Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: firefox

HTTP Strict Transport Security

If you’re a sad geek like me you’ve probably already heard of HSTS (HTTP Strict Transport Security). HSTS is designed to solve an issue where you access a web server using HTTP and are automatically redirected to the HTTPS equivalent (usually through a 301 or 302 response and a new Location header).

To most this seems like a perfectly acceptable solution, until you start thinking about the Man in the Middle issues of this kind of redirection. Most users don’t type https://mybank.com after all. They just type mybank.com and expect the browser and server to sort it out themselves… and to be honest, they should. Users shouldn’t need to understand security to BE secure. It’s something that the server architects, web designers, and programmers of the world need to get together to solve.

So, the first step in securing this hole is finally beginning to be implemented. HSTS is still a way off yet (it’s just been implemented into the Firefox 4 nightly builds, and appears to be supported in Chromium), but it’s already looking promising.

HTTP Strict Transport Security works by allowing servers to return an additional header along with their 301 or 302 redirection. This Strict-Transport-Security: header allows the server to set a max-age (and optionally an includeSubDomains parameter), which is read by a compatible browser (currently a limited set).

Strict-Transport-Security Header

The browser will then remember the setting and next time it’s asked to connect to the server (even if it’s entered as an http:// address) the browser will request the https:// version.

Type http:// get https://

A couple of issues:

  • An initial HTTP request still needs to be made (opening for MitM)
  • Sub-domains need to be included to ensure everything is secured (addition of the includeSubDomains parameter)
  • How is Private browsing (i.e. porn mode) handled? I see 2 possibilities here:
    • HSTS info is deleted along with everything else (reduced security)
    • HSTS info is retained (secure, but breaks privacy)

I’m looking forward to HSTS being implemented across a broader range of browsers, although this is going to take a long time (IE6 has only just started to die after all). Still, anything we can do to solve part of the problem is worthwhile doing.

UPDATE: I looked briefly into the private browsing situation (at least with Firefox 4 nightly) and, as I thought, it forgets the HSTS settings, preferring privacy and protection of your visited sites over the security offered by HSTS. I guess this makes sense… Still, it renders HSTS moot for many of us who run in private browsing mode all the time (for privacy reasons!). I’d like to see an option to retain these. Maybe in the next nightly?
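To make the mechanism concrete, here is an added example (not code from the post, Firefox or Chromium) that models the browser side: parsing the Strict-Transport-Security header, remembering max-age and includeSubDomains per host, expiring entries, and deciding whether a typed http:// URL gets upgraded. The host names and header values are constructed for illustration, and the header is only honoured over HTTPS, as the HSTS spec requires.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """Minimal model of a browser's HSTS store: host -> (expiry, includeSubDomains)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised
        self.entries = {}

    def process_header(self, host, header, over_https):
        """Record a Strict-Transport-Security header; returns True if it was accepted."""
        if not over_https:      # the spec ignores the header on plain-HTTP responses
            return False
        max_age, include_subs = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                value = value.strip().strip('"')
                if not value.isdigit():
                    return False            # malformed max-age: reject the whole header
                max_age = int(value)
            elif name == "includesubdomains":
                include_subs = True
        if max_age is None:
            return False                    # max-age is mandatory
        if max_age == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 tells the browser to forget the host
            return True
        self.entries[host.lower()] = (self.now() + max_age, include_subs)
        return True

    def should_upgrade(self, host):
        """True if host (or a parent with includeSubDomains) is a known, unexpired HSTS host."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expiry, include_subs = entry
            if self.now() >= expiry:
                del self.entries[candidate]   # expired: behave as if never seen
                continue
            if i == 0 or include_subs:
                return True
        return False


def rewrite_url(cache, url):
    """'Type http:// get https://': upgrade a plain-http URL for a known HSTS host (ports dropped)."""
    p = urlsplit(url)
    if p.scheme == "http" and p.hostname and cache.should_upgrade(p.hostname):
        return urlunsplit(("https", p.hostname, p.path, p.query, p.fragment))
    return url
```

The private-browsing behaviour described in the update corresponds to simply discarding the `entries` dict at the end of the session, after which every host is back to the initial plain-HTTP request.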


  • Firefox 4: HTTP Strict Transport Security (force HTTPS) –> LINK
  • Firefox nightly builds (with HSTS support) –> LINK
  • HSTS Draft –> LINK
  • Chromium Strict Transport Security –> LINK

Test Sites (sites supporting HSTS):

Firefox search add-ons for Security-Nerds™

After looking over the slide deck from Michael “theprez98” Schearer’s Blackhat Webcast, I decided (like a lot of people I’m sure) to have a quick look at what Firefox add-ons were available to make penetration testing using the browser a little easier. My portable Firefox edition already has a number of extensions installed for the usual stuff. Things like FoxyProxy, Web Developer Toolbar, Fire/FlashBug and the SQL Inject Me, Access Me and XSS Me tools from Security Compass have been installed for a long time. They come in useful for specific tasks, even when I’m not doing Web app testing. One thing I’d not really looked at though was the possibility of adding to the search providers list (found in the upper right-hand corner).

Firefox Search

By default the drop-down list comes with your typical default options (Google, Yahoo, Wikipedia and a few others). These are all nice and everything, but for what we do, they’re not always the sources we need. After all, if you know you want to search for a CVE number, then why Google for it? Best to go straight to the source, and pull up the info you need quickly and efficiently. So with that in mind, here are a few nice additions to the search list in Firefox.

  • CVE dictionary search plugin
  • Open Source Vulnerability Database Search
  • OVAL Repository
  • Packet Storm
  • RFC Search Plugin
  • Pcapr search
  • Exploit DB
  • CIRT Default Password-DB (CIRT.net)

This isn’t a complete list by any means, but hopefully it’s a good start. I’ve not had a chance to run these through a transparent proxy to see the exact information being sent/received, so your mileage may vary. Use at your own risk.