[Noisebridge-announce] Bay Area Hackers - HTTP Strict Transport Security by Jeff Hodges

travis+ml-noisebridge-announce at subspacefield.org
Tue Oct 4 21:40:38 UTC 2011

Bay Area (Hacker's Association|Security Enthusiasts) Meeting!

2nd Sunday of every month, 2pm, at Noisebridge, in the main area.

It lasts until it's over.

It's for people interested in security, not the more general "make
stuff" kind of hacking.

Date of Meeting:
9 Oct 2011 1400L (2pm)

This month we present:

Jeff Hodges


HTTP Strict Transport Security Policy

HTTP is often layered over a secure transport (TLS or SSL) and the
availability of a web site via HTTP-over-a-Secure-Transport can be
signaled via URIs employing the "https" URI scheme,
e.g. "https://www.example.com/". However, user agents facilitate user
entry of URIs, even URI fragments, typically resulting in the use of
insecure http-over-TCP by default, even for web sites whose
administrators wish to be accessed only over secure transport. This
results in both the site and the users being rendered vulnerable to
various passive and active attacks. Also, although it is possible to
offer, over secure transport, rogue web sites masquerading as
legitimate ones, interactions with such rogue sites typically cause
the user agent to display various warnings to their users. Yet by
default, user agents typically provide means for the user to dismiss
the warnings and proceed to interact with the (possibly malicious)
site. The HTTP Strict Transport Security (STS) Policy addresses the
foregoing use cases by providing means for a web site to signal to
user agents that they should interact with the site only over secure
transport, and to fail any secure transport connection attempts upon
any and all errors (preferably without user recourse). This talk
outlines the various threats addressed, the countermeasures provided
by sites and user agents wielding STS, and the mechanism for signaling
the STS policy. The talk will also try to remark on CA and cert pinning.

About the Author:

Jeff Hodges is a now somewhat less befuddled but more cynical n00b in
the area of web security, who'd in prior incarnations nosed around in
the identity and directory worlds, and is haunted from time-to-time by
their ghosts. Besides struggling with 8th grade geometry and 5th grade
math in the evenings with his oh so charming sons, and trying to get
outdoors once in a while, his interests lie in seeing about making the
web..er..Internets "safer" and whatever that might entail. Of late it
means learning way more about internationalized domain names and the
ugly underbelly of PKI "infrastructure" than he ever wanted to.

He's been sighted hanging out in various Internet Engineering Task
Force (IETF) working group sessions over the years (in (web)
applications and security areas), as well as nosing about in the W3C
context, OASIS, and the Liberty Alliance (RIP). He's somewhat to blame
for some aspects of SAML and LDAP, and some derivations of the
former. The Stanford community still suffers as far as he knows with
some aspects of the Registry/Directory infrastructure he helped design
and deploy, as well as the email addressing regime based upon it.



2169 Mission St, San Francisco, CA, Earth, Milky Way, Known Universe

Finding the space can be tricky; it has a red circular logo above the
otherwise inconspicuous door, and is next to a market that sells
fruit.  It is very close to 16th and Mission BART stop.  If you're
driving, leave 15-30 minutes extra to find parking due to the heavy
traffic around there, but you do not have to pay on Sundays.


If you would like to be a speaker, or know someone who would,
please let us know.

Our Site:


Includes google calendar (never miss another meeting), directions,
link to mailing list, etc.  Please check it out.
My computer just beat me at Go, but it was no match for me at MMA.
If you are a spammer, please email john at subspacefield.org to get blacklisted.
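As an added illustration of the mechanism the talk abstract describes (this is not Jeff Hodges's code or any browser's implementation), the following Python sketch models the user-agent side of HTTP Strict Transport Security as later standardized in RFC 6797: parsing the Strict-Transport-Security response header, keeping a store of known HSTS hosts with an expiry, rewriting http:// URLs to https:// for covered hosts (including subdomains when includeSubDomains was sent), and turning TLS errors into a hard failure with no user click-through. The host names, header values and the injectable clock are constructed for the example; IP-address hosts and preload lists are not modelled.

```python
"""Toy model of the user-agent side of HTTP Strict Transport Security.

Models the core of RFC 6797: parse the Strict-Transport-Security header,
record known HSTS hosts with an expiry, rewrite http:// URLs to https://
for covered hosts, and turn TLS warnings into hard failures for them.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts_header(value):
    """Return (max_age_seconds, include_subdomains), or None if invalid.

    RFC 6797 6.1: max-age is required, directives must not be repeated,
    directive names are case-insensitive, unknown directives are ignored.
    """
    max_age, include_subdomains, seen = None, False, set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')  # value may be a quoted-string
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Known-HSTS-host cache; `now` is injectable so expiry is testable."""

    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}  # host -> (expiry timestamp, includeSubDomains flag)

    def note_header(self, host, header_value, over_tls=True):
        """Apply an STS header received from `host`.

        RFC 6797 8.1: only honoured over an error-free secure transport;
        max-age=0 removes the host. Returns True if the store changed.
        """
        if not over_tls:
            return False
        parsed = parse_sts_header(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower().rstrip(".")
        if max_age == 0:
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (self._now() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """RFC 6797 8.2: exact match, or a superdomain match that carried
        includeSubDomains; expired entries are dropped on the way."""
        labels = host.lower().rstrip(".").split(".")
        now = self._now()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= now:
                del self._hosts[candidate]
            elif i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """RFC 6797 8.3: rewrite http:// to https:// for a known host; an
        explicit port 80 becomes the https default, other ports are kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc = "%s:%d" % (netloc, parts.port)
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def connection_decision(store, host, tls_error):
    """RFC 6797 8.4: for a known HSTS host any TLS error terminates the
    connection with no click-through; other hosts get the usual warning UI."""
    if tls_error is None:
        return "connect"
    return "terminate" if store.is_known(host) else "warn-and-ask-user"


if __name__ == "__main__":
    # Constructed walk-through; example.com is a reserved name, not a real site.
    store = HstsStore()
    store.note_header("www.example.com", "max-age=31536000; includeSubDomains")
    print(store.rewrite("http://payments.www.example.com:8443/"))
    print(connection_decision(store, "www.example.com", "self-signed certificate"))
```

The two behaviours the abstract singles out are visible in the last two calls: a URL the user typed (or a link) as plain http is upgraded before any TCP connection is made, so a passive or active attacker on the network never sees a cleartext request, and a certificate error on a known host ends the connection rather than showing a dismissible warning. Note that the header is ignored unless it arrived over TLS without errors; otherwise an active attacker could set or clear the policy.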