RFC Errata
RFC 6797, "HTTP Strict Transport Security (HSTS)", November 2012
Source of RFC: websec (app)
Errata ID: 4075
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: Eric Lawrence
Date Reported: 2014-08-08
Rejected by: Barry Leiba
Date Rejected: 2014-08-11
Section 14 says:
Without the "includeSubDomains" directive, HSTS is unable to protect such Secure-flagged domain cookies.
It should say:
Without the "includeSubDomains" directive, HSTS is unable to protect
such Secure-flagged domain cookies.

Even with the "includeSubDomains" directive, the unavailability of
an "includeParent" directive means that an Active MITM attacker can
perform a cookie-injection attack against an otherwise
HSTS-protected victim domain.

Consider the following scenario:

The user visits https://sub.example.com and gets a HSTS policy with
includeSubdomains set. All subsequent navigations to
sub.example.com and its subdomains will be secure.

An attacker causes the victim's browser to navigate to
http://example.com. Because the HSTS policy applies only to
sub.example.com and its superdomain matches, this insecure
navigation is not blocked by the user agent.

The attacker intercepts this insecure request and returns a
response that sets a cookie on the entire domain tree using a
Set-Cookie header.

All subsequent requests to sub.example.com carry the injected
cookie, despite the use of HSTS.
Notes:
To mitigate this attack, HSTS-protected websites should perform a background fetch of a resource at the first-level domain. This resource should carry a HSTS header that will apply to the entire domain and all subdomains.
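The following is an added example, not part of the erratum or of RFC 6797: a small model of a user agent's HSTS policy store (the "Known HSTS Host" matching of RFC 6797 sections 8.2 and 8.3) together with RFC 6265 cookie domain matching, used to walk through the scenario above and the mitigation proposed in the notes. It shows why a policy learned from sub.example.com never covers example.com itself (superdomain matching only runs upward, from a subdomain to its parents), and why a background fetch that lets example.com set its own includeSubDomains policy closes the gap. The host names, header values and cookie domain are constructed sample data; `HstsStore`, `run_scenario` and `cookie_applies` are names chosen for this illustration.

```python
"""Model of a user agent's HSTS store and the erratum's scenario.
Added illustration; not code from the RFC, the erratum or any browser.
"""
from dataclasses import dataclass


@dataclass
class HstsEntry:
    include_subdomains: bool


class HstsStore:
    """Known HSTS Hosts keyed by exact host name (RFC 6797 section 8.1)."""

    def __init__(self):
        self.hosts = {}

    def process_header(self, host, header):
        """Record a Strict-Transport-Security header.

        Per section 8.1 this is only ever called for a response received over
        a secure transport; a header seen on a plain-http response is ignored
        by a conforming UA and is never passed here.
        """
        directives = [d.strip().lower() for d in header.split(";") if d.strip()]
        max_age, include = None, False
        for d in directives:
            if d.startswith("max-age="):
                max_age = int(d.split("=", 1)[1])
            elif d == "includesubdomains":
                include = True
        if max_age is None:
            return  # max-age is required; otherwise the header is ignored
        if max_age == 0:
            self.hosts.pop(host.lower(), None)  # max-age=0 deletes the policy
        else:
            self.hosts[host.lower()] = HstsEntry(include)

    def is_known(self, host):
        """Section 8.2: congruent match, or a superdomain match where that
        superdomain's policy carries includeSubDomains. Note the direction:
        a policy for sub.example.com says nothing about example.com."""
        host = host.lower()
        if host in self.hosts:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            entry = self.hosts.get(parent)
            if entry is not None and entry.include_subdomains:
                return True
        return False

    def upgrade(self, url):
        """Section 8.3: rewrite http:// to https:// for a Known HSTS Host."""
        scheme, rest = url.split("://", 1)
        host = rest.split("/", 1)[0]
        if scheme == "http" and self.is_known(host):
            return "https://" + rest
        return url


def cookie_applies(cookie_domain, request_host):
    """RFC 6265 section 5.1.3 domain matching: a cookie with
    Domain=example.com is sent to example.com and to every subdomain."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def run_scenario(with_mitigation):
    """Walk through the erratum's scenario.

    Returns (parent_navigation_stays_insecure, injected_cookie_reaches_sub).
    """
    store = HstsStore()
    # Step 1: the user visits https://sub.example.com, which sets a policy
    # with includeSubDomains (constructed header value).
    store.process_header("sub.example.com", "max-age=31536000; includeSubDomains")
    if with_mitigation:
        # The notes' mitigation: the page also performs a background fetch of
        # https://example.com/<resource>, and that response carries its own
        # policy covering the first-level domain and all of its subdomains.
        store.process_header("example.com", "max-age=31536000; includeSubDomains")
    # Step 2: the browser is sent to http://example.com. Without a policy for
    # example.com itself the request is not upgraded.
    fetched = store.upgrade("http://example.com/")
    stays_insecure = fetched.startswith("http://")
    # Steps 3-4: only a plaintext response can be altered on the wire; a
    # Domain=example.com cookie set there is then sent to sub.example.com.
    injected = stays_insecure and cookie_applies("example.com", "sub.example.com")
    return stays_insecure, injected


if __name__ == "__main__":
    print("without mitigation:", run_scenario(with_mitigation=False))
    print("with mitigation:   ", run_scenario(with_mitigation=True))
```

Two details matter when applying the mitigation in practice: the background fetch has to go to https://example.com (a policy advertised over plain http is discarded), and the first-level domain's own policy must itself carry includeSubDomains, otherwise it protects example.com alone and the model's `is_known` still returns False for any sibling subdomain.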
--VERIFIER NOTES--
This is a valid issue, but not suitable for the errata system. The websec working group is discussing handling this with a short document to update RFC 6797.
