I recently read the slides "Bypassing HTTP Strict Transport Security" by Jose Selvi.[1] It seems to me that one way to address the NTP spoofing attack on HSTS is to allow sites to specify HSTS policies that never expire (i.e. infinite max-age), so that the enforcement of HSTS does not depend on the system time.

So I want to propose an update to RFC 6797 to define a new directive called "infinite" (or something else). When a UA sees this directive, max-age should be ignored and HSTS should always be enforced until users clear the cache or the server sends a valid STS header without the "infinite" directive. The new header field will look like:

Strict-Transport-Security: max-age=31536000; infinite

Of course, many websites will be unwilling to set an infinite max-age, so this attack is not completely addressed. However, I think this new directive should help a lot, because some websites, especially those that need to send and receive sensitive information, such as online banking, are very unlikely to revert to HTTP in the future. Also, a very long max-age, such as the 20 years used by Twitter, is effectively infinite, but a long max-age is subject to the NTP attack, while an explicit "infinite" is not.

Any comments on this? Thanks!

Best,
Xiaoyin

[1] https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf
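To make the proposed semantics concrete, here is an added example (not code from the post, from any browser, or from RFC 6797) of a user-agent-side HSTS store in Python. It keeps the RFC 6797 rules that max-age is required and that max-age=0 removes the host, and adds the post's hypothetical "infinite" directive: when present, the entry has no expiry, so a skewed system clock cannot switch enforcement off. Host names and timestamps in the test are constructed.

```python
"""Model of a UA HSTS store with the proposed 'infinite' directive (assumption)."""


def parse_sts(header):
    """Parse a Strict-Transport-Security header value into {name: value}.

    Directive names are case-insensitive and the first occurrence wins.
    Returns None for a header a UA must ignore (missing or non-numeric max-age).
    """
    directives = {}
    for token in header.split(";"):
        token = token.strip()
        if not token:
            continue
        name, sep, value = token.partition("=")
        name = name.strip().lower()
        # RFC 6797 allows the value as a token or a quoted-string.
        value = value.strip().strip('"') if sep else None
        directives.setdefault(name, value)
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return directives


class HstsStore:
    """Known HSTS hosts: host -> expiry timestamp, or None for 'never expires'."""

    def __init__(self):
        self.entries = {}

    def process(self, host, header, now):
        """Apply an STS header received from `host` over a secure transport."""
        d = parse_sts(header)
        if d is None:
            return  # invalid header: leave the cached policy untouched
        if int(d["max-age"]) == 0:
            self.entries.pop(host, None)  # explicit removal, as in RFC 6797
            return
        # Proposed directive: ignore max-age, enforce until cleared or replaced.
        self.entries[host] = None if "infinite" in d else now + int(d["max-age"])

    def must_use_https(self, host, now):
        """True if the UA must upgrade requests for `host` at wall-clock `now`."""
        if host not in self.entries:
            return False
        expires = self.entries[host]
        if expires is None:
            return True  # time-independent, so a spoofed clock cannot expire it
        if now > expires:
            del self.entries[host]  # a forward-skewed clock lands here
            return False
        return True
```

The test walks the scenario from the post: a 20-year clock skew expires a time-bound policy, while the same policy marked "infinite" survives it until the server sends a header without the directive.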
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
