Hi Jeff, thanks for sharing. Good paper and interesting read.
Even though things are slowly picking up in adoption, it is a bit disappointing that it's been only 277 out of 100000 sites in Oct 2013. (On a personal note: this is consistent with my personal anecdotal experience: as part of overall secure development training, I also mention HSTS to developers a couple of times per year, and so far nearly none of them used it before...)

Best regards,
Tobias

PS: and as Lucas wrote, he initially prepared the document as a conference paper. In case he is interested, this might be an interesting submission for an AppSec conference in 2015 (the 2014 ones are unfortunately already finished or past CFP), e.g. AppSecUS or AppSecEU.

On 10/08/14 06:53, =JeffH wrote:
> Here's an interesting & relevant draft paper by Lucas Garron (and
> Andrew Bortz & Dan Boneh)..
>
> The State of HSTS Deployment: A Survey and Common Pitfalls
> https://garron.net/crypto/hsts/hsts-2013.pdf
>
> Note that "S 8.5 Securing https://example.com from a subdomain" is
> essentially the issue that Eric Lawrence recently filed against
> RFC6797 HSTS.
>
> The paper is worth a read, and the scan code is here..
>
> https://github.com/lgarron/HSTS/tree/scan
>
> ..see also the discussion in this thread on <[email protected]>..
>
> State of HSTS in on the Web (2013)
>
> https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Ibdf-x_uqEs
>
> HTH,
>
> =JeffH
>
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec
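The thread discusses a survey of HSTS deployment and its common pitfalls, including the subdomain issue in section 8.5 of the paper. As an added illustration of what such a survey has to check per host, the following is an example (added here, not taken from the paper, from the linked scan code, or from either mailing-list post) that parses a Strict-Transport-Security header value using the directive grammar of RFC 6797 section 6.1 (directives separated by `;`, case-insensitive names, `max-age` required, no duplicate directives, unknown directives ignored, only the first STS header of a response processed per section 8.1) and reports deployment findings. The one-year `MIN_MAX_AGE_SECONDS` threshold, the finding texts, the constructed sample headers and the function names are assumptions of this example, not values stated in the thread.

```python
"""Parse a Strict-Transport-Security header (RFC 6797 s.6.1) and report
deployment findings.  Example code added for illustration; it is not the
survey paper's scan code and not part of the mailing-list discussion."""

import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption of this example: treat a max-age below one year as "short".
MIN_MAX_AGE_SECONDS = 365 * 24 * 60 * 60

# RFC 6797 s.6.1: directive-name is a token, directive-value is a token
# or a quoted-string; directives are separated by ";".
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_DIRECTIVE_RE = re.compile(rf"^\s*({_TOKEN})\s*(?:=\s*({_QUOTED}|{_TOKEN}))?\s*$")


@dataclass
class HstsPolicy:
    valid: bool                      # False => a UA must ignore the header
    max_age: Optional[int] = None
    include_subdomains: bool = False
    findings: List[str] = field(default_factory=list)


def _unquote(value: str) -> str:
    """Strip a quoted-string and undo backslash quoting."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse one STS header field value and collect findings."""
    policy = HstsPolicy(valid=True)
    seen = {}
    for raw in header_value.split(";"):
        if not raw.strip():
            continue  # "[ directive ]" in the ABNF: empty slots are allowed
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            policy.valid = False
            policy.findings.append(f"malformed directive {raw.strip()!r}; UAs ignore the whole header")
            return policy
        name = m.group(1).lower()  # directive names are case-insensitive
        value = _unquote(m.group(2)) if m.group(2) is not None else None
        if name in seen:
            policy.valid = False
            policy.findings.append(f"directive {name!r} given more than once; UAs ignore the whole header")
            return policy
        seen[name] = value  # unknown directives are kept but otherwise ignored

    if "max-age" not in seen:
        policy.valid = False
        policy.findings.append("required max-age directive missing; UAs ignore the header")
        return policy
    age = seen["max-age"]
    if age is None or not re.fullmatch(r"[0-9]+", age):
        policy.valid = False
        policy.findings.append("max-age must be an unsigned integer number of seconds")
        return policy
    policy.max_age = int(age)

    policy.include_subdomains = "includesubdomains" in seen
    if policy.include_subdomains and seen["includesubdomains"] is not None:
        policy.findings.append("includeSubDomains is a valueless directive; its value is ignored")
    if policy.max_age == 0:
        policy.findings.append("max-age=0 tells UAs to drop the cached policy for this host")
    elif policy.max_age < MIN_MAX_AGE_SECONDS:
        policy.findings.append(f"max-age of {policy.max_age}s is short; the policy expires quickly")
    if not policy.include_subdomains:
        policy.findings.append("includeSubDomains absent: subdomains get no protection from this header")
    return policy


def evaluate_hsts_headers(headers: List[str]) -> HstsPolicy:
    """Apply RFC 6797 s.8.1: only the first STS header in a response counts."""
    if not headers:
        return HstsPolicy(valid=False, findings=["no Strict-Transport-Security header sent"])
    policy = parse_hsts(headers[0])
    if len(headers) > 1:
        policy.findings.append(f"{len(headers)} STS headers present; only the first is processed")
    return policy


if __name__ == "__main__":
    # Constructed sample header values, not taken from any real site.
    samples = [
        "max-age=31536000; includeSubDomains",
        'max-age="31536000"',
        "max-age=300; preload",
        "includeSubDomains",
        "max-age=100; max-age=200",
    ]
    for sample in samples:
        result = parse_hsts(sample)
        print(f"{sample!r}: valid={result.valid} findings={result.findings}")
```

The parser returns a structured result rather than printing so it can be fed by a crawler that collects response headers over HTTPS; a host is only "deployed" when `valid` is true, and the findings list separates the invalid-header pitfalls (a UA discards the policy entirely) from weak-but-valid ones such as a missing `includeSubDomains`.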
