Cатсн²² (in)sесuяitу / ChrisJohnRiley

If you’re a sad geek like me you’ve probably already heard of HSTS (HTTP Strict Transport Security). HSTS is designed to solve an issue where you access a web server using HTTP and are automatically redirected to the HTTPS equivalent (usually through a 301 or 302 response and a new location header).

To most this seems like a perfectly acceptable solution, until you start thinking about the Man in the Middle issues of this kind of redirection. Most users don’t type https://mybank.com after all. They just type mybank.com and expect the browser and server to sort it out themselves…. and to be honest, they should. Users shouldn’t need to understand security to BE secure. It’s something that the server architects, web designers, and programmers of the world need to get together to solve.

So, the first step in securing this hole is finally beginning to be implemented. HSTS is still a way off yet (it’s just been implemented into the Firefox 4 nightly builds, and appears to be supported in Chromium), but it’s already looking promising.

HTTP Strict Transport Security works by allowing servers to return an additional header along with their 301 or 302 redirection. This Strict-Transport-Security: header allows the server to set a max-age (and optionally an includeSubDomains parameter) which is read by a compatible browser (currently limited).

Strict-Transport-Security Header

The browser will then remember the setting and next time it’s asked to connect to the server (even if it’s entered as an http:// address) the browser will request the https:// version.

Type http:// get https://

A couple of issues:

• An initial HTTP request still needs to be made (opening for MitM)
• Sub-domains need to be included to ensure everything is secured (addition of the includeSubDomains parameter)
• How is Private browsing (i.e porn mode) handled? I see 2 possibilities here:
  • HSTS info is deleted along with everything else (reduced security)
  • HSTS info is retained (secure, but breaks privacy)

I’m looking forward to HSTS being implemented across a broader range of browsers, although this is going to take a long time (IE6 has only just started to die after all). Still, anything we can do to solve part of the problem is worthwhile doing.

UPDATE: I looked briefly into the private browsing situation (at least with Firefox 4 nightly) and as I thought, it forgets the HSTS settings. Preferring privacy and protection of your visited sites over the security offered by HSTS. I guess this makes sense… Still, it renders HSTS mute for many of us who run in private browsing mode all the time (for privacy reasons!). I’d like to see an option to retain these. Maybe in the next nightly?

Links:

• Firefox 4: HTTP Strict Transport Security (force HTTPS) –> LINK
• Firefox nightly builds (with HSTS support) –> LINK
• HSTS Draft –> LINK
• Chromium Strict Transport Security –> LINK

Test Sites (sites supporting HSTS):

• http://www.paypal.com
• http://www.ssllabs.com
• http://www.defcon.org
• http://www.elanex.biz
• jottit.com
• sunshinepress.org
• http://www.noisebridge.net