Can HTTP Strict Transport Security Meaningfully Help Secure the Web?
nicolle neulist, June 2, 2012, Security B-Sides Detroit

o hai.

Why Think About HTTP Strict Transport Security?

Roadmap
- what is HSTS?
- how do servers implement HSTS?
- how do browsers implement HSTS?
- what are the problems in HSTS implementation, and how can they be fixed?
What Is HTTP Strict Transport Security?

HSTS at 30,000 Feet
- a policy mechanism a site uses to tell browsers to load it only over HTTPS, and to treat certificate errors for it as fatal

The HSTS Header
Strict-Transport-Security: max-age=<seconds>
Strict-Transport-Security: max-age=<seconds>; includeSubDomains
- max-age is how long, in seconds from the response, the browser should remember the policy; max-age=0 tells it to forget the host
- includeSubDomains extends the policy to every subdomain of the host that sent it
- the header is only honoured on responses received over HTTPS; on plaintext HTTP it is ignored

Things HSTS Was Designed To Address
- attackers who passively sniff traffic to gain cookies and credentials
- fake DNS server attacks
- faked websites via spoofed wireless frames
- fake sites served off of rogue wireless access points
- injection of code into insecurely embedded website content (mixed content)

Things HSTS Was Not Designed To Address
- phishing attacks
- browser vulnerabilities
- malware
How Widely Is HTTP Strict Transport Security Implemented?

How Many Sites Implement HSTS?
- according to SSL Labs, 12 out of the 600,000 sites they found with valid SSL certificates used HSTS as of spring 2010
- in their spring 2011 survey, this number rose to 162 out of 1.2 million sites with valid SSL certificates
- according to SSL Pulse, a joint project of SSL Labs and the Trustworthy Internet Movement, 1,697 of the 200,000 most popular SSL-enabled sites currently use HSTS (under 1%)

How Many Browsers Implement HSTS?
- Mozilla Firefox has implemented HSTS since version 4.0
- Google Chrome has implemented HSTS since version 4.0.211.0
- Opera has implemented HSTS since the 2.10.239 rendering engine (Opera 12.00 beta; not available in the current stable version)
- Internet Explorer and Safari do not support HSTS
How Is HTTP Strict Transport Security Implemented?

What the Server Does
- the HTTPS site sends the HSTS header to tell the browser to reach that domain name, and possibly its subdomains, only over SSL/TLS
- if the user reaches the HTTP version of the site instead, the server answers with a 301 redirect to the HTTPS version (the header itself goes on HTTPS responses only, since browsers ignore it over plaintext)

What the Browser Does: The First Visit
1. User wants to see http://www.securesite.com
2. Browser does not see www.securesite.com in its database, so it requests http://www.securesite.com
3. Server sends 301 Moved Permanently to https://www.securesite.com
4. Browser requests https://www.securesite.com
5. Server sends the https://www.securesite.com content, including its HSTS header
6. Browser saves the HSTS information for www.securesite.com
- that first plaintext request in step 2 is the window an attacker has

What the Browser Does: Remembering the List of HSTS Sites
- the list is stored with user-level privileges in the browser profile
- Firefox: sqlite3 database
- Chrome: flat text file
- handling max-age: when the user starts the browser, both Firefox and Chrome check max-ages and clear expired entries
What the Browser Does (two image-only slides; no text extracted)
What the Browser Does: Subsequent Visits to the Legitimate www.securesite.com Server
1. User wants to see http://www.securesite.com
2. Browser sees www.securesite.com in its database, so it rewrites the request to ask for https://www.securesite.com; no plaintext request is ever sent
3. Server sends the https://www.securesite.com content, including its HSTS header
4. Browser updates its HSTS information (the max-age clock restarts from this response)

What the Browser Does: What If There's an Impostor Pretending to Be the www.securesite.com Server?
1. User wants to see http://www.securesite.com
2. Browser sees www.securesite.com in its database, so it rewrites the request to ask for https://www.securesite.com
3. Malicious server returns content purported to be from https://www.securesite.com, but it is plaintext, or its certificate is not valid for www.securesite.com (wrong name, untrusted issuer, expired)
4. Browser refuses the connection and shows an error; because the host is in its HSTS list, the usual "add an exception" click-through is not offered
What Are the Problems with HTTP Strict Transport Security Implementation?

First-Visit Issue
- HSTS provides no protection the first time a user visits the site: how would the browser know about the header before it sees the header?
- the same window reopens whenever the entry expires or the profile is wiped
- Google Chrome has implemented a hard-coded preloaded list
- it used to be an array in the C++ code; now it is a JSON dataset
- it protects fresh installs and wiped profiles
- to get on the list, email the developer

Chrome Preloaded HSTS Issues
- scalability: how to keep current sites on the list, and how to prevent denial of service if a domain stops using encryption (a preloaded domain that stops serving HTTPS becomes unreachable in Chrome)
- Google may one day use an online database, like its Safe Browsing database
- malicious builds: a tampered browser binary can ship a tampered list...who MD5s their software, anyway?
Misimplementation of Subdomains
- users are lazy: they type the bare domain, not www.

Misimplementation of Subdomains: The Attack
1. User wants to see http://www.securesite.com, but only types securesite.com into his browser
2. User has a malicious DNS server configured, so DNS for securesite.com resolves to 10.0.0.1
3. Browser has an HSTS entry for www.securesite.com only, so it sends a plaintext GET request to 10.0.0.1 for http://securesite.com
4. Server at 10.0.0.1 sends malicious content passed off as http://securesite.com
5. Browser displays the spoofed http://securesite.com to the user

Misimplementation of Subdomains: Why the Browser Never Learned About securesite.com
1. User wants to see http://www.securesite.com, but only types securesite.com into his browser
2. Browser goes to http://securesite.com
3. Server sends 302 Found to https://securesite.com
4. Browser requests https://securesite.com
5. Server sends 301 Moved Permanently to https://www.securesite.com, with no HSTS header on that response
6. Browser requests https://www.securesite.com
7. Server responds with the https://www.securesite.com content, including an HSTS header for www.securesite.com only

Misimplementation of Subdomains: The Fix
- if securesite.com is just a redirect to www.securesite.com, then securesite.com needs an HSTS header of its own, sent on the HTTPS redirect response
- sending it from the bare domain with includeSubDomains covers www.securesite.com and every other subdomain in one line, provided every subdomain really is served over HTTPS
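The header syntax, the first-visit and revisit flows, and the bare-domain misimplementation above can all be exercised against a small model of a browser's HSTS store. The following is an added example, not code from the talk or from any browser: it assumes a constructed table of server responses for securesite.com (the same hostnames as the slides; the rogue DNS server at 10.0.0.1 is not modelled, nor is certificate validation), parses the Strict-Transport-Security header the way the spec requires (ignored over plaintext, max-age=0 forgets the host, includeSubDomains matches ancestors), and then asks which URL the browser sends on a second visit to the bare domain with and without the fix.

```python
# Added example (not the talk's code): a toy model of a browser's HSTS store,
# the first-visit/revisit flow, and the bare-domain misimplementation.
# All hostnames and server responses below are constructed for illustration.
import time


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    malformed (no max-age, non-numeric or duplicate max-age); a browser then
    ignores the whole header rather than guessing.
    """
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":  # directive names are case-insensitive
            include_sub = True
        # unknown directives are ignored
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """The per-profile HSTS list: host -> (expiry timestamp, includeSubDomains)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.entries = {}

    def record(self, host, scheme, header):
        """Apply an HSTS header from a response for `host` received over `scheme`."""
        if scheme != "https" or header is None:
            return False  # the header means nothing over plaintext HTTP
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.entries.pop(host.lower(), None)  # max-age=0: forget the host
        else:
            self.entries[host.lower()] = (self.clock() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or an includeSubDomains ancestor, has an unexpired entry."""
        now = self.clock()
        self.entries = {h: e for h, e in self.entries.items() if e[0] > now}
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts before anything hits the wire."""
        scheme, _, rest = url.partition("://")
        host = rest.split("/", 1)[0].split(":")[0]
        return "https://" + rest if scheme == "http" and self.is_known(host) else url


def browse(store, url, responses):
    """Follow a redirect chain against a table of constructed server responses
    {url: (status, location, hsts_header)}; returns the URLs actually requested."""
    requested = []
    while True:
        url = store.rewrite(url)
        requested.append(url)
        status, location, hsts = responses[url]
        scheme, _, rest = url.partition("://")
        store.record(rest.split("/", 1)[0], scheme, hsts)
        if status not in (301, 302):
            return requested
        url = location


HSTS = "max-age=31536000"
HSTS_ALL = "max-age=31536000; includeSubDomains"

# The misimplemented site from the slides: only www.securesite.com sends the header.
BROKEN = {
    "http://securesite.com": (302, "https://securesite.com", None),
    "https://securesite.com": (301, "https://www.securesite.com", None),
    "http://www.securesite.com": (301, "https://www.securesite.com", None),
    "https://www.securesite.com": (200, None, HSTS),
}
# The fix: the bare domain's HTTPS redirect carries the header, with includeSubDomains.
FIXED = {**BROKEN, "https://securesite.com": (301, "https://www.securesite.com", HSTS_ALL)}


def second_visit(responses, typed="http://securesite.com"):
    """The first URL the browser sends when the user types `typed` again after one
    complete visit; an http:// answer is the window a rogue DNS server exploits."""
    store = HstsStore()
    browse(store, typed, responses)
    return browse(store, typed, responses)[0]
```

With BROKEN, second_visit returns http://securesite.com: the browser learned about www.securesite.com but was never told anything about securesite.com, so the plaintext request goes out again and a rogue resolver can answer it. With FIXED it returns https://securesite.com, and because the entry carries includeSubDomains a lookup for any deeper name under securesite.com is upgraded too. The model also shows why a header on the http://securesite.com 302 would not help: record() discards anything not received over HTTPS.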
HSTS Database Adulteration
- HSTS lists are saved in the user profile
- no root or Administrator permissions are required to change a max-age, or just delete the HSTS database
- why is this a problem? hitting the legitimate site again will resend the header information, but until then the browser is back to the first-visit state
- dangerous when paired with a rogue DNS server, which can make sure the next visit never reaches the legitimate site

HSTS Database Adulteration: clean_hsts.rb
- Windows Metasploit post-exploitation module
- clears out HSTS databases for both Firefox and Chrome
- installs a Windows registry key to clear out the database on boot for the user, or for all users if the script has administrative privileges
- available at http://www.rogueclown.net/clean_hsts.rb

HSTS Database Adulteration: How Can This Be Fixed?
- Google Chrome's preloaded HSTS list (the list lives in the binary, not the profile)
- any other ways to get around this, given the design goal of a mechanism transparent to the user?
Any Questions?
- email: rogueclown@rogueclown.net
- Twitter: @rogueclown
- website: http://www.rogueclown.net
- or, just find me at the conference!