STS Server DN: foo.example.com
728 The query Domain Name is ascertained to represent a Known STS
729 Server. However, if there are also superdomain matches, the
730 one highest in the tree asserts the STS Policy for this Known
731 STS Server.
733 * Otherwise, if no matches are found, the query Domain Name does
734 not represent a Known STS Server.
736 7.2. URI Loading
738 Whenever the UA prepares to "load", also known as "dereference", any
739 URI where the host production of the URI [RFC3986] matches that of a
740 Known STS Server -- either as a congruent match or as a superdomain
741 match where the superdomain Known STS Server has includeSubDomains
742 asserted -- and the URI's scheme is "http", then replace the URI
743 scheme with "https" before proceeding with the load.
745 7.3. Errors in Secure Transport Establishment
747 When connecting to a Known STS Server, the UA MUST terminate the
748 connection with no user recourse if there are any errors (e.g.
749 certificate errors), whether "warning" or "fatal" or any other error
750 level, with the underlying secure transport.
752 7.4. HTTP-Equiv Element Attribute
754 UAs MUST NOT heed http-equiv="Strict-Transport-Security" attribute
755 settings on elements in received content.
757 8. Domain Name ToASCII Conversion Operation
759 This operation converts a string-serialized Domain Name possibly
760 containing arbitrary Unicode characters [Unicode5] into a string-
761 serialized Domain Name in ASCII Compatible Encoding (ACE) format as
762 specified in [RFC3490].
764 The operation is:
766 o Apply the IDNA conversion operation (section 4 of [RFC3490]) to
767 the string, selecting the ToASCII operation and setting both the
768 AllowUnassigned and UseSTD3ASCIIRules flags.
770 9. Server Implementation Advice
772 STS Policy expiration time considerations:
774 o Server implementations and deploying web sites need to consider
775 whether they are setting an expiry time that is a constant value
776 into the future, e.g. by constantly sending the same max-age value
777 to UAs. Or, whether they are setting an expiry time that is a
778 fixed point in time, e.g. by sending max-age values that represent
779 the remaining time until the expiry time.
781 o A consideration here is whether a deployer wishes to have signaled
782 STS Policy expiry time match that for the web site's domain
783 certificate.
785 Considerations for using Strict Transport Security in conjunction
786 with self-signed public-key certificates:
788 o If a web site/organization/enterprise is generating their own
789 secure transport public-key certificates for web sites, and that
790 organization's root certificate authority (CA) certificate is not
791 typically embedded by default in browser CA certificate stores,
792 and if STS Policy is enabled on a site wielding that
793 organization's certificates, then secure connections to that site
794 will fail without user recourse, per the STS design. This is to
795 protect against various active attacks, as discussed above.
797 o However, if said organization strongly wishes to employ self-
798 signed certificates, and their own CA in concert with STS, they
799 can do so by deploying their root CA certificate to their users'
800 browsers. There are various ways in which this can be
801 accomplished (details are out of scope for this specification).
802 Once their root CA cert is installed in the browsers, they may
803 employ STS Policy on their site(s).
805 Note: Interactively distributing root CA certs to users, e.g. via
806 email, and having the users install them, is arguably
807 training the users to be susceptible to a possible form of
808 phishing attack, see Section 12.4 "Bogus Root CA
809 Certificate Phish plus DNS Cache Poisoning Attack".
811 10. UA Implementation Advice
813 Notes for STS Server implementors:
815 o A simplistic approach to enabling STS policy for one's web site is
816 to configure one's web server to return a Strict-Transport-
817 Security HTTP Response Header with a constant max-age value. For
818 exmple:
820 Strict-Transport-Security: max-age=778000
822 A max-age value of 778000 is 90 days. Note that each receipt of
823 this header by a UA will require the UA to update its notion of
824 when it must delete its knowledge of this Known STS Server. The
825 specifics of how this is accomplished is out of the scope of this
826 specification.
828 In order to provide users and web sites more effective protection, UA
829 implementors should consider including features such as:
831 o Disallowing "mixed security context" (also known as "mixed-
832 content") loads (see section 5.3 "Mixed Content" in
833 [W3C.WD-wsc-ui-20100309]).
