towards https everywhere and strict transport security (was: Has there been a change in US banking regulations recently?)

=JeffH Jeff.Hodges at KingsMountain.com
Fri Aug 20 14:58:52 EDT 2010


fyi, this is a heads-up about on-going work in this area...

pgut001 at cs.auckland.ac.nz wondered:
 > I noticed that Bank of America ... now finally use HTTPS on their home
 > page, and redirect HTTP to HTTPS ...  Wachovia now do it too.  And Citibank
 > at least redirect you to an HTTPS page.  And so does US Bank ...
 > What on earth happened?  Was there a change in banking regulations in
 > the last few months?


fungi at yuggoth.org replied:
 >
 > On Fri, Aug 13, 2010 at 09:32:57AM -0700, Jeff Simmons noted:
 >
 >> It wouldn't surprise me if there's been some blowback from the
 >> adoption of PCI-DSS (Payment Card Industry Data Security
 >> Standards). As someone who has had to help several small to medium
 >> size businesses comply with these 'voluntary' standards, the irony
 >> of the fact that the big banks that require them often aren't in
 >> compliance themselves hasn't escaped my notice.
 >
 > In the past month, we've had several customers at work suddenly insist that
 > we make modifications to their firewalls and/or load balancers to redirect
 > *all* incoming HTTP traffic to HTTPS (which of course isn't always entirely
 > sane to do on proxying devices, but they apparently don't trust their server
 > admins to maintain an HTTP redirect). Most of them cited requirements from
 > their PCI-DSS auditors. ...


Coincidentally with this apparent PCI-induced trickle-down of default 
employment of HTTPS, there's been relatively recent work on enabling web sites' 
declaration of security policies, and browser-side enforcement of such.

Presently there's a patchwork quilt of approaches; two in particular are 
directly on-topic with the spirit of the above questions and observations...

   EFF's HTTPS Everywhere (Peter Eckersley et al)
   https://www.eff.org/https-everywhere/

   HTTP Strict Transport Security (HSTS)
   http://en.wikipedia.org/wiki/Strict_Transport_Security


WRT the latter, we're forming a new IETF WG where it'll be finalized, along 
with a couple of other I-Ds (which are related patches in the quilt)..

   HASMAT Charter Proposal
   http://www.ietf.org/mail-archive/web/hasmat/current/msg00006.html


Not-coincidentally, the W3C is working towards establishing a web app security 
working group, where the related Mozilla "content security policy" work (as 
well as present W3C work on secure Cross-Origin Resource Sharing) is slated to 
land..

   W3C Web App Security WG charter strawman
   http://www.w3.org/2010/07/appsecwg-charter.html

   Content Security Policy
   http://people.mozilla.com/~bsterne/content-security-policy/


pgut001 at cs.auckland.ac.nz also observed:
 >
 >  Given the million [0] easier attack vectors against
 > web sites, which typically range from "trivial" all the way up to "relatively
 > easy" ...
 > [0] Figure exaggerated slightly for effect.

Indeed. WRT this plethora of web attack vectors, the present patchwork quilt 
of remedies, and thoughts on how to go about more holistically approaching the 
issues, please see..

   The Need for Coherent Web Security Policy Framework(s)
   http://w2spconf.com/2010/papers/p11.pdf



HTH,

=JeffH
Internet Standards and Governance Team
PayPal Information Risk Management
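
HSTS as the browser sees it, as an added example that is not part of JeffH's message or of the HSTS specification's own code: a small model of the client-side known-hosts store that separates a server-side HTTP-to-HTTPS redirect (what fungi's customers asked for) from a browser-enforced policy that never sends the insecure request at all. Host names, header values and the clock are constructed for illustration.

```python
# Added example, not JeffH's or the HSTS spec's code: a minimal model of browser-side HSTS enforcement.
import re, time
from urllib.parse import urlsplit, urlunsplit

_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)

def parse_sts(header):
    """Return (max_age, include_subdomains), or None if max-age is missing."""
    m = _MAX_AGE.search(header)
    if not m:
        return None
    directives = [d.strip().lower() for d in header.split(";")]
    return int(m.group(1)), "includesubdomains" in directives

class HstsStore:
    """The client's list of known HSTS hosts; entries expire after max-age seconds."""
    def __init__(self, now=time.time):
        self.now = now
        self.hosts = {}  # host -> (expiry_time, include_subdomains)

    def observe(self, host, scheme, header):
        if scheme != "https":
            return False  # policy set over plain HTTP is ignored (attacker-controllable)
        parsed = parse_sts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 asks the client to forget the host
        else:
            self.hosts[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        labels = host.split(".")
        for i in range(len(labels)):  # host itself, then each parent domain
            candidate = ".".join(labels[i:])
            expiry, include_sub = self.hosts.get(candidate, (0, False))
            if expiry <= self.now():
                self.hosts.pop(candidate, None)  # absent or stale: drop it
            elif i == 0 or include_sub:
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// for known hosts before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url
```

Port mapping and the hard-fail on certificate errors that the real policy also requires are left out to keep the model short.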



