#5: Clarify need for IncludeSubDomains

Yes, this is an unfortunate consequence of the way cookies work. Suppose you wanted to protect the confidentiality of a Secure cookie (i.e., a cookie with the Secure flag set), which, actually, is the primary use case for the header. Further suppose that this cookie is a domain cookie (e.g., set for the entire example.com domain). Now, if the attacker causes the browser to request https://aiodsfnuiasnis.example.com/, then:
1) We're unlikely to have the HSTS policy bit for aiodsfnuiasnis.example.com.

2) The request for https://aiodsfnuiasnis.example.com will include the Secure cookie.

If the attacker then substitutes his certificate, the user will be able to click through the certificate error, which lets the attacker obtain the cookie we're trying to protect. If we remove the "includeSubDomains" directive, that means sites can't use HSTS to protect domain cookies.

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                  |       Owner:  =JeffH
     Type:  defect                         |      Status:  new
 Priority:  major                          |   Milestone:
Component:  strict-transport-sec           |     Version:
 Severity:  -                              |    Keywords:
-------------------------------------------+--------------------------------
Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/5>
websec <http://tools.ietf.org/websec/>

websec mailing list: https://www.ietf.org/mailman/listinfo/websec
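The two browser behaviours the comment above relies on, modelled as an added example (this is not code from the ticket, the websec list, or any browser): HSTS host matching in the spirit of RFC 6797 (a request host is covered if it equals a known HSTS host, or is a subdomain of one whose policy carries includeSubDomains) and cookie domain matching in the spirit of RFC 6265 (a Domain=example.com cookie is sent to every subdomain of example.com). The host names, the cookie name "session" and the header values are constructed for the demonstration; the in-memory "HSTS store" is a dict standing in for the browser's real one.

```python
"""Why HSTS needs includeSubDomains to protect a Secure domain cookie.

Added example, not part of the original ticket thread. It models, in
miniature, two pieces of browser behaviour:

  * HSTS host matching (RFC 6797): a request host is a "Known HSTS Host"
    if it exactly matches a stored host, or is a subdomain of a stored
    host whose policy has includeSubDomains.
  * Cookie domain matching (RFC 6265): a domain cookie for example.com is
    attached to requests for example.com and every subdomain of it.

All host names, cookie names and header values below are constructed.
"""


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives."""
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return {"max_age": max_age, "include_subdomains": include_subdomains}


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: host equals domain or ends with '.' + domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def hsts_applies(store: dict, host: str) -> bool:
    """True if `host` is covered by a stored HSTS policy.

    `store` maps a host name to a parsed policy. A superdomain's policy
    only reaches `host` when it carries includeSubDomains; without that
    directive a never-visited subdomain has no "policy bit" at all.
    """
    host = host.lower()
    for known_host, policy in store.items():
        if policy["max_age"] <= 0:  # max-age=0 means the policy was cleared
            continue
        if host == known_host:
            return True
        if policy["include_subdomains"] and host.endswith("." + known_host):
            return True
    return False


def cookies_for_request(jar: list, host: str, https: bool) -> list:
    """Names of the cookies a browser would attach to a request for `host`."""
    return [
        c["name"]
        for c in jar
        if domain_matches(host, c["domain"]) and (https or not c["secure"])
    ]


def cookies_exposed_by_cert_substitution(store: dict, jar: list, host: str) -> list:
    """Cookies an attacker presenting a bogus certificate for `host` can capture.

    If HSTS covers the host, the certificate error is fatal and the request
    (with its cookies) never reaches the attacker. If it does not, the user
    can click through the warning and every cookie the request carries,
    Secure ones included, is sent to the attacker's server.
    """
    if hsts_applies(store, host):
        return []
    return cookies_for_request(jar, host, https=True)


# Constructed scenario: one Secure domain cookie for example.com, and an
# attacker-chosen subdomain the browser has never visited.
JAR = [{"name": "session", "domain": "example.com", "secure": True}]
VICTIM_HOST = "aiodsfnuiasnis.example.com"


def run_scenario(sts_header: str) -> list:
    """Store the policy example.com served, then simulate the attacker's request."""
    store = {"example.com": parse_hsts(sts_header)}
    return cookies_exposed_by_cert_substitution(store, JAR, VICTIM_HOST)


if __name__ == "__main__":
    print("without includeSubDomains:", run_scenario("max-age=31536000"))
    print("with includeSubDomains:   ", run_scenario("max-age=31536000; includeSubDomains"))
```

Running it shows the asymmetry the comment describes: the cookie is domain-scoped, so it is attached to the request for the unknown subdomain either way, but only the policy with includeSubDomains turns the attacker's certificate error into a hard failure.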