835 Note: In order to provide behavioral uniformity across UA
836 implementations, the notion of mixed security context aka
837 mixed-content will require (further) standardization work,
838 e.g. to more clearly define the term(s) and to define
839 specific behaviors with respect to it.
841 In order to provide users effective controls for managing their UA's
842 caching of STS Policy, UA implementors should consider including
843 features such as:
845 o Ability to delete UA's cached STS Policy on a per STS Server
846 basis.
848 In order to provide users and web sites more complete protection, UAs
849 could offer advanced features such as these:
851 o Ability for users to explicitly declare a given Domain Name as
852 representing a STS Server, thus seeding it as a Known STS Server
853 before any actual interaction with it. This would help protect
854 against the Section 12.2 "Bootstrap MITM Vulnerability".
856 Note: Such a feature is difficult to get right on a per-site
857 basis -- see the discussion of "rewrite rules" in section
858 5.5 of [ForceHTTPS]. For example, arbitrary web sites may
859 not materialize all their URIs using the "https" scheme,
860 and thus could "break" if a UA were to attempt to access
861 the site exclusively using such URIs. Also note that this
862 feature would complement, but is independent of the
863 following described facility.
865 o Facility whereby web site administrators can have UAs pre-
866 configured with STS Policy for their site(s) by the UA vendor(s)
867 -- in a manner similar to how root CA certificates are embedded in
868 browsers "at the factory". This would help protect against the
869 Section 12.2 "Bootstrap MITM Vulnerability".
871 Note: Such a facility complements the preceding described
872 feature.
874 [[XXX2: These latter items beg the question of having some means of
875 secure web site metadata and policy discovery and acquisition. There
876 is extant work that may be of interest, e.g. the W3C POWDER work,
877 OASIS XRI/XRD work (as well as XRDS-Simple), and "Link-based Resource
878 Descriptor Discovery" (draft-hammer-discovery). --JeffH]]
880 11. Constructing an Effective Request URI
882 This section specifies how an STS Server must construct the Effective
883 Request URI for a received HTTP request.
885 The first line of an HTTP request message is specified by the
886 following ABNF ([I-D.ietf-httpbis-p1-messaging] section 4.1):
888 Request-Line = Method SP request-target SP HTTP-Version CRLF
890 The request-target is following ABNF ([I-D.ietf-httpbis-p1-messaging]
891 section 4.1.2):
893 request-target = "*"
894 / absolute-URI
895 / ( path-absolute [ "?" query ] )
896 / authority
898 Additionally, many HTTP requests contain an additional Host request
899 header field. It is specified by the following ABNF
900 ([I-D.ietf-httpbis-p1-messaging] section 4.1.2):
902 Host = "Host:" OWS Host-v
903 Host-v = uri-host [ ":" port ]
905 Thus an example HTTP message containing the above header fields is:
907 GET /hello.txt HTTP/1.1
908 Host: www.example.com
910 Another example is:
912 GET HTTP://www.example.com/hello.txt HTTP/1.1
914 An STS Server constructs the Effective Request URI using the
915 following ABNF grammar (which imports some productions from the above
916 ABNF for Request-Line, request-target, and Host:
918 Effective-Request-URI = absolute-URI-present / path-absolute-form
920 absolute-URI-present = absolute-URI
922 path-absolute-form = scheme "://" Host-v path-absolute [ "?" query ]
924 where:
926 scheme is "http" if the request was received over
927 insecure transport, or scheme is "https" if the
928 request was received over secure transport.
930 For example, if the request message contains a request-target
931 component that matches the grammar of absolute-URI, then the
932 Effective-Request-URI is simply the value of the absolute-URI
933 component. Otherwise, the Effective-Request-URI is a combination,
934 per the path-absolute-form production, of the Host-v, path-absolute,
935 and query components from the request-target and Host components of
936 the request message.
938 [[TODO3: This is a first SWAG at this section. Fix/add prose as
939 appropriate, fix ABNF as needed per review. --JeffH]]
941 12. Security Considerations
943 12.1. Denial of Service (DoS)
945 STS could be used to mount certain forms of DoS attacks, where
946 attackers set fake STS headers on legitimate sites available only
947 insecurely (e.g. social network service sites, wikis, etc.).
