On Tue, Aug 21, 2012 at 1:38 PM, Brian Smith <[email protected]> wrote:
>> Adam Barth wrote:
>> > Brian Smith wrote:
>> >> 2. The owners of example.com decide to turn off HSTS for whatever
>> >> reason (perhaps the domain changed owners, or there's a
>> >> compatibility issue, or whatever), so they start sending out HSTS
>> >> with max-age=0 for example.com and for all the subdomains.
>
>> > That's not a correct way of disabling HSTS after (1). Instead,
>> > they need only send out a max-age=0 header for example.com itself.
>
> [...]
>
>> > They can simply initiate a request to https://example.com/ (e.g.,
>> > by using an HTTP redirect or an HTML image element) and clear the
>> > HSTS state for that host name.
>
> I understand what you're saying and it makes sense. And, I agree that in a
> web browser that is a pretty reasonable way to handle some emergency where
> you have to turn off HSTS for some reason, though I think it would be quite
> tricky to do so in a way that is reliable.
>
> Another thing to keep in mind is that, in order to turn off HSTS, the site
> must comply with the browser's requirements for HSTS sites anyway; otherwise
> the browser will ignore your HSTS header and avoid doing the redirect or
> avoid loading the page with the img tag in it.
>
> FWIW, in Firefox we are also going to honor max-age=0 as a mechanism to
> disable the entries in our pre-loaded HSTS list that will ship in the browser.
How long do you plan to cache the disable?

Adam
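The cache behaviour the thread is arguing about, modelled in Python as an added example (not code from Firefox or from any of the posters): one entry for example.com with includeSubDomains covers every subdomain, max-age=0 sent by example.com itself removes that entry while max-age=0 from a subdomain does not, and the header is ignored unless the response satisfied the browser's HSTS requirements. The `HstsStore` class, `parse_sts` function and the `secure`/`cert_ok` flags are my own assumptions, not a browser's real API.

```python
import time

def parse_sts(header):
    """Parse an STS header value into (max_age, include_subdomains), or None if malformed."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Toy model of a browser's HSTS cache: host -> (expiry, include_subdomains)."""
    def __init__(self):
        self.entries = {}

    def observe(self, host, header, secure=True, cert_ok=True, now=None):
        """Apply a response header from `host`. It is only honoured over TLS with no
        certificate errors (RFC 6797 s8.1), even when the goal is to turn HSTS off."""
        if not (secure and cert_ok):
            return False
        parsed = parse_sts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        now = time.time() if now is None else now
        if max_age == 0:
            # max-age=0 deletes this host's entry only; a subdomain cannot clear its parent's
            self.entries.pop(host, None)
        else:
            self.entries[host] = (now + max_age, include_sub)
        return True

    def is_hsts(self, host, now=None):
        """True if `host` has an unexpired entry, or a parent entry with includeSubDomains
        (which is how one entry for example.com covers all of its subdomains)."""
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
```

Note that nothing here records the max-age=0 itself: once the entry is gone the host is simply unknown again, which is the point of Adam's question about how long the disable is cached.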
