Re: Redirects and HSTS from Anne van Kesteren on 2014-09-26 (public-webappsec@w3.org from September 2014)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 26 Sep 2014 22:07:10 +0200
To: Ryan Sleevi <sleevi@google.com>
Cc: Mike West <mkwst@google.com>, Tanvi Vyas <tanvi@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CADnb78hqB3SiVH5VqdaQDUfhWstP_TzJSiUN9W3HdVfusJmJYg@mail.gmail.com>

On Fri, Sep 26, 2014 at 8:27 PM, Ryan Sleevi <sleevi@google.com> wrote:
> If I understand Anne's point, the question is: Can HSTS be used for
> tracking? The answer is Yes, and this is (briefly) discussed in Section 14.9
> of RFC 6797 ( http://tools.ietf.org/html/rfc6797#section-14.9 ), and, as
> Chris notes later in this thread, expanded upon in the context of HPKP to
> explicitly document the attack (as it also exists for HPKP, although
> slightly differently)

That does seem to cover it, although the first sentence makes it sound
more difficult than it really is.


-- 
https://annevankesteren.nl/

Received on Friday, 26 September 2014 20:07:38 UTC