RFC 6797, "HTTP Strict Transport Security (HSTS)", November 2012
Source of RFC: websec (app)
Errata ID: 4075
Reported By: Eric Lawrence
Date Reported: 2014-08-08
Rejected by: Barry Leiba
Date Rejected: 2014-08-11
Section 14 says:
Without the "includeSubDomains" directive, HSTS is unable to protect such Secure-flagged domain cookies.
It should say:
Without the "includeSubDomains" directive, HSTS is unable to protect such Secure-flagged domain cookies. Even with the "includeSubDomains" directive, the unavailability of an "includeParent" directive means that an active MITM attacker can perform a cookie-injection attack against an otherwise HSTS-protected victim domain. Consider the following scenario: The user visits https://sub.example.com and gets an HSTS policy with includeSubdomains set. All subsequent navigations to sub.example.com and its subdomains will be secure. An attacker causes the victim's browser to navigate to http://example.com. Because the HSTS policy applies only to sub.example.com and its subdomain matches, this insecure navigation is not blocked by the user agent. The attacker intercepts this insecure request and returns a response that sets a cookie on the entire domain tree using a Set-Cookie header. All subsequent requests to sub.example.com carry the injected cookie, despite the use of HSTS.
To mitigate this attack, HSTS-protected websites should perform a background fetch of a resource at the first-level domain. This resource should carry an HSTS header that will apply to the entire domain and all subdomains.
This is a valid issue, but not suitable for the errata system. The websec working group is discussing handling this with a short document to update RFC 6797.
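The scenario in the proposed erratum text, and the background-fetch mitigation it suggests, played out in a small user-agent model. This is an added example, not text from the RFC, the erratum, or any browser; it models only the two rules that matter here (RFC 6797 section 8.3 known-host matching and RFC 6265 section 5.1.3 cookie domain matching), and the host names, header values and the attacker's injected cookie are constructed for the demonstration.

```python
"""Toy user agent reproducing the cookie-injection gap described in errata 4075.

Constructed example: the hosts, headers and cookie values are invented, and
only the HSTS host-matching and cookie domain-matching rules are modelled.
"""
from urllib.parse import urlsplit


class HstsStore:
    """Known-HSTS-host store with RFC 6797 section 8.3 matching."""

    def __init__(self):
        self.hosts = {}  # host -> includeSubDomains flag

    def note(self, host, include_subdomains):
        self.hosts[host] = include_subdomains

    def is_known(self, host):
        if host in self.hosts:
            return True  # congruent match, flag irrelevant
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            if self.hosts.get(parent):  # superdomain match needs includeSubDomains
                return True
        return False  # a subdomain's policy never covers its parent


def domain_match(host, domain):
    """RFC 6265 section 5.1.3 domain matching (IP-address rule omitted)."""
    return host == domain or host.endswith("." + domain)


class CookieJar:
    """Stores cookies keyed by (name, domain); other attributes are ignored."""

    def __init__(self):
        self.cookies = {}

    def store(self, response_host, set_cookie):
        parts = [p.strip() for p in set_cookie.split(";")]
        name, value = parts[0].split("=", 1)
        domain = response_host
        for attr in parts[1:]:
            if attr.lower().startswith("domain="):
                domain = attr[len("domain="):].lstrip(".").lower()
        # RFC 6265 section 5.3 step 6: Domain must cover the responding host,
        # and example.com covers itself, so the parent may set a domain cookie.
        if domain_match(response_host, domain):
            self.cookies[(name, domain)] = value

    def cookies_for(self, host):
        return sorted((d, n, v) for (n, d), v in self.cookies.items()
                      if domain_match(host, d))


class Browser:
    def __init__(self):
        self.hsts = HstsStore()
        self.jar = CookieJar()

    def fetch(self, url, origin, attacker):
        """Return the scheme actually used after HSTS rewriting."""
        u = urlsplit(url)
        scheme, host = u.scheme, u.hostname
        if scheme == "http" and self.hsts.is_known(host):
            scheme = "https"  # RFC 6797 section 8.3 URI rewriting
        # Plaintext: the active MITM supplies the response. TLS: the origin does.
        headers = attacker(host) if scheme == "http" else origin(host)
        for name, value in headers:
            if name.lower() == "set-cookie":
                self.jar.store(host, value)
            elif name.lower() == "strict-transport-security" and scheme == "https":
                # RFC 6797 section 8.1: STS is honoured only over secure transport
                self.hsts.note(host, "includesubdomains" in value.lower())
        return scheme


def make_origin(parent_sends_hsts):
    """Honest servers; the parent sends HSTS only when the mitigation is deployed."""
    def origin(host):
        if host == "sub.example.com":
            return [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                    ("Set-Cookie", "session=legit; Domain=sub.example.com; Secure")]
        if host == "example.com" and parent_sends_hsts:
            return [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
        return []
    return origin


def attacker(host):
    """Active MITM answering any plaintext request with a domain-wide cookie."""
    return [("Set-Cookie", "session=attacker; Domain=example.com")]


def run_scenario(mitigated):
    """Steps from the erratum; returns (scheme used for http://example.com,
    cookies the browser would attach to a later request to sub.example.com)."""
    b = Browser()
    origin = make_origin(parent_sends_hsts=mitigated)
    b.fetch("https://sub.example.com/", origin, attacker)       # learns HSTS + legit cookie
    if mitigated:
        b.fetch("https://example.com/hsts-pixel", origin, attacker)  # background fetch
    scheme_used = b.fetch("http://example.com/", origin, attacker)   # attacker-forced
    return scheme_used, b.jar.cookies_for("sub.example.com")


if __name__ == "__main__":
    for mitigated in (False, True):
        print("mitigated" if mitigated else "unmitigated", run_scenario(mitigated))
```

Without the mitigation the forced request stays on http, the attacker's Set-Cookie is accepted because example.com may set a cookie for example.com, and sub.example.com then receives two cookies named session; RFC 6265 tells servers not to rely on the serialization order, so the injected value may be the one read. With the parent domain also carrying an HSTS policy, the same request is rewritten to https before it leaves the browser and the attacker never gets to answer it. The fetch only helps if the operator controls the first-level domain and can serve the header there.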