Can HTTP Strict Transport Security Meaningfully Help Secure the Web?
nicolle neulist, June 2, 2012
Security B-Sides Detroit
Roadmap
● what is HSTS?
● how do servers implement HSTS?
● how do browsers implement HSTS?
● what are the problems in HSTS implementation, and how can they be fixed?
The HSTS Header
Strict-Transport-Security: max-age=expireTime
Strict-Transport-Security: max-age=expireTime; includeSubdomains
Things HSTS Was Designed To Address
● attackers who passively sniff traffic to gain cookies and credentials
● fake DNS server attacks
● faked websites via spoofed wireless frames
● fake sites served off of rogue wireless access points
● injection of code into insecurely embedded website content
How Many Sites Implement HSTS?
● according to SSL Labs, 12 out of 600,000 sites they found with valid SSL certificates used HSTS as of Spring 2010
● in their Spring 2011 survey, this number rose to 162 out of 1.2 million sites with valid SSL certificates
● according to SSL Pulse, a joint project of SSL Labs and Trustworthy Internet Movement, 1,697 of the 200,000 most popular SSL-enabled sites currently use HSTS.
How Many Browsers Implement HSTS?
● Mozilla Firefox has implemented HSTS since version 4.0
● Google Chrome has implemented HSTS since version 4.0.211.0
● Opera has implemented HSTS since the 2.10.239 rendering engine (Opera 12.00 Beta; not available in current stable version)
● Internet Explorer and Safari do not support HSTS.
What the Server Does
● HTTPS site sends HSTS header to let browser know to only accept that domain name, and possibly its subdomains, with SSL/TLS encryption
● if the user reaches the HTTP version of the site instead, the server answers with a 301 redirect to the HTTPS version
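The server side described above, as an added example that is not from the talk: a minimal WSGI app that answers plain HTTP with a 301 to the same path over HTTPS and sends the HSTS header only on TLS responses, on the bare domain as well as www. The hostnames, the one-year max-age, the assumption that a TLS terminator sets wsgi.url_scheme, and the call() helper are all assumptions.

```python
from urllib.parse import quote

HSTS_MAX_AGE = 60 * 60 * 24 * 365   # one year, in seconds (chosen for this example)
# Both the apex and www send the header; an apex that only redirects still needs it.
PROTECTED_HOSTS = {"securesite.com", "www.securesite.com"}   # constructed names

def hsts_app(environ, start_response):
    # wsgi.url_scheme is assumed to be set by the TLS terminator in front of the app.
    host = environ.get("HTTP_HOST", "").split(":")[0].lower()
    path = environ.get("PATH_INFO", "/")
    query = environ.get("QUERY_STRING", "")
    if environ.get("wsgi.url_scheme") != "https":
        # Plain HTTP: 301 to the same path on HTTPS. The HSTS header is NOT sent
        # here; browsers only honour it on a TLS-protected response.
        location = "https://" + host + quote(path) + ("?" + query if query else "")
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]
    body = b"hello over TLS"
    headers = [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))]
    if host in PROTECTED_HOSTS:
        headers.append(("Strict-Transport-Security",
                        "max-age=%d; includeSubDomains" % HSTS_MAX_AGE))
    start_response("200 OK", headers)
    return [body]

def call(environ):
    """Test/REPL helper (assumed, not part of WSGI): returns (status, headers dict, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)
    body = b"".join(hsts_app(environ, start_response))
    return captured["status"], captured["headers"], body

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Plain-HTTP listener, enough to watch the 301 happen with a browser or curl.
    make_server("127.0.0.1", 8080, hsts_app).serve_forever()
```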
What the Browser Does
The First Visit
User wants to see http://www.securesite.com
↓
Browser does not see www.securesite.com in its database, so it requests http://www.securesite.com
↓
Server sends 301 Permanent Redirect to https://www.securesite.com
↓
Browser requests https://www.securesite.com
↓
Server sends https://www.securesite.com content, including its HSTS header
↓
Browser saves HSTS header information about www.securesite.com
What The Browser Does
● remembering the list of HSTS sites
  ● user-level privileges in browser profile
  ● Firefox: sqlite3 database
  ● Chrome: flat text file
● handling max-age
  ● when user starts browser, both Firefox and Chrome check max ages and clear expired entries
What the Browser Does
Subsequent Visits To Legitimate www.securesite.com Server
User wants to see http://www.securesite.com
↓
Browser sees www.securesite.com in its database, so it rewrites the request to ask for https://www.securesite.com
↓
Server sends https://www.securesite.com content, including its HSTS header
↓
Browser updates HSTS header information
What the Browser Does
What If There's An Impostor Pretending To Be The www.securesite.com Server?
User wants to see http://www.securesite.com
↓
Browser sees www.securesite.com in its database, so it rewrites the request to ask for https://www.securesite.com
↓
Malicious server returns content purported to be from https://www.securesite.com, but it is plaintext, or the certificate does not match the one trusted by the browser
↓
Browser returns server error
First-Visit Issue
● HSTS provides no protection the first time a user visits the site
● how would the browser know about the header before it sees the header?
● Google Chrome has implemented a hard-coded list
  ● used to be an array in the C++ code; now a JSON dataset
  ● protects fresh installs and wiped profiles
  ● to get on the list, email the developer
Chrome Preloaded HSTS Issues
● scalability
● how to keep current sites on the list, and prevent denial of service if a domain stops using encryption
● Google may one day use an online database, like its Safe Browsing Database
● malicious builds
● ...who MD5s their software, anyway?
Misimplementation of Subdomains
User wants to see http://www.securesite.com, but only types securesite.com into his browser
↓
User has a malicious DNS server configured, so DNS for securesite.com resolves to 10.0.0.1.
↓
Browser sends GET request to 10.0.0.1 for http://securesite.com
↓
Server at 10.0.0.1 sends malicious content passed off as http://securesite.com
↓
Browser displays spoofed http://securesite.com to User
Misimplementation of Subdomains
User wants to see http://www.securesite.com, but only types securesite.com into his browser
↓
Browser goes to http://securesite.com
↓
Server sends 302 Found for https://securesite.com
↓
Browser requests https://securesite.com
↓
Server sends 301 Permanent Redirect to https://www.securesite.com
↓
Browser requests https://www.securesite.com
↓
Server responds with https://www.securesite.com content, including HSTS header for www.securesite.com
Misimplementation of Subdomains
if securesite.com is just a redirect to www.securesite.com, then securesite.com needs an HSTS header.
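The browser behaviour from the three "What the Browser Does" flows (first visit, subsequent visits, max-age expiry) together with the apex/www gap from the "Misimplementation of Subdomains" slides, as an added example that is not from the talk or from any browser's code: a toy user-agent HSTS store. Host names, the clock values and the class name are constructed for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

class HstsStore:
    """Toy per-profile HSTS list: host -> (expires_at, include_subdomains)."""
    def __init__(self):
        self._entries = {}

    def record(self, host, header, now):
        """Apply a Strict-Transport-Security header received over HTTPS."""
        directives = {}
        for part in header.split(";"):
            name, _, value = part.strip().partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
        if not re.fullmatch(r"\d+", directives.get("max-age", "")):
            return                                  # no usable max-age: ignore header
        max_age = int(directives["max-age"])
        host = host.lower()
        if max_age == 0:
            self._entries.pop(host, None)           # max-age=0 means "forget me"
            return
        self._entries[host] = (now + max_age, "includesubdomains" in directives)

    def purge_expired(self, now):
        """What Firefox and Chrome do at startup: drop entries past max-age."""
        self._entries = {h: e for h, e in self._entries.items() if e[0] > now}

    def is_known(self, host, now):
        """Exact match always counts; a parent domain only with includeSubdomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade http:// to https:// before any request leaves the browser."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or "", now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

if __name__ == "__main__":
    store, t0 = HstsStore(), 1_000_000                            # constructed clock
    store.record("www.securesite.com", "max-age=31536000", t0)    # only www sends it
    print(store.rewrite("http://www.securesite.com/", t0 + 1))    # upgraded to https
    print(store.rewrite("http://securesite.com/", t0 + 1))        # apex: left as http
```

Only the apex sending its own header (with includeSubdomains, if the whole zone is HTTPS) closes the gap the rogue-DNS flow relies on.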
HSTS Database Adulteration
● HSTS lists are saved in user profile
● no root or Administrator permissions required to change max-age, or just delete the HSTS database
● why is this a problem?
● hitting the legitimate site again will resend the header information
● dangerous when paired with a rogue DNS server
HSTS Database Adulteration
● clean_hsts.rb
  ● Windows Metasploit post-exploitation module
  ● clears out HSTS databases for both Firefox and Chrome
  ● installs a Windows registry key to clear out the database on boot for the user, or all users if the script has administrative privileges
  ● available at http://www.rogueclown.net/clean_hsts.rb
HSTS Database Adulteration
● how can this be fixed?
  ● Google Chrome Preloaded HSTS
  ● any other ways to get around this, given the design goal of a mechanism transparent to the user?
Any Questions?
● email: [email protected]
● Twitter: @rogueclown
● website: http://www.rogueclown.net
● or, just find me at the conference!