Can HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit

Transcription

1 Can HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit 1

2 2 o hai.

3 3 Why Think About HTTP Strict Transport Security?

4 Roadmap what is HSTS? how do servers implement HSTS? how do browsers implement HSTS? what are the problems in HSTS implementation, and how can they be fixed? 4

5 5 What Is HTTP Strict Transport Security?

6 HSTS at 30,000 Feet policy mechanism used to force browsers to show a website securely. 6

7 The HSTS Header Strict-Transport-Security: max-age=expiretime Strict-Transport-Security: max-age=expiretime; includesubdomains 7

8 Things HSTS Was Designed To Address attackers who passively sniff traffic to gain cookies and credentials fake DNS server attacks faked websites via spoofed wireless frames fake sites served off of rogue wireless access points injection of code into insecurely embedded website content 8

9 Things HSTS Was Not Designed To Address phishing attacks browser vulnerabilities malware 9

10 10 How Widely Is HTTP Strict Transport Security Implemented?

11 How Many Sites Implement HSTS? according to SSL Labs, 12 out of 600,000 sites they found with valid SSL certificates used HSTS as of Spring 2010 in their Spring 2011 survey, this number rose to 162 out of 1.2 million sites with valid SSL certificates according to SSL Pulse, a joint project of SSL Labs and Trustworthy Internet Movement, 1,697 of the 200,000 most popular SSL-enabled sites currently use HSTS. 11

12 How Many Browsers Implement HSTS? Mozilla Firefox has implemented HSTS since version 4.0 Google Chrome has implemented HSTS since version Opera has implemented HSTS since the rendering engine (Opera Beta; not available in current stable version) Internet Explorer and Safari do not support HSTS. 12

13 13 How Is HTTP Strict Transport Security Implemented?

14 What the Server Does HTTPS site sends HSTS header to let browser know to only accept that domain name, and possibly its subdomains, with SSL/TLS encryption if the user reaches HTTP version of the site instead, 301 redirect 14

15 What the Browser Does The First Visit User wants to see Browser does not see in its database, so it requests Server sends 301 Permanent Redirect to Browser requests Server sends content, including its HSTS header Browser saves HSTS header information about 15

16 What The Browser Does remembering the list of HSTS sites user-level privileges in browser profile Firefox: sqlite3 database Chrome: flat text file handling max-age when user starts browser, both Firefox and Chrome check max ages and clear expired entries 16

17 17 What the Browser Does

18 18 What the Browser Does

19 What the Browser Does Subsequent VisitsTo Legitimate Server User wants to see Browser sees in its database, so it rewrites the request to ask for Server sends content, including its HSTS header Browser updates HSTS header information 19

20 What the Browser Does What If There's An Impostor Pretending To Be The Server? User wants to see Browser sees in its database, so it rewrites the request to ask for Malicious server returns content purported to be from but it is plaintext, or the certificate does not match the one trusted by the browser Browser returns server error 20

21 21 What Are The Problems With HTTP Strict Transport Security Implementation?

22 First-Visit Issue HSTS provides no protection the first time a user visits the site how would the browser know about the header before it sees the header? Google Chrome has implemented a hard-coded list used to be an array in the C++ code; now a JSON dataset protect fresh installs and wiped profiles to get on the list, the developer 22

23 Chrome Preloaded HSTS Issues scalability how to keep current sites on the list, and prevent denial of service if a domain stops using encryption Google may one day use an online database, like its Safe Browsing Database malicious builds...who MD5s their software, anyway? 23

24 Misimplementation of Subdomains users are lazy. 24

25 Misimplementation of Subdomains User wants to see but only types securesite.com into his browser User has a malicious DNS server configured, so DNS for securesite.com resolves to Browser sends GET request to for Server at sends malicous content passed off as Browser displays spoofed to User 25

26 Misimplementation of Subdomains User wants to see but only types securesite.com into his browser Browser goes to Server sends 302 Found for Browser requests Server sends 301 Permanent Redirect to Browser requests Server responds with content, including HSTS header for 26

27 Misimplementation of Subdomains if securesite.com is just a redirect to then securesite.com needs an HSTS header. 27

28 HSTS Database Adulteration HSTS lists are saved in user profile no root or Administrator permissions required to change max-age, or just delete the HSTS database why is this a problem? hitting the legitimate site again will resend the header information dangerous when paired with a rogue DNS server 28

29 HSTS Database Adulteration clean_hsts.rb Windows Metasploit post-exploitation module clears out HSTS databases for both Firefox and Chrome installs a Windows registry key to clear out the database on boot for the user, or all users if the script has administrative privileges available at 29

30 HSTS Database Adulteration how can this be fixed? Google Chrome Preloaded HSTS any other ways to get around this, given the design goal of a mechanism transparent to the user? 30

31 Any Questions? website: or, just find me at the conference! 31