Can HTTP Strict Transport Security Meaningfully Help Secure the Web?

nicolle neulist

June 2, 2012

Security B-Sides Detroit

o hai.

Why Think About HTTP Strict Transport Security?


Roadmap

● what is HSTS?

● how do servers implement HSTS?

● how do browsers implement HSTS?

● what are the problems in HSTS implementation, and how can they be fixed?

What Is HTTP Strict Transport Security?

HSTS at 30,000 Feet

policy mechanism used to force browsers to show a website securely.

The HSTS Header

Strict-Transport-Security: max-age=expireTime

Strict-Transport-Security: max-age=expireTime; includeSubdomains

Things HSTS Was Designed To Address

● attackers who passively sniff traffic to gain cookies and credentials

● fake DNS server attacks

● faked websites via spoofed wireless frames

● fake sites served off of rogue wireless access points

● injection of code into insecurely embedded website content


Things HSTS Was Not Designed To Address

● phishing attacks

● browser vulnerabilities

● malware

How Widely Is HTTP Strict Transport Security Implemented?

How Many Sites Implement HSTS?

● according to SSL Labs, 12 out of 600,000 sites they found with valid SSL certificates used HSTS as of Spring 2010

● in their Spring 2011 survey, this number rose to 162 out of 1.2 million sites with valid SSL certificates

● according to SSL Pulse, a joint project of SSL Labs and Trustworthy Internet Movement, 1,697 of the 200,000 most popular SSL-enabled sites currently use HSTS.


How Many Browsers Implement HSTS?

● Mozilla Firefox has implemented HSTS since version 4.0

● Google Chrome has implemented HSTS since version 4.0.211.0

● Opera has implemented HSTS since the 2.10.239 rendering engine (Opera 12.00 Beta; not available in current stable version)

● Internet Explorer and Safari do not support HSTS.

How Is HTTP Strict Transport Security Implemented?

What the Server Does

● HTTPS site sends HSTS header to let browser know to only accept that domain name, and possibly its subdomains, with SSL/TLS encryption

● if the user reaches the HTTP version of the site instead, send a 301 redirect to the HTTPS version

What the Browser Does

The First Visit

User wants to see http://www.securesite.com
↓
Browser does not see www.securesite.com in its database, so it requests http://www.securesite.com
↓
Server sends 301 Permanent Redirect to https://www.securesite.com
↓
Browser requests https://www.securesite.com
↓
Server sends https://www.securesite.com content, including its HSTS header
↓
Browser saves HSTS header information about www.securesite.com

What the Browser Does

● remembering the list of HSTS sites

    ● user-level privileges in browser profile

    ● Firefox: sqlite3 database

    ● Chrome: flat text file

● handling max-age

    ● when user starts browser, both Firefox and Chrome check max ages and clear expired entries

What the Browser Does

Subsequent Visits To Legitimate www.securesite.com Server

User wants to see http://www.securesite.com
↓
Browser sees www.securesite.com in its database, so it rewrites the request to ask for https://www.securesite.com
↓
Server sends https://www.securesite.com content, including its HSTS header
↓
Browser updates HSTS header information

What the Browser Does

What If There's An Impostor Pretending To Be The www.securesite.com Server?

User wants to see http://www.securesite.com
↓
Browser sees www.securesite.com in its database, so it rewrites the request to ask for https://www.securesite.com
↓
Malicious server returns content purported to be from https://www.securesite.com, but it is plaintext, or the certificate does not match the one trusted by the browser
↓
Browser returns server error

What Are The Problems With HTTP Strict Transport Security Implementation?

First-Visit Issue

● HSTS provides no protection the first time a user visits the site

    ● how would the browser know about the header before it sees the header?

● Google Chrome has implemented a hard-coded list

    ● used to be an array in the C++ code; now a JSON dataset

    ● protect fresh installs and wiped profiles

    ● to get on the list, email the developer


Chrome Preloaded HSTS Issues

● scalability

● how to keep current sites on the list, and prevent denial of service if a domain stops using encryption

● Google may one day use an online database, like its Safe Browsing Database

● malicious builds

● ...who MD5s their software, anyway?

Misimplementation of Subdomains

users are lazy.

Misimplementation of Subdomains

User wants to see http://www.securesite.com, but only types securesite.com into his browser
↓
User has a malicious DNS server configured, so DNS for securesite.com resolves to 10.0.0.1.
↓
Browser sends GET request to 10.0.0.1 for http://securesite.com
↓
Server at 10.0.0.1 sends malicious content passed off as http://securesite.com
↓
Browser displays spoofed http://securesite.com to User

Misimplementation of Subdomains

User wants to see http://www.securesite.com, but only types securesite.com into his browser
↓
Browser goes to http://securesite.com
↓
Server sends 302 Found for https://securesite.com
↓
Browser requests https://securesite.com
↓
Server sends 301 Permanent Redirect to https://www.securesite.com
↓
Browser requests https://www.securesite.com
↓
Server responds with https://www.securesite.com content, including HSTS header for www.securesite.com

Misimplementation of Subdomains

if securesite.com is just a redirect to www.securesite.com, then securesite.com needs an HSTS header.
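The redirect chain on the subdomain slides, and the server-side behaviour from "What the Server Does", worked as an added example that is not code from the talk. A constructed table of responses stands in for the site; `follow` walks the redirects the way a browser would, and `audit` reports any plaintext hop whose host never sends a Strict-Transport-Security header anywhere in the chain, since that host stays reachable over plain HTTP on every later visit (the window the rogue-DNS slide uses). The second table applies the fix from the last slide: the bare domain sends the header on its own redirect. The `hsts_header` helper, the host names and the response tables are all constructed for this example.

```python
from urllib.parse import urlsplit

# Added example, not code from the talk: a constructed model of the site on the
# "Misimplementation of Subdomains" slides.  Each URL maps to (status, headers);
# plain-HTTP endpoints only redirect, as the "What the Server Does" slide says.


def hsts_header(max_age, include_subdomains=False):
    """Build the Strict-Transport-Security value in the two forms shown on the slides."""
    value = "max-age=%d" % max_age
    if include_subdomains:
        value += "; includeSubdomains"
    return value


ONE_YEAR = 31536000

# The broken deployment: only www.securesite.com ever sends the header.
BROKEN_SITE = {
    "http://securesite.com/": (302, {"Location": "https://securesite.com/"}),
    "https://securesite.com/": (301, {"Location": "https://www.securesite.com/"}),
    "http://www.securesite.com/": (301, {"Location": "https://www.securesite.com/"}),
    "https://www.securesite.com/": (200, {"Strict-Transport-Security": hsts_header(ONE_YEAR)}),
}

# The fix from the last slide: the bare domain sends the header on its redirect too.
FIXED_SITE = dict(BROKEN_SITE)
FIXED_SITE["https://securesite.com/"] = (301, {
    "Location": "https://www.securesite.com/",
    "Strict-Transport-Security": hsts_header(ONE_YEAR),
})


def follow(site, url, limit=10):
    """Follow redirects from url; return [(url, status, hsts_value_or_None), ...].

    Browsers only honour the header over HTTPS, so it is recorded only on https hops.
    """
    hops = []
    for _ in range(limit):
        status, headers = site[url]
        hsts = headers.get("Strict-Transport-Security") if url.startswith("https://") else None
        hops.append((url, status, hsts))
        if status not in (301, 302):
            return hops
        url = headers["Location"]
    raise RuntimeError("redirect loop at %s" % url)


def audit(site, start_url):
    """Report plaintext hops whose host never sends HSTS anywhere in the chain.

    Such a host is requested over plain HTTP again on every later visit, because
    the browser never learns a policy for it.
    """
    hops = follow(site, start_url)
    covered = {urlsplit(u).hostname for u, _, h in hops if h}
    unprotected = [u for u, _, _ in hops
                   if u.startswith("http://") and urlsplit(u).hostname not in covered]
    return hops, unprotected


if __name__ == "__main__":
    for name, site in (("broken", BROKEN_SITE), ("fixed", FIXED_SITE)):
        hops, unprotected = audit(site, "http://securesite.com/")
        print(name, "->", [u for u, _, _ in hops], "unprotected:", unprotected)
```

Run against the broken table the audit flags `http://securesite.com/`; against the fixed table it flags nothing, and a user who starts at `http://www.securesite.com/` was never exposed in either case, because that host does send the header.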


HSTS Database Adulteration

● HSTS lists are saved in user profile

● no root or Administrator permissions required to change max-age, or just delete the HSTS database

● why is this a problem?

● hitting the legitimate site again will resend the header information

● dangerous when paired with a rogue DNS server

HSTS Database Adulteration

● clean_hsts.rb

    ● Windows Metasploit post-exploitation module

    ● clears out HSTS databases for both Firefox and Chrome

    ● installs a Windows registry key to clear out the database on boot for the user, or all users if the script has administrative privileges

    ● available at http://www.rogueclown.net/clean_hsts.rb

HSTS Database Adulteration

● how can this be fixed?

    ● Google Chrome Preloaded HSTS

    ● any other ways to get around this, given the design goal of a mechanism transparent to the user?
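The browser-side behaviour from the "What the Browser Does" slides (first visit, subsequent visits, the impostor case, max-age expiry at startup) together with the two problems just discussed (the wiped profile database and the preloaded list as its fix), as one added example that is not Firefox's or Chrome's code. `HstsStore` stands in for the per-profile database plus a preloaded table; `visit` drives one navigation against a constructed table of server replies, where `tls_ok=False` models the impostor whose certificate does not match. The class and function names, the host names, the preload entry and all replies are constructed for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Added example: a simplified model of the browser side of HSTS.  Not Firefox's
# or Chrome's code; hosts, replies and the preloaded entry are constructed.
MAX_AGE_RE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


class HstsStore:
    def __init__(self, preloaded=None):
        self.entries = {}                 # profile database: host -> (expiry, include_subdomains)
        self.preloaded = preloaded or {}  # shipped with the browser: host -> include_subdomains

    def process_header(self, host, value, now):
        """Record a Strict-Transport-Security header received over HTTPS from host."""
        m = MAX_AGE_RE.search(value)
        if m is None:
            return False                  # no usable max-age: header ignored
        directives = {d.strip().lower() for d in value.split(";")}
        host = host.lower()
        if int(m.group(1)) == 0:
            self.entries.pop(host, None)  # a zero max-age tells the browser to forget the host
        else:
            self.entries[host] = (now + int(m.group(1)), "includesubdomains" in directives)
        return True

    def is_known(self, host, now):
        """True if host, or a parent whose policy has includeSubdomains, is unexpired or preloaded."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            if name in self.entries:
                expiry, subs = self.entries[name]
                if expiry > now and (i == 0 or subs):
                    return True
            if name in self.preloaded and (i == 0 or self.preloaded[name]):
                return True
        return False

    def rewrite(self, url, now):
        """Rewrite http:// to https:// for known hosts before anything is sent."""
        p = urlsplit(url)
        if p.scheme == "http" and p.hostname and self.is_known(p.hostname, now):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url

    def purge_expired(self, now):
        """Startup housekeeping from the slides: drop entries whose max-age has passed."""
        expired = sorted(h for h, (exp, _) in self.entries.items() if exp <= now)
        for h in expired:
            del self.entries[h]
        return expired

    def wipe_profile(self):
        """What deleting the on-disk database does; the preloaded table is untouched."""
        self.entries.clear()


def visit(store, url, now, replies):
    """One navigation.  replies maps URL -> {"status": 301, "location": ...} or
    {"status": 200, "hsts": ..., "tls_ok": ...}.  Returns (final_url or None, steps)."""
    steps = []
    for _ in range(5):  # redirect budget
        url = store.rewrite(url, now)
        steps.append(("request", url))
        reply = replies[url]
        p = urlsplit(url)
        if p.scheme == "https" and not reply.get("tls_ok", True):
            steps.append(("error", "certificate mismatch or plaintext reply; no click-through"))
            return None, steps
        if reply["status"] in (301, 302):
            url = reply["location"]
            continue
        if p.scheme == "https" and "hsts" in reply:
            store.process_header(p.hostname, reply["hsts"], now)
            steps.append(("store", p.hostname))
        return url, steps
    return None, steps


LEGIT = {
    "http://www.securesite.com/": {"status": 301, "location": "https://www.securesite.com/"},
    "https://www.securesite.com/": {"status": 200, "hsts": "max-age=3600", "tls_ok": True},
}
IMPOSTOR = {"https://www.securesite.com/": {"status": 200, "tls_ok": False}}


def demo():
    store = HstsStore(preloaded={"preloaded.example": True})  # constructed preload entry
    _, first = visit(store, "http://www.securesite.com/", 1000, LEGIT)    # plaintext first hop
    _, second = visit(store, "http://www.securesite.com/", 1001, LEGIT)   # rewritten up front
    final, _ = visit(store, "http://www.securesite.com/", 1002, IMPOSTOR)  # hard failure
    purged = store.purge_expired(5000)                                     # entry has aged out
    store.wipe_profile()
    kept = store.rewrite("http://www.preloaded.example/", 5000)            # preload still applies
    return first[0][1], second[0][1], final, purged, kept


if __name__ == "__main__":
    print(demo())
```

`demo` reproduces the slides in order: the first request leaves as plain HTTP, the second is rewritten to HTTPS before it is sent, the impostor produces an error with no policy change, the entry disappears once its max-age has elapsed, and after the profile database is wiped only the preloaded host is still upgraded. That last line is the whole argument for the preloaded list: it is the one piece of state an attacker with user-level file access cannot delete.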


Any Questions?

● email: [email protected]

● Twitter: @rogueclown

● website: http://www.rogueclown.net

● or, just find me at the conference!