Proposal: the application must belong/covered to the HSTS preload list (probably level 3) #1941
Comments
tghosth
added
1) Discussion ongoing
|
This is quite high effort for a relatively small benefit (basically the first website load per browser) Not sure I would want to mandate it. |
Just in case - it is valid only for one application context. HSTS preload covers a larger scope than just one application, it's more a company or organization-level guarantee, that everything goes over HTTPS. |
|
HSTS preload is specific to one registerable domain. It must be deployed on a domain-by-domain basis.
It is not organization wide when an organization manages multiple domains.
|
Oh well. My point is, that the company or organization can manage larger risks at once by adding an entire domain to the HSTS preload list. In my opinion, banks, governments, etc should have it set. Is it worth a requirement - I think a level 3 requirement would be reasonable, but I'm ok with a recommendation row as well.
It may also include TLD. |
|
I'm leaning towards a recommendation. Aside from anything else there is also the "bricking" risk if it is done unwisely. |
|
Opened #1952 |
|
I was thinking more about it and I'm leaning towards level 3 requirement, I think recommendation is not enough. From @tghosth
What I did not point out clearly, is that without HSTS preload it is possible to serve any HTTP service from the Same-Site scope with the critical application. This is a way more important vector to eliminate compared to the first HTTP request to the application. Let's say there is an application served from Does it change your mind, @tghosth ? |
|
This is very good information and new to me. Thank you Elar. I am with you on this.
|
|
@elarlang if I understand correctly, the main problem here is that the domain does not have HSTS with sub-domains set at https://bank.tld If it did have that (and the user was guaranteed to get there on first load), then your scenario would only work if the user had never been to https://bank.tld before. Is that correct? See for example that when you browse to https://www.stripe.com, the very first thing it does is redirect you to https://stripe.com which has an HSTS header
|
The boolean answer is true, but it requires some context. For this "guaranteed redirect scenario" through the main domain, the But if you do so, then any given arguments against The main topic here is that it is easy to understand and implement if it is But @tghosth - just in case, you asked a question, but what was your point and message behind that? I was thinking about it more and actually, there is a good question, is it in the scope for the application, which is served from |
So this complexity makes me feel even more uncomfortable about mandating HSTS at the root tld level. The number of moving parts to implement HSTS and preload at the |
|
I agree, that effort can be huge for some legacy systems, when you have "mess in the house". At the same time, for new organisations and application, it must be cornerstone for building things. The price is clear - control over Same-Site scope. Then no-one can use trusted domain for phisnig (yes, it does not stop phising), no cookie manipulation for apps, no cookie leakage for apps (in case those are misconfigured with Also note, that we give similar direction with other requirement:
Me and you can theorize here further, but I think we need some additional views. Probably it's worth asking in social media, why big companies use or don't use the |
tghosth
added
the
Community wanted
|
OK so I think these are our possible suggestions:
If I understand correctly, you support 2) and I am most incline to support a combination of 1) and 4). Do you agree with my interpretation? If so, I will try and get wider feedback. |
|
I think we have only 2 options - 1 and 2. Option 3 is something that I could call the "development stage" for implementing HSTS preload. The entire redirection thingy seems risky, but - technically, (I have not tested it) - is there a navigation request required to have the HSTS statement set to the browser, or for example, loading an image is enough? E. g. if from Option 4 is not supported by HSTS preload list. If you try to check the subdomain (which is not
Note: "...with the subdomains attribute" - using the
So, in my opinion - our options are simple - should we only recommend it or can we require it? For the perspective - most likely the new ASVS version will be valid for "non-braking-changes" for many years, this is something to keep in mind. |
|
From my point of view, the question should be: Are there any valid reasons not to have HSTS preload as a requirement? Context: level 3 requirement for applications with critical business value and/or highly sensitive data. |
|
Ok so the basic question is, should HSTS preload at the top level domain be a L3 requirement or a recommendation? Curious to see what @jmanico @ryarmst @Sjord @ImanSharaf @EnigmaRosa @csfreak92 @meghanjacquot have to say |
|