949 12.2. Bootstrap MITM Vulnerability
951 The bootstrap MITM (Man-In-The-Middle) vulnerability is a
952 vulnerability users and STS Servers encounter in the situation where
953 the user manually enters, or follows a link, to a STS Server using a
954 "http" URI rather than a "https" URI. Because the UA uses an
955 insecure channel in the initial attempt to interact with the
956 specified serve, such an initial interaction is vulnerable to various
957 attacks [ForceHTTPS] .
959 Note: There are various features/facilities that UA implementations
960 may employ in order to mitigate this vulnerability. Please
961 see Section 10 UA Implementation Advice.
963 12.3. Network Time Attacks
965 Active network attacks can subvert network time protocols (like NTP)
966 - making this header less effective against clients that trust NTP
967 and/or lack a real time clock. Network time attacks are therefore
968 beyond the scope of the defense. Note that modern operating systems
969 use NTP by default.
971 12.4. Bogus Root CA Certificate Phish plus DNS Cache Poisoning Attack
973 If an attacker can convince users of, say, https://bank.example.com
974 (which is protected by STS Policy), to install their own version of a
975 root CA certificate purporting to be bank.example.com's CA, e.g. via
976 a phishing email message with a link to such a certificate -- then,
977 if they can perform an attack on the users' DNS, e.g. via cache
978 poisoning, and turn on STS Policy for their fake bank.example.com
979 site, then they have themselves some new users.
981 13. IANA Considerations
983 Below is the Internet Assigned Numbers Authority (IANA) Provisional
984 Message Header Field registration information per [RFC3864].
986 Header field name: Strict-Transport-Security
987 Applicable protocol: HTTP
988 Status: provisional
989 Author/Change controller: TBD
990 Specification document(s): this one
992 14. Design Decision Notes
994 This appendix documents various design decisions.
996 1. Cookies aren't appropriate for STS Policy expression as they are
997 potentially mutable (while stored in the UA), therefore an HTTP
998 header field is employed.
1000 2. We chose to not attempt to specify how "mixed security context
1001 loads" (aka "mixed-content loads") are handled due to UA
1002 implementation considerations as well as classification
1003 difficulties.
1005 3. A STS Server may update UA notions of STS Policy via new STS
1006 header field values. We chose to have UAs honor the "freshest"
1007 information received from a server because there is the chance of
1008 a web site sending out an errornous STS Policy, such as a multi-
1009 year max-age value, and/or an incorrect includeSubDomains flag.
1010 If the STS Server couldn't correct such errors over protocol, it
1011 would require some form of annunciation to users and manual
1012 intervention on their part, which could be a non-trivial problem.
1014 4. STS Servers are identified only via Domain Names -- explicit IP
1015 address identification of all forms is excluded. This is for
1016 simplification and also is in recognition of various issues with
1017 using direct IP address identification in concert with PKI-based
1018 security.
1020 15. References
1022 15.1. Normative References
1024 [I-D.ietf-httpbis-p1-messaging]
1025 Fielding, R., Gettys, J., Mogul, J., Nielsen, H.,
1026 Masinter, L., Leach, P., Berners-Lee, T., and J. Reschke,
1027 "HTTP/1.1, part 1: URIs, Connections, and Message
1028 Parsing", draft-ietf-httpbis-p1-messaging-09 (work in
1029 progress), March 2010.
1031 [RFC1035] Mockapetris, P., "Domain names - implementation and
1032 specification", STD 13, RFC 1035, November 1987.
1034 [RFC1594] Marine, A., Reynolds, J., and G. Malkin, "FYI on Questions
1035 and Answers - Answers to Commonly asked "New Internet
1036 User" Questions", RFC 1594, March 1994.
1038 [RFC1983] Malkin, G., "Internet Users' Glossary", RFC 1983,
1039 August 1996.
1041 [RFC2109] Kristol, D. and L. Montulli, "HTTP State Management
1042 Mechanism", RFC 2109, February 1997.
1044 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1045 Requirement Levels", BCP 14, RFC 2119, March 1997.
