
there about, the talk was called "What Really Breaks SSL?" And Ivan Ristić from SSL Labs was giving a talk about a survey of
you put on securesite.com includeSubDomains, then anybody who's visited securesite.com, it's gonna deny service to any of the subdomains that don't have SSL.
No, that's what I said. There is definitely a first-visit problem with this. And that is... That first-visit problem is effectively the same as using a 302. No, because the browser does a redirect after having a first visit. Well, the browser, it's not a redirect after the first time. Like, the browser rewrites it, rewrites the request before sending any data whatsoever out to the server.
I haven't seen any statement from Safari. IE hasn't made an official statement, but all of the rumblings that I could find researched, they're like, oh, we're waiting to see whether it's more widely adopted. So take that for what you will. So the chicken and egg, essentially, people aren't going to adopt it. It's probably not going to be more adopted. Sort of, although, like I said, it is picking up. The other two really heavy hitters, Firefox and Chrome, they both support it. It's not like if you send this header to, if you're using Internet Explorer and it sends this header, I mean, you can still reach the website with Internet Explorer, you're just not going to get the extra protection that the header provides. Internet Explorer's just not going to remember the header. So sending this header doesn't break compatibility with IE.
HSTS database, like on your computer? Yeah, once you download it in Chrome and it's... Oh no, it's just sitting there in a... Okay, so it's easily... Yeah, the database, it's just... In Firefox, it's sitting there in a SQLite database. In Chrome, it's sitting there in a flat text file. It's not encrypted. It's sitting there in your profile. You can go in there, add entries like I was saying there, delete entries, munge entries at will.
All right. Thank you all for coming. If you have any other questions, just let me know.
Oh, that's okay. Less coffee, more sleep. Yes? Couldn't you act instead of... the database in the browser, couldn't you in fact just put it in the DNS record in the text field? If this site is using HSTS, the domain owner would put that text record in the DNS database, so that when you hit the DNS, you could retrieve that text record and not need the local, well I guess you'd. You'd probably, you know, then people would be looking at munging the requests for the DNS record as opposed to
Unless there was a way to encrypt, like unless there was better encryption or validation for DNS requests, you're going to have the problem. It's just moving the problem to a different part of the process. Okay. So another question. Back to my initial question. Yeah. If you're only going to make one request, like you're adding a record or something, that's the whole purpose. You're going to make one request. The different schemes of using... a redirect from the server, a conventional 302 redirect, 301, versus making the one initial request, one and only question: they're equivalent? Yeah, in like, in practice, if you're in practice, if you're only ever going to visit that site once, then if you're only going to visit once, or if you're only
if you're concerned about any record, yeah, leaking, if you're, if you're only ever going to visit that once, then yeah, you don't gain any additional benefit. Because the best practice for implementation of HSTS is having a redirect on your HTTP site and then kicking out the header from the HTTPS site. The only thing that's really going to protect you on a site, if you're only going to visit that once, is something along the lines of the preload model, where your browser already knows that. Because if the site that you're only going to visit once is in Google's preloaded list and you visit that site with Chrome, then it's going to rewrite that address even the first time around,
assuming that the preloaded list hasn't somehow been compromised. Very good topic. It's like this to kind of fill in the little gaps in HTTP because it's not a, for me it's always been a difficult thing to kind of Thank you. I'm glad you enjoyed it.
Thank you. It was well-constructed for people like me who are not, I don't spend a lot of time in like code and stuff. But if you have the graphs, I can follow them. So that was really nice. Thank you. I'm glad you liked it. I tried to make it technical yet still accessible. Yeah, yeah, no, you succeeded. Thank you. Yeah, I'm very happy I got questions.
Yeah, crickets make me sad, whereas, you know, if I have, you know, afterwards people are asking me things and I can, you know, hash out things that maybe went on in my head while I was doing the research, but may not have stated quite so clearly in the talk. Yes, I did.
Now I'm in the Armitage workshop for the rest of the day. Are you doing the Armitage workshop? No, I'm going to check and make my standings. Oh, I didn't realize there was a competition going on there. Nice. Yeah, and then I'll be watching the competition. What's the lockpick competition? It is blindfolded, three laps. Nice. So you have to pick your two, pick the locks. Nice.
Oh, cool. So I was just checking the time. It's like, do I have time to try the lockpick competition before the Armitage workshop? And it's like, that might be rushed. Because it's like 10 minutes until the Armitage workshop. Yeah, exactly. Yes. It depends on how fast you are. They're just practicing. There's one, three, and five pins. Yeah. I could probably get those. Maybe I'll peek into the lockpick village, see if I can do the contest before the Armitage workshop. Okay.
something with a couple of different backgrounds. I don't know what to change. It's quick. I'm having a head back. That's cool. I didn't know that feature, which is why you said I'm like. There's what? Yeah. Just change your color scheme. I know you can do this again. Yeah. Yeah. No, that was just, you know, default Ruby syntax highlighting. Well, it's like my
I changed it when I changed back and forth. Okay, am I writing Java? Am I writing PHP? Am I writing C? Color, the scheme's changed and you have to find a component that works for everything. It's like, oh great, everything's awesome. I can't see the goddamn comments. It's sort of my license count. So they might think that if you take a hack. I think I'm gonna assume by the lockpick village and see if I can take a start at the lockpick competition before the year.
Yeah, yeah. Could you meet me in there? It's 2:50, so it's kind of a .