Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upsts-3.3: Add the preload key #295
Conversation
|
Looks good to me. No version bump required, the new key is backwards compatible. |
|
Added links to sections the text is talking about. |
|
Added paragraph telling clients to ignore the preload key unless they are looking to confirm that the server requests to be included in STS preload lists. We could also mention that this (ignoring) applies to the vast majority of clients. |
| Servers SHOULD verify whether the hostname provided to them via SNI is a | ||
| hostname that is whitelisted for preloading by administrators to determine | ||
| whether or not to advertise this key. | ||
| If no hostname is available via SNI, this key SHOULD NOT be sent. |
DarthGandalf
Jan 11, 2017
Member
How does HTTP do it?
How does HTTP do it?
attilamolnar
Jan 11, 2017
Author
Member
HTTP has the Host: header
HTTP has the Host: header
|
I'll merge this at the end of the week if there are no objections. |
|
Sorry for the late suggestion, but could you flesh out this part some more?
It should be explained to a reader why this recommendation is being made, I don't think it's completely obvious as written. An example of the risk to server operators of not checking the hostname would be good. |
I guess the main risk here is that an IRC network has other A record entries (or indeed a wildcard entry that points all subdomains at a certain IP address) that they may not want an STS policy stored persistently for - blindly sending the |
|
@jwheare which section do you suggest putting the explanation in? |
|
Just right after it's mentioned for now. We can move it around and finesse it if needed once the main gist is written down. |
…he hostname in SNI
|
Thanks a lot, I'll take a closer look at this when I have a chance and suggest some improved wording. |
…TS policy as a whole, rather than be limited to the preload key
|
I split out the SNI recommendation to cover the whole policy, rather than be limited to preload. |
|
@jwheare Makes sense, LGTM |
|
Thanks, any final comments from anyone else before this is merged? |
| @@ -205,7 +241,8 @@ discussed in General security considerations. | |||
| As further protection against bootstrap MITM vulnerabilities, clients may choose to | |||
| include a pre-loaded list of known hosts with STS policies. Such lists should be | |||
| compiled on an opt-in basis, by request of IRC network administrators. Hosts should be | |||
| verified to be correctly advertising an STS policy before inclusion. | |||
| verified to be correctly advertising an STS policy, as well as a | |||
| [preload policy](#the-preload-key) before inclusion. | |||
ProgVal
Jul 11, 2017
Contributor
Could you make it explicit that preload implies “by request of IRC network administrators”?
Could you make it explicit that preload implies “by request of IRC network administrators”?
jwheare
Jul 11, 2017
Member
How should this be worded to make it more clear to you?
How should this be worded to make it more clear to you?
ProgVal
Jul 11, 2017
•
Contributor
“by request of IRC network administrators via the preload key”
“by request of IRC network administrators via the preload key”
ProgVal
Jul 12, 2017
Contributor
perfect
perfect
| @@ -274,7 +311,7 @@ server may be offered at a different domain name, for example a subdomain. | |||
|
|
|||
| It's possible for an attacker to strip the STS `port` value from an initial connection | |||
| established via an insecure connection, before the policy has been cached by the client. | |||
| This represents a Bootstrap MITM (man-in-the-middle) vulnerability. | |||
| This represents a bootstrap MITM (man-in-the-middle) vulnerability. | |||
SISheogorath
Jul 12, 2017
"MITM" is explained in this part, but not in line 236. Since 236 is earlier it would make sense to move the (man-in-the-middle) up there or remove it completely.
"MITM" is explained in this part, but not in line 236. Since 236 is earlier it would make sense to move the (man-in-the-middle) up there or remove it completely.
jwheare
Jul 12, 2017
Member
Yeah this bothered me a tiny bit too, but well, this is the part that actually talks about it, line 236 is a reference to this part of the spec.
We could alternatively move this section further up, changing the order to:
- General Security considerations
- Client implementation considerations
- Server implementation considerations
Yeah this bothered me a tiny bit too, but well, this is the part that actually talks about it, line 236 is a reference to this part of the spec.
We could alternatively move this section further up, changing the order to:
- General Security considerations
- Client implementation considerations
- Server implementation considerations
lol768
Jul 13, 2017
Contributor
Nit: Most of the literature I've seen doesn't capitalise the minor words in the initialism, so I'd expect to see MitM(e.g. see http://ieeexplore.ieee.org/document/7546529/?reload=true)
Nit: Most of the literature I've seen doesn't capitalise the minor words in the initialism, so I'd expect to see MitM(e.g. see http://ieeexplore.ieee.org/document/7546529/?reload=true)
|
LGTM, will be nice to see the preload stuff in the spec |
This is one way to check whether a server wishes to be included in preload lists. Another method, proposed by
eon IRC is to request a signature from a valid certificate when submitting servers to a preload list.