> Specifically, it is the use of a 301 as specified in Section
> 7.2. If a UA initially visits a site like www.paypal.com, it would
> not know if the host is an HSTS host or not. Use of 301 is not secure and
> the user agent could be maliciously redirected to someplace other than a
> site owned by PayPal, for example.
Yes, this is well-understood and (prominently) noted in the security
considerations...
###
14.6. Bootstrap MITM Vulnerability
The bootstrap MITM (Man-In-The-Middle) vulnerability is a
vulnerability users and HSTS Hosts encounter in the situation where
the user manually enters, or follows a link, to an unknown HSTS Host
using a "http" URI rather than a "https" URI. Because the UA uses an
insecure channel in the initial attempt to interact with the
specified server, such an initial interaction is vulnerable to
various attacks (see Section 5.3 of [ForceHTTPS]).
NOTE: There are various features/facilities that UA implementations
may employ in order to mitigate this vulnerability. Please
see Section 12 "User Agent Implementation Advice".
###
Plus, this spec is now a done deal.
However, the notion of devising some means for declaring general (web) host
security policy and capabilities is one that's been discussed in various
contexts (it's the question you're begging in your msg, IMV) -- and, yes, that's
something to (now) put more cycles into thinking about.
=JeffH
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
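The following is an added example, not code from this thread or from RFC 6797, that models the bootstrap MITM problem quoted above: a UA that first reaches an HSTS host via a plain "http" URI sends a cleartext request, and an active attacker can rewrite the server's 301 to point anywhere. The same model shows the two mitigations the security considerations point to: a prior secure visit that cached the Strict-Transport-Security header, and a preloaded HSTS entry. The hostnames (www.example.com, attacker.example) and the Server/Network/UserAgent classes are hypothetical; the UA rules follow RFC 6797 (STS header honoured only over a secure transport, max-age and includeSubDomains directives, http-to-https URI rewriting for known HSTS hosts).

```python
"""Model of the RFC 6797 section 14.6 bootstrap MITM vulnerability.

Hypothetical hosts and classes; only the UA's header-processing rules
are taken from RFC 6797.
"""
import re
import time
from urllib.parse import urlsplit, urlunsplit

MAX_AGE_RE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


def parse_sts(header):
    """Return (max_age_seconds, include_subdomains), or None if max-age is absent."""
    m = MAX_AGE_RE.search(header)
    if m is None:
        return None  # RFC 6797 8.1: max-age is REQUIRED; ignore the header otherwise
    include_sub = any(d.strip().lower() == "includesubdomains" for d in header.split(";"))
    return int(m.group(1)), include_sub


class Server:
    """Origin that 301-redirects http to https and sets STS only over TLS."""

    def __init__(self, host):
        self.host = host

    def handle(self, scheme, path):
        if scheme == "http":
            return 301, {"Location": f"https://{self.host}{path}"}, ""
        sts = "max-age=31536000; includeSubDomains"
        return 200, {"Strict-Transport-Security": sts}, f"secure page at {self.host}"


class Network:
    """Delivers requests; an optional attacker can tamper with cleartext HTTP only."""

    def __init__(self, servers, mitm_host=None):
        self.servers = {s.host: s for s in servers}
        self.mitm_host = mitm_host

    def send(self, url):
        u = urlsplit(url)
        if u.scheme == "http" and self.mitm_host is not None:
            # Cleartext on the wire: the attacker substitutes its own 301.
            return 301, {"Location": f"https://{self.mitm_host}{u.path}"}, ""
        # https is modelled as authenticated: only the genuine origin answers.
        return self.servers[u.hostname].handle(u.scheme, u.path)


class UserAgent:
    def __init__(self, network, preload=(), now=time.time):
        self.network = network
        self.now = now
        # host -> (expiry, include_subdomains); preloaded entries never expire
        self.hsts = {h: (float("inf"), True) for h in preload}

    def is_hsts_host(self, host):
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hsts.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False

    def fetch(self, url, max_redirects=5):
        """Follow redirects; return (status, host that answered, body)."""
        for _ in range(max_redirects):
            u = urlsplit(url)
            if u.scheme == "http" and self.is_hsts_host(u.hostname):
                # RFC 6797 8.3: rewrite to https before anything leaves the UA
                url = urlunsplit(("https", u.netloc, u.path, u.query, u.fragment))
                u = urlsplit(url)
            status, headers, body = self.network.send(url)
            sts = headers.get("Strict-Transport-Security")
            if sts and u.scheme == "https":  # RFC 6797 8.1: ignore STS over http
                parsed = parse_sts(sts)
                if parsed:
                    self.hsts[u.hostname] = (self.now() + parsed[0], parsed[1])
            if status in (301, 302, 307, 308):
                url = headers["Location"]
                continue
            return status, u.hostname, body
        raise RuntimeError("too many redirects")


def hostile_network():
    return Network([Server("www.example.com"), Server("attacker.example")],
                   mitm_host="attacker.example")


def first_visit_outcome(preload=()):
    """Host that ends up serving http://www.example.com/login on a hostile path."""
    ua = UserAgent(hostile_network(), preload=preload)
    return ua.fetch("http://www.example.com/login")[1]


def returning_visit_outcome():
    """A clean first visit caches STS; the later hostile visit is upgraded locally."""
    ua = UserAgent(Network([Server("www.example.com")]))
    ua.fetch("http://www.example.com/")
    ua.network = hostile_network()
    return ua.fetch("http://www.example.com/login")[1]


if __name__ == "__main__":
    print("no prior knowledge:", first_visit_outcome())
    print("preloaded:", first_visit_outcome(preload=("www.example.com",)))
    print("returning visitor:", returning_visit_outcome())
```

The cleartext 301 is the only hop the attacker ever touches, which is why the RFC treats the first http request as unfixable by the host alone and defers to UA-side measures such as preloading; the design also shows why a UA must never learn HSTS state from a header delivered over http, since the attacker controlling that hop could otherwise poison the cache.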