RFC Errata



Found 2 records.

Status: Reported (1)

RFC 6797, "HTTP Strict Transport Security (HSTS)", November 2012

Source of RFC: websec (app)

Errata ID: 5204

Status: Reported
Type: Technical

Reported By: Nick Dilßner
Date Reported: 2017-12-13

Section 6.1.2 says:

includeSubDomains

It should say:

include-sub-domains

or

includesubdomains

Notes:

- In Section 6.1 the Strict-Transport-Security is defined as follows:

Strict-Transport-Security = "Strict-Transport-Security" ":" [ directive ] *( ";" [ directive ] )

- the valueless directive "includeSubDomains" is defined as an optional directive
- a directive is defined as follows:

directive = directive-name [ "=" directive-value ]

- so "includeSubDomains" is only a directive-name which is defined as "token"
- according to "[RFC2616], Section 2.2" a token is any octet from 0 - 127 except CTLs (octets 0 - 31 + 127) and separators, which do NOT exclude '-' (octet 45)


So all fine? Yes, BUT at [RFC6797], Section 6.1 the "overall requirements for directives", Rule 3 defines:

3. Directive names are case-insensitive.

And there is no other specification in Section 6.1.2, nor an IANA policy definition [RFC5226] like the one defined for additional directives.



- That means the "directive-name" includeSubDomains is "case-insensitive"!

The "case-sensitive" camelized directive-name is misleading, because of the many other definitions with "-", like the ones seen in all examples or in the header field name itself.


- To ensure a clear understanding, the "directive definition" in Section 6.1.2 and ALL occurrences need to be renamed.

The minimum renaming is "includesubdomains" OR "INCLUDESUBDOMAINS", but this is not readable anymore.
- So it should be renamed like other valueless directives, for example the "schemes-source's" directives of "Content-Security-Policy", which means:

"include-sub-domains"


Best Regards

Nick
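The following is an added worked example, not part of this erratum, of RFC 6797, or of any browser's code: a small parser for the Strict-Transport-Security field value that follows the Section 6.1 grammar and the five directive rules quoted above. It shows that a conforming UA matches the directive name case-insensitively (so "includeSubDomains", "includesubdomains" and "INCLUDESUBDOMAINS" all select the directive), that '-' is a legal token character, and that a name such as "include-sub-domains" is simply an unrecognized directive that is ignored while the rest of the header is still processed. The function names and the strict treatment of a value attached to the valueless includeSubDomains directive are assumptions of the example.

```python
import re

# RFC 2616 Section 2.2: token = 1*<any CHAR except CTLs or separators>.
# '-' (octet 45) is neither a CTL nor a separator, so it is a legal token character.
_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def is_token(s):
    return bool(s) and all(32 <= ord(c) < 127 and c not in _SEPARATORS for c in s)


def _unquote(value):
    """Return the content of an RFC 2616 quoted-string, or None if value is not one."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return None
    out, inner, i = [], value[1:-1], 0
    while i < len(inner):
        if inner[i] == '\\' and i + 1 < len(inner):   # quoted-pair
            out.append(inner[i + 1])
            i += 2
        else:
            out.append(inner[i])
            i += 1
    return ''.join(out)


def _split_directives(value):
    """Split on ';' outside quoted-strings; None on an unterminated quoted-string."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(value):
        c = value[i]
        if in_quote and c == '\\' and i + 1 < len(value):
            buf.extend(value[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ';' and not in_quote:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if in_quote:
        return None
    parts.append(''.join(buf))
    return parts


def parse_sts(header_value):
    """Parse a Strict-Transport-Security field value per RFC 6797 Section 6.1.

    Returns a dict with max_age, include_subdomains and the ignored unknown
    directive names, or None when the UA must ignore the whole header field.
    """
    parts = _split_directives(header_value)
    if parts is None:
        return None
    seen = {}
    for raw in parts:
        d = raw.strip(' \t')
        if not d:
            continue                      # "[ directive ]": empty directives are allowed
        name, eq, val = d.partition('=')
        name, val = name.strip(' \t'), val.strip(' \t')
        if not is_token(name):
            return None                   # Rule 4: non-conforming syntax, ignore header
        key = name.lower()                # Rule 3: directive names are case-insensitive
        if key in seen:
            return None                   # Rule 2: a directive may appear only once
        if not eq:
            seen[key] = None
        elif is_token(val):
            seen[key] = val
        else:
            unq = _unquote(val)
            if unq is None:
                return None
            seen[key] = unq
    if 'max-age' not in seen or seen['max-age'] is None:
        return None                       # Section 6.1.1: max-age is REQUIRED
    if not re.fullmatch(r'[0-9]+', seen['max-age']):
        return None                       # max-age-value = delta-seconds
    if 'includesubdomains' in seen and seen['includesubdomains'] is not None:
        return None   # assumption: a value on the valueless directive (6.1.2) is non-conforming
    return {
        'max_age': int(seen['max-age']),
        'include_subdomains': 'includesubdomains' in seen,
        # Rule 5: unrecognized directives are ignored, the recognized ones still processed
        'unknown': sorted(k for k in seen if k not in ('max-age', 'includesubdomains')),
    }
```

Feeding "max-age=100; include-sub-domains" to parse_sts yields include_subdomains False with 'include-sub-domains' listed under unknown, which is the practical consequence of renaming the directive: existing UAs that already treat the name case-insensitively would stop applying it to subdomains.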

Status: Rejected (1)

RFC 6797, "HTTP Strict Transport Security (HSTS)", November 2012

Source of RFC: websec (app)

Errata ID: 4075

Status: Rejected
Type: Technical

Reported By: Eric Lawrence
Date Reported: 2014-08-08
Rejected by: Barry Leiba
Date Rejected: 2014-08-11

Section 14 says:

   Without the "includeSubDomains" directive, HSTS is unable to protect
   such Secure-flagged domain cookies.

It should say:

   Without the "includeSubDomains" directive, HSTS is unable to protect
   such Secure-flagged domain cookies.

   Even with the "includeSubDomains" directive, the unavailability of 
   an "includeParent" directive means that an Active MITM attacker can 
   perform a cookie-injection attack against an otherwise 
   HSTS-protected victim domain.

   Consider the following scenario:

    The user visits https://sub.example.com and gets a HSTS policy with
    includeSubdomains set. All subsequent navigations to 
    sub.example.com and its subdomains will be secure.

    An attacker causes the victim's browser to navigate to 
    http://example.com. Because the HSTS policy applies only to 
    sub.example.com and its superdomain matches, this insecure 
    navigation is not blocked by the user agent.

    The attacker intercepts this insecure request and returns a 
    response that sets a cookie on the entire domain tree using a 
    Set-Cookie header.

    All subsequent requests to sub.example.com carry the injected
    cookie, despite the use of HSTS.

Notes:

To mitigate this attack, HSTS-protected websites should perform a background fetch of a resource at the first-level domain. This resource should carry a HSTS header that will apply to the entire domain and all subdomains.
--VERIFIER NOTES--
This is a valid issue, but not suitable for the errata system. The websec working group is discussing handling this with a short document to update RFC 6797.
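Added illustration of the scenario in this report; it is not part of the erratum, of RFC 6797, or of any browser's implementation. The Python below models a UA's Known HSTS Host matching (RFC 6797 Section 8.2 and 8.3: congruent match, or superdomain match to a host whose policy has includeSubDomains) and RFC 6265 cookie domain-matching, then runs the four steps of the scenario with and without the mitigation the reporter suggests (a policy obtained from the first-level domain). The function names, the cookie contents and the attacker's response are constructed for the example.

```python
from urllib.parse import urlsplit


def is_known_hsts_host(policies, host):
    """RFC 6797 Section 8.2/8.3 matching against a {host: include_subdomains} store:
    congruent match to a Known HSTS Host, or superdomain match to one whose policy
    carries includeSubDomains. A superdomain of a Known HSTS Host never matches."""
    labels = host.lower().rstrip('.').split('.')
    for i in range(len(labels)):
        candidate = '.'.join(labels[i:])
        if candidate in policies and (i == 0 or policies[candidate]):
            return True
    return False


def cookie_domain_matches(cookie_domain, host):
    """RFC 6265 Section 5.1.3 domain-matching: a Domain=example.com cookie is sent
    to example.com and to every host ending in .example.com."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip('.')
    return host == cookie_domain or host.endswith('.' + cookie_domain)


def simulate(mitigated):
    # Step 1: the user visited https://sub.example.com and received includeSubDomains.
    policies = {'sub.example.com': True}
    if mitigated:
        # Reporter's mitigation: a background fetch at the first-level domain returned
        # an HSTS header covering example.com and all of its subdomains.
        policies['example.com'] = True
    jar = []  # (name, value, domain) cookies held by the browser

    # Step 2: the attacker forces a navigation to http://example.com. A UA only
    # rewrites the scheme to https (Section 8.3) when the host is a Known HSTS Host.
    target = urlsplit('http://example.com/')
    upgraded = is_known_hsts_host(policies, target.hostname)
    if not upgraded:
        # Step 3: the request left in the clear and the active attacker answered it
        # with a constructed "Set-Cookie: session=attacker; Domain=example.com".
        jar.append(('session', 'attacker', 'example.com'))

    # Step 4: cookies attached to a later request to https://sub.example.com/
    sent = [c for c in jar if cookie_domain_matches(c[2], 'sub.example.com')]
    injected = any(c[1] == 'attacker' for c in sent)
    return {'insecure_nav_upgraded': upgraded, 'injected_cookie_sent': injected}


if __name__ == '__main__':
    print('without mitigation:', simulate(mitigated=False))
    print('with mitigation:   ', simulate(mitigated=True))
```

Without the first-level policy the insecure navigation to example.com is not upgraded and the injected domain cookie rides along on every later request to sub.example.com; with it, the UA upgrades the navigation before it reaches the wire and the attacker never gets to answer.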
