The Importance of Implementing Strict Transport Security
Authors: Ronan Dunne & Anthony Caldwell
What you will learn
STS is a relatively straightforward setting to enable.
What you will know
HSTS is a necessary and sufficient protocol for sensitive web traffic.
It is clear by now that even mainstream media reports are becoming more aware of application security issues. From point-of-sale malware at prominent retail outlets (Moshe, 2014) to criminal gangs amassing stolen credentials (Perlroth and Gelles, 2014), attackers are targeting everyone from Fortune 500 companies and celebrities to small businesses and the average user. Particularly concerning to security experts is the knowledge that most web applications are still vulnerable, given that 63 percent of companies do not believe that they can stop the exfiltration of confidential information (Ponemon, 2014). This article focuses on the security of the basic transactions between web applications, whether wired or wireless. The importance of secure transmission cannot be overstated given the volume and sensitivity of the financial transactions, social media interactions, educational programmes and mass communications occurring each second worldwide.
What is HSTS?
Hodges, Jackson and Barth (2014) specify, in RFC 6797, the mechanism by which websites may declare themselves HTTP Strict Transport Security (HSTS) hosts. HTTP itself (RFC 2616), typically carried over the Transmission Control Protocol (TCP), has security issues that led to the development of the Secure Sockets Layer (SSL) protocol (RFC 6101) and subsequently Transport Layer Security (TLS) (RFC 5246). STS, or ‘Strict Transport Security’, requires the host to return the STS header field in response messages sent over secure transport. In simple terms, an HSTS policy directs user agents to communicate with the host only over secure transport, and it specifies how long that policy is to be retained.
The HSTS threat model may be understood by considering three broad security perspectives: the passive network attack, the active network attack and the web development error. In a passive network attack, the malicious actor eavesdrops on unencrypted IP-based connections, such as HTTP, regardless of whether the local wireless network itself is secured. Active attacks include impersonating a user’s DNS server, spoofing wireless network frames and so on. It is important to note that simple mistakes in application development, such as loading a cascading style sheet or Shockwave Flash (SWF) content over an insecure connection, can lead to vulnerabilities. Given the prevalence of phishing attacks, HSTS complements the existing defences against phishing by protecting session integrity and authentication tokens in the browser.
HSTS Header Parameters
The HSTS header carries two directives: max-age and includeSubDomains. The max-age directive sets the expiry time and governs how long the browser remembers that a particular website may only be accessed over HTTPS. The includeSubDomains directive is optional and specifies that STS is enforced for all of the site's sub-domains as well.
Figure 1 The STS parameters.
Setting the HSTS Header Server-Side
It is a simple matter to enable the HSTS header on either IIS or Apache. In Apache, for example, this is done by editing the vhosts file. Since the header should only be sent on HTTPS connections, it is added to the VirtualHost section for port 443.
Figure 2 Code to enable HTTP Strict Transport Security for Apache.
How the browser handles HSTS
When a web application is accessed via HTTP, the HSTS header is ignored by the browser, because an attacker could intercept the HTTP connection and inject or remove the header. However, when a web application is accessed over HTTPS with no certificate errors, the browser treats the application as HTTPS-capable and enforces the Strict-Transport-Security header: any subsequent attempt to load the site using HTTP will automatically use HTTPS instead. When the expiration time specified by the Strict-Transport-Security header elapses, the next attempt to load the site via HTTP proceeds as normal instead of automatically using HTTPS. Whenever the Strict-Transport-Security header is delivered to the browser, the expiration time for that site is updated, so sites can refresh this information and prevent the policy from expiring. To protect the end user on the client side, Chrome allows the user to query a domain for its HSTS state. Figure 2 below shows this by navigating to the following address: chrome://net-internals/#hsts.
Figure 2 Chrome’s net-internals HSTS query facility.
Additional functions allow the user to add a domain to or delete a domain from the HSTS set, to include sub-domains for HSTS and for public key pinning (PKP), and to add a public key fingerprint.
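The browser behaviour described above (ignore the header over plain HTTP, honour it over HTTPS, refresh the expiry on every receipt, stop upgrading once max-age has elapsed, and forget the host on max-age=0, as RFC 6797 section 6.1.1 specifies) can be modelled in a few dozen lines. The following Python is an added example written for this article, not code from the authors, from Chrome or from RFC 6797; the host names are constructed, the clock is a plain integer so the test can step it, and certificate validation is assumed to have already passed.

```python
"""Toy model of a user agent's known-HSTS-host store (RFC 6797)."""
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when max-age is missing or not a non-negative integer,
    in which case a UA must ignore the header.
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Known HSTS hosts: host -> (expiry_time, include_subdomains)."""

    def __init__(self):
        self.hosts = {}

    def receive(self, url, response_headers, now):
        """Process one response. Returns True if the store was changed."""
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme != "https":
            return False  # over plain HTTP the header could be injected, so ignore it
        value = next((v for n, v in response_headers
                      if n.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        parsed = parse_sts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0: cease treating host as an HSTS host
            return True
        self.hosts[host] = (now + max_age, include_sub)  # every receipt refreshes expiry
        return True

    def is_known(self, host, now):
        """True if host itself, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if now >= expiry:
                continue  # policy elapsed: plain HTTP is allowed again
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade http:// to https:// for known hosts, as a browser does before sending."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            # Port 80 maps to the HTTPS default; any explicit non-default port is kept.
            netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore()
    hdr = [("Strict-Transport-Security", "max-age=3600; includeSubDomains")]
    store.receive("https://example.test/", hdr, now=0)
    print(store.rewrite("http://example.test/login", now=10))   # upgraded to https
    print(store.rewrite("http://example.test/login", now=3600)) # expired, stays http
```

Stepping `now` past the stored expiry, or delivering `max-age=0`, shows why a site should keep sending the header on every HTTPS response: the policy only lasts as long as the most recent max-age the browser saw.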
Testing for HSTS
To observe the traffic emanating from a web application, this article refers to two common open source tools used by security professionals worldwide to detect the presence of the HSTS header: OWASP Zed Attack Proxy (ZAP) and Burp Suite Pro. OWASP’s ZAP provides passive scanner facilities which enumerate the requests and responses from web applications. Part of the passive scan policy is to look for the Strict-Transport-Security (HSTS) header. The tool reports if the header is missing, and it is then up to the application security engineer to manually verify that this is the case. Figure 3 below shows the OWASP Zed Attack Proxy tool detecting the lack of the HSTS header. The next step for the application security engineer is to find the specific requests which transport sensitive information and to inform the application developer to update the application server accordingly.
Figure 3 OWASP Zed Attack Proxy detecting the lack of the HSTS header.
Figure 4 below shows how Burp Suite Pro’s ‘Additional Scanner Checks’ extension identifies a missing HSTS header.
Figure 4 Burp Suite’s Additional Scanner Checks extension.
In Figure 5 we can see that there is no "Strict-Transport-Security" header in the server response.
Figure 5 Burp’s Additional Scanner Checks extension reporting the missing header.
Figure 6 The HSTS header has been set.
Man in the Middle Attack Scenario
The man in the middle attack (MitM) is quite common and is typically used to steal credentials. A successful MitM attack can harvest users’ credentials, hijack sessions, impersonate the user to gather email addresses and passwords, access messages, edit the victim’s profile and even alter or manage the victim’s pages. Among the highest profile attacks of this nature, one of the most publicised was the LinkedIn case, where security researchers at the Bishop Fox consultancy discovered the vulnerability (InfoSecurity, 2013). Essentially, LinkedIn used HTTPS connections for user login pages but neglected to use HTTP Strict Transport Security (HSTS), which would have prevented sensitive communications from being sent over HTTP and forced all communications over HTTPS.
Today, stripping SSL with tools such as Wireshark, WebSpy, SSLStrip and FireSheep is a relatively straightforward process. Such tools search the traffic from web applications for HTTPS links and redirect them to mapped look-alike HTTP links or homograph-similar HTTPS links (Security Ninja, 2009).
Figure 7 Wireshark, WebSpy, SSLStrip and FireSheep can be used to strip SSL from HTTPS traffic.
Figure 8 A site with no HSTS header implemented allows the user to proceed anyway and accept the risk.
When the HSTS header is implemented, the ‘Proceed Anyway’ option is removed, taking the decision away from the user and enforcing the strict transport security policy, as shown in Figure 9.
Figure 9 The ‘Proceed Anyway’ option removed by the HSTS header, enforcing strict transport security (HSTS).
There is a straightforward process to remediate this:
- Turn on SSL
- Set the Secure flag on cookies
- Use Strict Transport Security (HTTP header): Strict-Transport-Security: max-age=0; includeSubDomains
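The passive checks that ZAP and Burp perform in the "Testing for HSTS" section, together with the first two items of the remediation list above, can be reproduced offline against captured responses. The Python below is an added example written for this article; it is not ZAP's or Burp's rule code, and the responses it scans are constructed samples for a hypothetical host, not traffic from any real site. Beyond the missing-header case the article shows, it also flags a Strict-Transport-Security header sent over plain HTTP (which browsers ignore), a Set-Cookie without the Secure flag, and a max-age of zero, which under RFC 6797 section 6.1.1 tells the browser to stop treating the host as an HSTS host rather than to enforce the policy.

```python
"""Offline passive check for HSTS and Secure-cookie hygiene over captured responses."""
import re

# Constructed sample traffic (url, raw response); not captured from a real site.
SAMPLE_TRAFFIC = [
    ("https://app.example.test/login",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
     "Set-Cookie: session=abc123; HttpOnly\r\n\r\n<html>"),
    ("https://app.example.test/account",
     "HTTP/1.1 200 OK\r\n"
     "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
     "Set-Cookie: session=abc123; Secure; HttpOnly\r\n\r\n<html>"),
    ("http://app.example.test/",
     "HTTP/1.1 301 Moved Permanently\r\nLocation: https://app.example.test/\r\n"
     "Strict-Transport-Security: max-age=31536000\r\n\r\n"),
]

# max-age=0 (optionally quoted) as the whole directive value, case-insensitive.
_ZERO_MAX_AGE = re.compile(r'max-age\s*=\s*"?0"?\s*(?:;|$)', re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP response into (status_code, [(lowercased name, value), ...])."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split(" ")[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_code, headers


def check_response(url, raw):
    """Return the list of findings for one (url, raw response) pair; empty means clean."""
    findings = []
    scheme = url.split("://", 1)[0].lower()
    _status, headers = parse_response(raw)
    sts = [v for n, v in headers if n == "strict-transport-security"]
    cookies = [v for n, v in headers if n == "set-cookie"]
    if scheme == "https":
        if not sts:
            findings.append("missing Strict-Transport-Security header on HTTPS response")
        elif _ZERO_MAX_AGE.search(sts[0]):
            findings.append("Strict-Transport-Security max-age=0 removes the policy instead of enforcing it")
    elif sts:
        findings.append("Strict-Transport-Security sent over plain HTTP (browsers ignore it)")
    for cookie in cookies:
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("Set-Cookie without Secure flag: " + cookie.split("=", 1)[0])
    return findings


def scan(traffic):
    """Map each URL with at least one finding to its findings, like a passive scan report."""
    report = {}
    for url, raw in traffic:
        findings = check_response(url, raw)
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, findings in scan(SAMPLE_TRAFFIC).items():
        print(url)
        for f in findings:
            print("  -", f)
```

As with the real tools, a hit is a prompt for manual verification: the engineer still has to confirm which of the flagged responses carry sensitive data before asking the developer to change the server configuration.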
Today’s consumers carry out millions of sensitive downloads, uploads and transfers a second, ranging from social media updates to financial transactions. This article emphasises the importance of enforcing HTTPS for these transactions, particularly when sensitive information is transmitted. SSL stripping tools have the capacity to intercept and redirect the unsuspecting end user to a malicious location, thus facilitating a man in the middle (MitM) attack. The security threat landscape is more challenging and dynamic than ever, so any technique which may reduce these threats becomes critical.
Dunne, R. (2014). HTTP Strict Transport Security (HSTS). Available at http://dunnesec.com/category/attacks-defence/http-strict-transport-security-hsts/, retrieved 01/10/2014.
Gov UK (2014). Using behavioural insights to improve the public’s use of cyber security best practices. Available at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/309652/14-835-cyber-security-behavioural-insights.pdf, retrieved 08/10/2014.
Hodges, J., Jackson, C. and Barth, A. (2014). Internet Engineering Task Force (IETF) Request for Comments: 6797. Available at http://www.rfc-editor.org/info/rfc6797, retrieved 06/10/2014.
InfoSecurity (2013). Researchers: LinkedIn Intro is a Man-in-the-Middle Attack. Available at http://www.infosecurity-magazine.com/news/researchers-linkedin-intro-is-a-man-in-the-middle/, retrieved 08/10/2014.
Moshe, S. (2014). Here We Go Again: From Target to Home Depot. Available at http://www.cyactive.com/go-target-home-depot/, retrieved 08/10/2014.
Perlroth, N. and Gelles, D. (2014). Russian Hackers Amass Over a Billion Internet Passwords. Available at http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=3, retrieved 08/10/2014.
Ponemon (2014). Exposing the Cybersecurity Cracks: A Global Perspective. Available at http://www.websense.com/assets/reports/report-ponemon-2014-exposing-cybersecurity-cracks-en.pdf, retrieved 03/10/2014.
Security Ninja (2009). What are homograph attacks? Available at http://www.securityninja.co.uk/hacking/what-are-homograph-attacks/, retrieved 08/10/2014.
Ronan Dunne holds a degree in Computer Security and Digital Forensics; he is SSCP certified and is in the process of completing his MSc in Systems and Software Security. He is currently working as an Application Security Engineer for a Fortune 500 company.
Anthony Caldwell holds an MSc in Experimental Physics and an MPhil in Information Systems Research, and is currently engaged in PhD research in science education. He is SSCP certified and works as an application security engineer and independent security researcher. He has published work on modelling user behaviour in response to cyberthreats using structural equation modelling techniques, the Zed Attack Proxy and web application security.