1047 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
1048 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
1049 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
1051 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
1053 [RFC2965] Kristol, D. and L. Montulli, "HTTP State Management
1054 Mechanism", RFC 2965, October 2000.
1056 [RFC3454] Hoffman, P. and M. Blanchet, "Preparation of
1057 Internationalized Strings ("stringprep")", RFC 3454,
1058 December 2002.
1060 [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
1061 "Internationalizing Domain Names in Applications (IDNA)",
1062 RFC 3490, March 2003.
1064 [RFC3492] Costello, A., "Punycode: A Bootstring encoding of Unicode
1065 for Internationalized Domain Names in Applications
1066 (IDNA)", RFC 3492, March 2003.
1068 [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration
1069 Procedures for Message Header Fields", BCP 90, RFC 3864,
1070 September 2004.
1072 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
1073 Resource Identifier (URI): Generic Syntax", STD 66,
1074 RFC 3986, January 2005.
1076 [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
1077 (TLS) Protocol Version 1.1", RFC 4346, April 2006.
1079 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
1080 RFC 4949, August 2007.
1082 [Unicode5]
1083 The Unicode Consortium, "The Unicode Standard, Version
1084 5.0", Boston, MA, Addison-Wesley ISBN 0-321-48091-0, 2007.
1086 [W3C.WD-html5-20100304]
1087 Hyatt, D. and I. Hickson, "HTML5", World Wide Web
1088 Consortium WD WD-html5-20100304, March 2010,
1089 .
1091 15.2. Informative References
1093 [ForceHTTPS]
1094 Jackson, C. and A. Barth, "ForceHTTPS: Protecting High-
1095 Security Web Sites from Network Attacks", In Proceedings
1096 of the 17th International World Wide Web Conference
1097 (WWW2008) , 2008,
1098 .
1100 [GoodDhamijaEtAl05]
1101 Good, N., Dhamija, R., Grossklags, J., Thaw, D.,
1102 Aronowitz, S., Mulligan, D., and J. Konstan, "Stopping
1103 Spyware at the Gate: A User Study of Privacy, Notice and
1104 Spyware", In Proceedings of Symposium On Usable Privacy
1105 and Security (SOUPS) Pittsburgh, PA, USA, July 2005, .
1109 [HASMAT] "HASMAT -- HTTP Application Security Minus Authentication
1110 and Transport",
1111 .
1113 [I-D.ietf-tls-ssl-version3]
1114 Freier, A., Karlton, P., and P. Kocher, "The SSL Protocol
1115 Version 3.0", draft-ietf-tls-ssl-version3 (work in
1116 progress), November 1996, .
1119 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
1120 RFC 793, September 1981.
1122 [RFC2396] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
1123 Resource Identifiers (URI): Generic Syntax", RFC 2396,
1124 August 1998.
1126 [SunshineEgelmanEtAl09]
1127 Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., and
1128 L. Cranor, "Crying Wolf: An Empirical Study of SSL Warning
1129 Effectiveness", In Proceedings of 18th USENIX Security
1130 Symposium Montreal, Canada, Augus 2009, .
1134 [W3C.WD-wsc-ui-20100309]
1135 Saldhana, A. and T. Roessler, "Web Security Context: User
1136 Interface Guidelines", World Wide Web Consortium
1137 LastCall WD-wsc-ui-20100309, March 2010,
1138 .
1140 Appendix A. Acknowledgments
1142 This appendix is non-normative.
1144 The authors thank Michael Barrett, Sid Stamm, Maciej Stachowiak, Andy
1145 Steingrubl, Brandon Sterne, Daniel Veditz for their review and
1146 contributions.
1148 Authors' Addresses
1150 Jeff Hodges
1151 PayPal
1153 Email: Jeff.Hodges@PayPal.com
1154 Collin Jackson
1155 Carnegie Mellon University
1157 Email: collin.jackson@sv.cmu.edu
1159 Adam Barth
1160 University of California Berkeley
1162 Email: abarth@eecs.berkeley.edu