RFC 6797 HTTP Strict Transport Security (HSTS) November 2012
14. Security Considerations .......................................32
14.1. Underlying Secure Transport Considerations ...............32
14.2. Non-Conformant User Agent Implications ...................33
14.3. Ramifications of HSTS Policy Establishment Only over
Error-Free Secure Transport ..............................33
14.4. The Need for includeSubDomains ...........................34
14.5. Denial of Service ........................................35
14.6. Bootstrap MITM Vulnerability .............................36
14.7. Network Time Attacks .....................................37
14.8. Bogus Root CA Certificate Phish plus DNS Cache
Poisoning Attack .........................................37
14.9. Creative Manipulation of HSTS Policy Store ...............37
14.10. Internationalized Domain Names ..........................38
15. IANA Considerations ...........................................39
16. References ....................................................39
16.1. Normative References .....................................39
16.2. Informative References ...................................40
Appendix A. Design Decision Notes .................................44
Appendix B. Differences between HSTS Policy and Same-Origin
Policy ................................................45
Appendix C. Acknowledgments .......................................46
1. Introduction
HTTP [RFC2616] may be used over various transports, typically the
Transmission Control Protocol (TCP). However, TCP does not provide
channel integrity protection, confidentiality, or secure host
identification. Thus, the Secure Sockets Layer (SSL) protocol
[RFC6101] and its successor, Transport Layer Security (TLS) [RFC5246]
were developed in order to provide channel-oriented security and are
typically layered between application protocols and TCP. [RFC2818]
specifies how HTTP is layered onto TLS and defines the Uniform
Resource Identifier (URI) scheme of "https" (in practice, however,
HTTP user agents (UAs) typically use either TLS or SSL3, depending
upon a combination of negotiation with the server and user
preferences).
UAs employ various local security policies with respect to the
characteristics of their interactions with web resources, depending
on (in part) whether they are communicating with a given web
resource's host using HTTP or HTTP-over-Secure-Transport. For
example, cookies ([RFC6265]) may be flagged as Secure. UAs are to
send such Secure cookies to their addressed host only over a secure
transport. This is in contrast to non-Secure cookies, which are
returned to the host regardless of transport (although subject to
other rules).
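The transport-dependent cookie rule above, and the http-to-https rewrite that HSTS adds in front of it, as an added illustration (this is not code from RFC 6797 or any browser; `Cookie`, `cookies_for_request`, `apply_hsts`, the sample jar and the host set are all constructed for this example, and domain/path matching is left out):

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool  # the Secure attribute of RFC 6265


# Constructed sample jar: one Secure session cookie, one plain preference cookie.
SAMPLE_JAR = [Cookie("session", "s3cr3t", True), Cookie("pref", "dark", False)]

# Constructed set of hosts the UA treats as Known HSTS Hosts.
KNOWN_HSTS_HOSTS = {"example.com"}


def cookies_for_request(jar, url):
    """Cookies a UA may attach to a request for `url`.

    Secure cookies travel only over a secure transport (https); non-Secure
    cookies are returned to the host regardless of transport.
    """
    over_secure_transport = urlsplit(url).scheme == "https"
    return [c for c in jar if over_secure_transport or not c.secure]


def apply_hsts(known_hosts, url):
    """Hypothetical HSTS step: before any request is sent, rewrite an http
    URI for a Known HSTS Host to https (an explicit port 80 becomes the
    https default)."""
    p = urlsplit(url)
    if p.scheme != "http" or p.hostname not in known_hosts:
        return url
    netloc = p.hostname if p.port in (None, 80) else p.netloc
    return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


def names_sent(url, jar=SAMPLE_JAR, known_hosts=KNOWN_HSTS_HOSTS):
    """Names of the cookies that leave the UA for `url` once HSTS is applied."""
    return [c.name for c in cookies_for_request(jar, apply_hsts(known_hosts, url))]


if __name__ == "__main__":
    # Without HSTS the plain request leaks only the non-Secure cookie;
    # with the host in the HSTS set both go out, but over https.
    print(names_sent("http://other.example/"))      # ['pref']
    print(names_sent("http://example.com:80/a?b=1"))  # ['session', 'pref']
```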
Hodges, et al. Standards Track [Page 4]