Attention to detail gives rise to perfection,
and perfection is no longer a trifle. (Michelangelo Buonarroti)

Since 2012, web resource administrators have had a new technology available: HTTP Strict Transport Security (HSTS), a mechanism that forces a secure connection over HTTPS. This security policy lets the browser establish a secure connection immediately, instead of going through HTTP first. The mechanism uses a special Strict-Transport-Security HTTP header to switch a user who entered the site via HTTP over to the HTTPS server [1].
HSTS aims to close the following attack scenarios:

| Vulnerability | How HSTS helps |
| --- | --- |
| The user bookmarks or types http://example.com/ into the address bar and becomes the victim of a man-in-the-middle attack. | HSTS automatically converts HTTP requests to HTTPS for the target domain. |
| A web application that is supposed to be used strictly over HTTPS negligently contains HTTP links or serves content over HTTP. | HSTS automatically converts HTTP requests to HTTPS for the target domain. |
| A man-in-the-middle attacker tries to intercept the victim's traffic using a fake certificate, hoping that the user will not pay attention to the invalid-certificate warning. | HSTS does not allow the user to click through the certificate warning. |
Turning on this technology is easier than ever: you need to return the Strict-Transport-Security HTTP header at the moment the user enters the site via HTTPS:

Strict-Transport-Security: max-age=expireTime [; includeSubDomains]

expireTime: the time in seconds for which the browser should remember that this site must be visited exclusively via HTTPS.
includeSubDomains (optional): if this parameter is specified, the rule also applies to all subdomains.
What does it give
If the website accepts HTTP connections and redirects them to HTTPS, the user can easily reach the unencrypted version of the site before the redirect, for example by typing http://example.com/ or, even simpler, example.com into the address bar. This opens up the potential for man-in-the-middle attacks, in which, instead of the redirect to the original encrypted page, the user is sent straight to the attacker's website.
The HTTP Strict Transport Security mechanism allows the website to inform the browser that it should not use HTTP and should instead, on its own side, automatically convert all HTTP requests to HTTPS.
For example, you connect to an open Wi-Fi access point in a public place and open your favorite bank's online banking site to check the balance and make a couple of payments. Unfortunately, the access point you are using is actually a malicious user's laptop that intercepts your HTTP requests and, instead of the original bank site, redirects you to a cloned page. Your data falls directly into his hands.
HSTS solves this problem. If you have at least once successfully connected to the bank's website via HTTPS with Strict Transport Security enabled, the browser will automatically start using HTTPS for all requests. This rules out man-in-the-middle attacks of the type described above.
What does the browser do
The first time a site is visited via HTTPS and returns the Strict-Transport-Security header, the browser remembers the specified information, and all further attempts to access the site via HTTP are automatically converted to HTTPS.
When the timeout specified in the Strict-Transport-Security header expires, the next attempt to load the site via HTTP proceeds as usual and no automatic redirection to HTTPS takes place.
Whenever the Strict-Transport-Security header is received, the browser updates the timeout, i.e. sites have the ability to refresh this information and prevent the timeout from expiring (or, conversely, to shorten it for some reason).
By the way: the Strict-Transport-Security header is ignored by the browser when the connection is over HTTP, since an attacker can intercept an HTTP connection and alter the header. The browser treats the site as HSTS-enabled and honors the Strict-Transport-Security header only if the site was reached via HTTPS without certificate errors.
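To make the browser-side behavior described above concrete, here is an added example (not from the original article or any browser's code base) that models a browser's HSTS cache in Python: the header is honored only over HTTPS with a valid certificate, every fresh header resets the timeout, an expired entry lets plain HTTP through again, max-age=0 forgets the host, and includeSubDomains extends the rule to subdomains. The parse_sts function, the HstsStore class and its injected clock are hypothetical names chosen for this illustration.

```python
import time
from urllib.parse import urlsplit

def parse_sts(value):
    """Parse a Strict-Transport-Security value -> (max_age, include_subdomains), or None."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = (s.strip() for s in directive.lower().partition("="))
        if name == "max-age":
            arg = arg.strip('"')
            if not arg.isdigit():      # max-age must be a non-negative integer
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Hypothetical model of a browser's HSTS cache: host -> (expiry, includeSubDomains)."""
    def __init__(self, now=time.time):
        self.now = now        # clock is injected so expiry can be simulated
        self.entries = {}

    def process_response(self, url, header, cert_valid=True):
        """Record the header only if it came over HTTPS with a valid certificate."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not cert_valid:
            return False      # header over HTTP or behind a cert error is ignored
        parsed = parse_sts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.entries.pop(host, None)   # max-age=0 tells the browser to forget the host
        else:                              # every fresh header resets the timeout
            self.entries[host] = (self.now() + max_age, include_sub)
        return True

    def upgrade(self, url):
        """URL the browser really fetches: https if a live entry covers the host or a parent with includeSubDomains."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return parts._replace(scheme="https").geturl()
        return url            # no live entry: plain HTTP goes out as typed
```

Real browsers also rewrite an explicit port 80 to 443 and consult the preload list; this model keeps only the header-driven state the article discusses.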
Browser Support
- Chromium and Google Chrome from version 4.0.211.0
- Firefox since version 4 [ 2 ]; with Firefox 17, Mozilla has implemented a list of websites that support HSTS.
- Opera since version 12
- Safari from OS X Mavericks
Implementation details
The Strict-Transport-Security header should only be sent over HTTPS. Clients must not process HSTS headers sent in non-HTTPS responses, or over HTTPS with invalid or incorrectly configured certificates. The configuration snippets below belong inside the SSL context, and the code samples assume HTTPS responses only.
Keep in mind that the max-age directive is expressed in seconds. The 31536000 seconds (12 months) in the examples below may be changed depending on how long the web server administrator intends to serve the site exclusively over HTTPS. It is recommended to set max-age to a fairly large value, such as 31536000 (12 months) or 63072000 (24 months) [3].
Apache implementation
# load the module (using RHEL / CentOS as the example)
LoadModule headers_module modules/mod_headers.so
<VirtualHost 10.0.0.1:443>
    # Secure HTTP connections
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
Implementation in nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
Predefined HSTS sites
There is a gap during which a user with a freshly installed browser or reset settings is vulnerable, since the browser has not yet seen the header. For this reason, Chrome and Firefox maintain a list of “preloaded” HSTS resources. The following domains are configured to use HSTS out of the box:
- Google
- Paypal
- Twitter
- Torproject
- passport.yandex.ru
The full list of sites is available at:
http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json [4]
For self-study:
- ru.wikipedia.org: HSTS
- developer.mozilla.org: HTTP Strict Transport Security
- en.wikipedia.org: HTTP Strict Transport Security
- dev.chromium.org: HTTP Strict Transport Security
- www.owasp.org: Top 10 2010-A9-Insufficient Transport Layer Protection
- security.stackexchange.com: HSTS?
- habrahabr.ru: All on https, safe and cheap
- habrahabr.ru: On the way to creating a secure web resource. Part 1 - server software