Adam Barth wrote:
>
> On Tue, Aug 21, 2012 at 1:38 PM, Brian Smith <[email protected]> wrote:
>>> Adam Barth wrote:
>>>> Brian Smith wrote:
>>>>> 2. The owners of example.com decide to turn off HSTS for whatever
>>>>> reason (perhaps the domain changed owners, or there's a compatibility
>>>>> issue, or whatever), so they start sending out HSTS with max-age=0
>>>>> for example.com and for all the subdomains.
>>
>>>> That's not a correct way of disabling HSTS after (1). Instead, they
>>>> need only send out a max-age=0 header for example.com itself.
>>
>> [...]
>>
>>>> They can simply initiate a request to https://example.com/ (e.g., by
>>>> using an HTTP redirect or an HTML image element) and clear the HSTS
>>>> state for that host name.
>>
>> I understand what you're saying and it makes sense. And, I agree that in a
>> web browser that is a pretty reasonable way to handle some emergency where
>> you have to turn off HSTS for some reason, though I think it would be quite
>> tricky to do so in a way that is reliable.
>>
>> Another thing to keep in mind is that, in order to turn off HSTS, the site
>> must comply with the browser's requirements for HSTS sites anyway;
>> otherwise the browser will ignore your HSTS header and avoid doing the
>> redirect or avoid loading the page with the img tag in it.
I guess I'm curious what you mean by "browser's requirements for HSTS sites" and
why it might avoid performing a redirect?
>> FWIW, in Firefox we are also going to honor max-age=0 as a mechanism to
>> disable the entries in our pre-loaded HSTS list that will ship in the
>> browser.
>
> How long do you plan to cache the disable?
And can the site then turn around and issue HSTS Policy with a non-zero max-age
to reinstate the policy?
=JeffH
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
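The exchange above turns on three RFC 6797 processing rules: HSTS state is kept per host name, a max-age=0 directive removes only the entry for the exact host that sent it (so clearing example.com also drops the includeSubDomains policy it carried, while max-age=0 from a subdomain changes nothing), and a Strict-Transport-Security header received over plain HTTP or with a certificate error is ignored outright, which is why a site must still satisfy the browser's HSTS requirements just to turn HSTS off. The following is an added example, not code from the thread or from any browser: a small model of an HSTS store that walks through Brian Smith's scenario. Host names, the `HstsStore`/`parseStsHeader` API, the fake clock and the sample headers are all constructed here. Preloaded entries are modelled as permanent entries that a max-age=0 over TLS simply deletes, which is the Firefox behaviour the thread mentions; how long such a disable is remembered is left open, as it is in the thread.

```javascript
// Added example (hypothetical code, not from the websec thread): a minimal
// model of RFC 6797 HSTS state processing.

// Parse a Strict-Transport-Security field value into {maxAge, includeSubDomains}.
// Returns null when the field is invalid (missing max-age, bad value, or a
// directive given twice); RFC 6797 says the UA must then ignore the header.
function parseStsHeader(value) {
  let maxAge = null;
  let includeSubDomains = false;
  const seen = new Set();
  for (const raw of value.split(";")) {
    const directive = raw.trim();
    if (directive === "") continue;
    const eq = directive.indexOf("=");
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (val !== null && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1); // max-age may be sent as a quoted-string
    }
    if (seen.has(name)) return null; // duplicate directive: whole header ignored
    seen.add(name);
    if (name === "max-age") {
      if (val === null || !/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === "includesubdomains") {
      includeSubDomains = true;
    }
    // unknown directives are ignored
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor(now = () => Date.now()) {
    this.now = now;                 // injectable clock (ms) so expiry can be tested
    this.entries = new Map();       // host -> {expires, includeSubDomains}
  }

  // Seed an entry as if from a preload list (assumption: never expires, and is
  // cleared by max-age=0 from the host itself, as the thread says Firefox will do).
  preload(host, includeSubDomains) {
    this.entries.set(host.toLowerCase(), { expires: Infinity, includeSubDomains });
  }

  // Process a response from `host`. `secure` is true only when the response
  // came over TLS with no certificate errors; otherwise the header is ignored
  // entirely, which is the "requirement" a site must still meet to turn HSTS off.
  // Returns true when the store was updated.
  processResponse(host, stsHeaderValue, secure) {
    host = host.toLowerCase();
    if (!secure || stsHeaderValue == null) return false;
    const parsed = parseStsHeader(stsHeaderValue);
    if (parsed === null) return false;
    if (parsed.maxAge === 0) {
      this.entries.delete(host);    // removes this exact host's entry only
    } else {
      this.entries.set(host, {
        expires: this.now() + parsed.maxAge * 1000,
        includeSubDomains: parsed.includeSubDomains,
      });
    }
    return true;
  }

  // Known HSTS Host check: the host's own unexpired entry, or an unexpired
  // entry on any superdomain that has includeSubDomains set. Expired entries
  // are dropped as they are encountered.
  isKnownHstsHost(host) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length - 1; i++) {  // never consult the bare TLD
      const candidate = labels.slice(i).join(".");
      const e = this.entries.get(candidate);
      if (!e) continue;
      if (e.expires <= this.now()) { this.entries.delete(candidate); continue; }
      if (i === 0 || e.includeSubDomains) return true;
    }
    return false;
  }
}

// Brian Smith's scenario, with constructed hosts and headers.
function scenario() {
  let t = 1e12;
  const store = new HstsStore(() => t);
  store.preload("preloaded.example", true);
  const preloaded = store.isKnownHstsHost("a.preloaded.example");             // true
  store.processResponse("preloaded.example", "max-age=0", true);
  const preloadCleared = store.isKnownHstsHost("a.preloaded.example");        // false
  // (1) example.com sets HSTS for itself and all subdomains.
  store.processResponse("example.com", "max-age=31536000; includeSubDomains", true);
  const before = store.isKnownHstsHost("www.example.com");                    // true
  // (2a) max-age=0 from a subdomain leaves the superdomain policy in place.
  store.processResponse("www.example.com", "max-age=0", true);
  const afterSubdomainZero = store.isKnownHstsHost("www.example.com");        // true
  // (2b) max-age=0 over plain HTTP is ignored outright.
  store.processResponse("example.com", "max-age=0", false);
  const afterInsecureZero = store.isKnownHstsHost("www.example.com");         // true
  // (2c) max-age=0 from https://example.com/ itself clears the whole policy.
  store.processResponse("example.com", "max-age=0", true);
  const afterZero = store.isKnownHstsHost("www.example.com");                 // false
  // (3) A later non-zero header reinstates it, and it expires on schedule.
  store.processResponse("example.com", "max-age=60; includeSubDomains", true);
  const reinstated = store.isKnownHstsHost("sub.example.com");                // true
  t += 61_000;
  const expired = store.isKnownHstsHost("sub.example.com");                   // false
  return { preloaded, preloadCleared, before, afterSubdomainZero,
           afterInsecureZero, afterZero, reinstated, expired };
}
```

Note that the model keys state by exact host name, so the redirect-or-img trick Adam Barth describes has to land a TLS response from example.com itself; responses from www.example.com, however many, cannot clear a policy that example.com set.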