My mindset for requirements that may be difficult or complicated for legacy systems. Legacy systems are built in their time and are expected to be not compatible by default with new requirements. It is the same way everywhere - take for example requirements for new cars, requirements for building new houses, etc. There are reasons for having new requirements. If those new requirements are reasonable to require for new systems that are built today and from scratch, we should have those requirements in. We don't need to legalize old and insecure systems to be compatible with new standards. |
This is called "subdomain takeover" similar[1]. Do we have requirements for this? I think that would address your top concern, @elarlang Now regarding the "first hit" problem. I suggest supporting only HTTPS and not HTTP at all. For APIs, I never enable port 80 for HTTP. It's only websites that sometimes enable port 80. Since browsers have started defaulting to HTTPS[2], the chance of making HTTP requests to a site on the first hit has decreased. [1] https://blog.chromium.org/2023/08/towards-https-by-default.html |
|
Subdomain takeover - we did not add this requirement (#1788) as it was out of scope (infrastructure question). It is related from the "trusted same-site scope" point of view. But if you are able to take over the subdomain and there is the HSTS preload, how do you get trusted certificates for serving a malicious service from the subdomain? So HSTS preload may have a strong say against this vector as well. For HTTPS only we have 9.1.1 |
If you have taken over the subdomain you can just request a valid certificate from Lets Encrypt or any other CA, right? |
I'm not an expert in that area. My logic (not served as a fact) says that you should not be able to do it if you have a wildcard certificate on the main domain. |
|
Wildcard certificates do not inherently prevent certificate issuance for specific subdomains. If an attacker controls sub.example.com, they can still request a certificate for sub.example.com because the control over that specific subdomain can be shown to the CA. For example, some CA's provide a token that must be placed at a specific URL on the subdomain. The CA then checks if the token is accessible at that URL. CAA[1] does prevent certificate issuance from different CA's. That's a better control than wildcard certs to (somewhat) prevent subdomain takeover. [1] https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization |
|
Hi @elarlang, can you confirm if you have a specific problem with @Sjord's wording? To me it seemed to match out overall approach of being positive, solving a specific security problem but not being too prescriptive.
What do you think? |
|
I still have the same question #1941 (comment)
I don't have the answer to that, yet. |
|
Oh yeah, thanks for the clarification. would an HTTPS DNS record solve "protect the same-site scope against malicious http: services"? I am guessing not? |
|
No. @elarlang correctly explained the attack scenario earlier:
HSTS preload on bank.tld would prevent that.
Sometimes the application developers are in control of the site, and sometimes they are not. It varies, depending on company structure. That does not necessarily mean this cannot be a requirement. We also require TLS connections to the database, even though the database server is managed by someone else. |
|
So @Sjord it sounds like HSTS preload covers all the attack scenarios. It leaves us with that theoretical issue of having to move to a different domain but I am not sure that is enough to justify not requiring it for level 3. |
I think I have made my case, I wasn't planning on responding to this further. |
|
Opened a PR |
|
Current requirement:
Current section: V50.3 Browser Security Mechanism Headers It is questionable, should it belong to this section. As it is registered in the list and is implemented directly into the browsers, getting into the list and getting out from the list is done via browser updates, not response headers - so I propose to move it to V50.8 Other Browser Security Considerations Or if to make V50.1 more abtract to fit it there. |
elarlang
removed
Community wanted
|
50.8 seems reasonable to me.
|
|
Agree with v50.8, PR @elarlang ? |
The topic is discussed before - #966, but as there is offtopic noise, I open a new issue.
Problem to solve: if the browser makes the first HTTP request to the application domain, it must be forced over HTTPS connection. That can be achieved by registering the main domain (if not covered by TLD) to the HSTS preload list.
Note, that just adding the
preloaddirective into theStrict-Transport-SecurityHTTP response header does not have any effect. Although related, it also means, that the requirement does not fit the section "V50.2 Browser Security Mechanism Headers". As it is browser related, it should belong to the paragraph "V50 Web Frontend Security".Now the challenge is how to write it as a requirement. We can not ask the application hostname to be in the preload list. It can be covered by the main domain or by the TLD (
.dev)The text was updated successfully, but these errors were encountered: