Can HTTP Strict Transport Security Meaningfully Help Secure the Web?
nicolle neulist, June 2, 2012, Security B-Sides Detroit


o hai.

Why Think About HTTP Strict Transport Security?

Roadmap
- what is HSTS?
- how do servers implement HSTS?
- how do browsers implement HSTS?
- what are the problems in HSTS implementation, and how can they be fixed?

What Is HTTP Strict Transport Security?

HSTS at 30,000 Feet
- a policy mechanism a website uses to force browsers to load it only over a secure (HTTPS) connection

The HSTS Header
- Strict-Transport-Security: max-age=expiretime
- Strict-Transport-Security: max-age=expiretime; includeSubDomains
- expiretime is the number of seconds the browser should remember the policy

Things HSTS Was Designed To Address
- attackers who passively sniff traffic to gain cookies and credentials
- fake DNS server attacks
- faked websites via spoofed wireless frames
- fake sites served off of rogue wireless access points
- injection of code into insecurely embedded website content

Things HSTS Was Not Designed To Address
- phishing attacks
- browser vulnerabilities
- malware

How Widely Is HTTP Strict Transport Security Implemented?

How Many Sites Implement HSTS?
- according to SSL Labs, 12 out of the 600,000 sites they found with valid SSL certificates used HSTS as of Spring 2010
- in their Spring 2011 survey, this number rose to 162 out of 1.2 million sites with valid SSL certificates
- according to SSL Pulse, a joint project of SSL Labs and the Trustworthy Internet Movement, 1,697 of the 200,000 most popular SSL-enabled sites currently use HSTS

How Many Browsers Implement HSTS?
- Mozilla Firefox has implemented HSTS since version 4.0
- Google Chrome has implemented HSTS since version 4.0.211.0
- Opera has implemented HSTS since the 2.10.239 rendering engine (Opera 12.00 Beta; not available in the current stable version)
- Internet Explorer and Safari do not support HSTS

How Is HTTP Strict Transport Security Implemented?

What the Server Does
- the HTTPS site sends the HSTS header to let the browser know to accept that domain name, and possibly its subdomains, only with SSL/TLS encryption
- if the user reaches the HTTP version of the site instead, the server sends a 301 redirect to the HTTPS version

What the Browser Does: The First Visit
1. User wants to see http://www.securesite.com
2. Browser does not see www.securesite.com in its database, so it requests http://www.securesite.com
3. Server sends 301 Permanent Redirect to https://www.securesite.com
4. Browser requests https://www.securesite.com
5. Server sends https://www.securesite.com content, including its HSTS header
6. Browser saves the HSTS header information about www.securesite.com

What the Browser Does: Remembering the List of HSTS Sites
- stored with user-level privileges in the browser profile
  - Firefox: sqlite3 database
  - Chrome: flat text file
- handling max-age: when the user starts the browser, both Firefox and Chrome check max-ages and clear expired entries


What the Browser Does: Subsequent Visits to the Legitimate www.securesite.com Server
1. User wants to see http://www.securesite.com
2. Browser sees www.securesite.com in its database, so it rewrites the request to ask for https://www.securesite.com
3. Server sends https://www.securesite.com content, including its HSTS header
4. Browser updates its HSTS header information

What the Browser Does: What If There's an Impostor Pretending To Be the www.securesite.com Server?
1. User wants to see http://www.securesite.com
2. Browser sees www.securesite.com in its database, so it rewrites the request to ask for https://www.securesite.com
3. Malicious server returns content purported to be from https://www.securesite.com, but it is plaintext, or the certificate does not match the one trusted by the browser
4. Browser returns a server error

What Are the Problems With HTTP Strict Transport Security Implementation?

First-Visit Issue
- HSTS provides no protection the first time a user visits the site: how would the browser know about the header before it sees the header?
- Google Chrome has implemented a hard-coded list
  - used to be an array in the C++ code; now a JSON dataset
  - protects fresh installs and wiped profiles
  - to get on the list, email the developer
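As an added illustration (not from the talk, and not any browser's real code), here is a small Python model of the browser side described above: parsing the header, keeping a per-host store that honours max-age, consulting a preload list for hosts never visited, and rewriting http:// requests to https:// before they are sent. It also shows that an entry for www.securesite.com does not cover a bare securesite.com request. PRELOADED, HstsStore and the host names are constructed for the example; only the header syntax is the real thing.

```python
import time
# Constructed stand-in for Chrome's hard-coded preload list (assumption):
# host -> whether the preloaded entry also covers its subdomains.
PRELOADED = {"preloaded.example": True}

def parse_sts_header(value):
    """Parse 'max-age=N[; includeSubDomains]' into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = (s.strip() for s in directive.partition("="))
        if name.lower() == "max-age":
            max_age = int(arg.strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub

class HstsStore:
    """In-memory model of the per-profile HSTS database a browser keeps."""
    def __init__(self, now=time.time):
        self.now = now                 # injectable clock, so expiry can be tested
        self.entries = {}              # host -> (expires_at, include_subdomains)

    def remember(self, host, header_value):
        """Record or refresh the host after an HTTPS response carried the header."""
        max_age, include_sub = parse_sts_header(header_value)
        if max_age == 0:               # max-age=0 tells the browser to forget the host
            self.entries.pop(host.lower(), None)
        else:
            self.entries[host.lower()] = (self.now() + max_age, include_sub)

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a live entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), i == 0
            if candidate in PRELOADED and (exact or PRELOADED[candidate]):
                return True
            entry = self.entries.get(candidate)
            if entry and entry[0] > self.now() and (exact or entry[1]):
                return True
        return False                   # first visit: no entry, no protection

    def rewrite(self, url):
        """Rewrite http:// to https:// for a known host, before any request is sent."""
        scheme, _, rest = url.partition("://")
        host = rest.split("/", 1)[0].split(":", 1)[0]
        return "https://" + rest if scheme == "http" and self.is_known(host) else url
```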

Chrome Preloaded HSTS Issues
- scalability: how to keep current sites on the list, and prevent denial of service if a domain stops using encryption
- Google may one day use an online database, like its Safe Browsing database
- malicious builds... who MD5s their software, anyway?

Misimplementation of Subdomains
- users are lazy.

Misimplementation of Subdomains: With a Rogue DNS Server
1. User wants to see http://www.securesite.com, but only types securesite.com into his browser
2. User has a malicious DNS server configured, so DNS for securesite.com resolves to 10.0.0.1
3. Browser sends a GET request to 10.0.0.1 for http://securesite.com
4. Server at 10.0.0.1 sends malicious content passed off as http://securesite.com
5. Browser displays the spoofed http://securesite.com to User

Misimplementation of Subdomains: Why the Browser Never Learned About securesite.com
1. User wants to see http://www.securesite.com, but only types securesite.com into his browser
2. Browser goes to http://securesite.com
3. Server sends 302 Found for https://securesite.com
4. Browser requests https://securesite.com
5. Server sends 301 Permanent Redirect to https://www.securesite.com
6. Browser requests https://www.securesite.com
7. Server responds with https://www.securesite.com content, including an HSTS header for www.securesite.com only

Misimplementation of Subdomains
- if securesite.com is just a redirect to www.securesite.com, then securesite.com needs an HSTS header too.
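As an added example (not from the talk, and not the site's own code), a minimal WSGI application in Python that behaves the way the server-side slides require, including the fix just stated: plain HTTP gets a 301 to HTTPS, and both securesite.com and www.securesite.com send the header on their HTTPS responses, so the bare-domain redirect is covered too. The host names, the one-year max-age and the respond() helper are constructed for the example.

```python
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
CANONICAL = "www.securesite.com"   # constructed: the host that serves the real content

def app(environ, start_response):
    """WSGI application answering for securesite.com and www.securesite.com."""
    host = environ.get("HTTP_HOST", CANONICAL).split(":")[0].lower()
    path = environ.get("PATH_INFO") or "/"
    if environ.get("QUERY_STRING"):
        path += "?" + environ["QUERY_STRING"]
    if environ.get("wsgi.url_scheme") != "https":
        # Plain HTTP never serves content, only a 301 to the HTTPS site.
        # No HSTS header here: browsers only honour it on an HTTPS response.
        start_response("301 Moved Permanently",
                       [("Location", "https://" + host + path)])
        return [b""]
    if host != CANONICAL:
        # The bare domain only redirects to www, but it is an HTTPS response, so it
        # must carry HSTS too; otherwise the browser never learns securesite.com is HSTS.
        start_response("301 Moved Permanently",
                       [("Location", "https://" + CANONICAL + path), HSTS])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain"), HSTS])
    return [b"secure content\n"]

def respond(scheme, host, path="/"):
    """Drive app() with a constructed WSGI environ; returns (status, headers, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host,
               "PATH_INFO": path, "QUERY_STRING": ""}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

if __name__ == "__main__":
    for case in [("http", "www.securesite.com", "/login"),
                 ("https", "securesite.com", "/login"),
                 ("https", "www.securesite.com", "/login")]:
        status, headers, _ = respond(*case)
        print(case, status, headers.get("Location"), headers.get(HSTS[0]))
```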

HSTS Database Adulteration
- HSTS lists are saved in the user profile: no root or Administrator permissions are required to change max-age, or to just delete the HSTS database
- why is this a problem? after all, hitting the legitimate site again will resend the header information
- dangerous when paired with a rogue DNS server: the browser has forgotten the policy, and the next visit never reaches the legitimate site to relearn it

HSTS Database Adulteration: clean_hsts.rb
- Windows Metasploit post-exploitation module
- clears out HSTS databases for both Firefox and Chrome
- installs a Windows registry key to clear out the database on boot for the user, or for all users if the script has administrative privileges
- available at http://www.rogueclown.net/clean_hsts.rb

HSTS Database Adulteration: How Can This Be Fixed?
- Google Chrome preloaded HSTS
- any other ways to get around this, given the design goal of a mechanism transparent to the user?

Any Questions?
- email: rogueclown@rogueclown.net
- Twitter: @rogueclown
- website: http://www.rogueclown.net
- or, just find me at the conference!