Protecting Against HSTS Abuse (opens in new tab)

(webkit.org)

191 pointsjatoben8y ago39 comments

39 comments

29 comments · 8 top-level

dmm8y ago· 10 in thread

Why don't browsers just try https first? So if I type "example.com" into the box it tries https://example.com.

Why is implementing HSTS and preserving the current behavior more useful?

HSTS is trying to protect against a specific kind of Man-in-the-Middle (MITM) attack: when the man in the middle pretends that the website you are trying to access does not support HTTPS.

I believe trying HTTPS first wouldn't help: the MITM would refuse your connection, and your browser will try HTTP after that.

With HSTS, the server tells your browser that it is going to support HTTPS for a while. Now, if your first connection to server is secure (no MITM), from now on your browser will know that this particular domain supports HTTPS. So, it will know something fishy is going on if a MITM tries to pretend otherwise.

RyanZAG8y ago

Trying HTTPS first would still help a lot in other cases, such as the one in the article. None of the super cookie HSTS techniques would have worked in the first place if the browser had just always tried to use HTTPS first.

Probably other unknown vulnerabilities could be averted by just trying HTTPS first too. Not doing so should be considered bad practice, with or without HSTS.

1 more reply

geofft8y ago

HSTS also protects external URLs; an old link to http://news.ycombinator.com gets internally rewritten to https://news.ycombinator.com without making the cleartext request. So HSTS is a more general solution.

Probably there will come a time when attempting HTTPS first instead of HTTP for manually-typed URLs without a protocol is the right default, but that's just a subset of the problem.

Buge8y ago

Couldn't dmm's proposal be used for links as well?

ATsch8y ago

Because any attacker in the middle can purposefully make the https connection fail, thereby causing all data to be sent in the clear. HSTS and hsts preload makes sure that this can not happen.

olliej8y ago

Because even today there are sites that serve different content on https vs. http -- basically they reserve https for payment and the like.

Doing https first would mean those sites were broken.

bscphil8y ago

Arguably, they already are broken. Plenty of people type in https out of habit already. If your website doesn't handle that correctly, you're in for trouble.

2 more replies

jake_the_third8y ago

That's what EFF's HTTPS Everywhere plugin does when set to strict mode.

On a related note, would strict mode thwart HSTS-based cookies?

My current understanding of this technique is that it depends on the victim being able to connect to HTTP. Since strict mode prevents the victim from making normal HTTP connections, I'm inclined to believe that strict mode does help mitigate this kind of tracking.

bcaa7f3a8bbc8y ago

I remembered a demo showing HSTS's potential tracking capabilities, and it doesn't work well if HTTPS Everywhere is enabled.

bvttf8y ago

While I'd also like https as a default, that's not going to prevent this tracking if you still respect the intent of HSTS.

If you try https first, and that fails, do you try again over http? Whether or not you'd fallback would leak the same information.

lwansbrough8y ago· 4 in thread

I think I'm missing something. Why wouldn't this attack work on, for example: bit1.com, bit2.com, bit3.com, etc.?

CydeWeys8y ago

My interpretation was that it can only be set either on the exact hostname that was loaded, or on the second level domain name that was loaded. To set it on 32 different SLDs you'd have to redirect through 32 different domains, which the user would notice.

Note that this is for the page that was loaded only, not for additional resources hosted on other hostnames.

Karliss8y ago

Redirecting 32 times could be made less obvious by opening a small popup which closes after finishing it's work. It used to be possible to open a popup in background, that would have made it almost practical.

1 more reply

netheril968y ago

Maybe because that is a little bit more expensive.

moviuro8y ago

$32 instead of $1. OK.

C4K38y ago· 3 in thread

What about websites that are on second-level domains? E.g. amazon.co.uk

Would example.amazon.co.uk then not be able to set HSTS for amazon.co.uk?

osteele8y ago

example.amazon.co.uk and amazon.co.uk are not matching domains as defined in the RFC[1] (they are not congruent).

The includeSubDomains directive[2] allows the HSTS policy set for amazon.co.uk to apply to its subdomain example.amazon.co.uk, but not vice versa.

[1] https://tools.ietf.org/html/rfc6797#section-8.2

[2] https://tools.ietf.org/html/rfc6797#page-16

gsnedders8y ago

Yes, using pubsuffix+1 instead of TLD+1 would make way more sense.

I've asked here: https://twitter.com/gsnedders/status/974765437283119104

gsnedders8y ago

Per the response it is using pubsuffix+1, and hence co.uk is treated as an effective TLD.

2 more replies

CydeWeys8y ago· 2 in thread

Greater use of HSTS preloading is also a good way for legitimate sites to prevent being affected by any sort of privacy crackdowns on HSTS. Preloading at the TLD level is ideal.

ploxiln8y ago

Preloading at the TLD level is pretty severe, will never be done for .com / .net / .org, and so will never apply to the vast majority of sites people visit. Interesting idea, but unrealistic.

CydeWeys8y ago

Yes, it can't be done retroactively, but it can be done for new TLDs that haven't launched yet.

1 more reply

nerdponx8y ago· 1 in thread

However, the internet is a wide space full of unique and amazing uses of Web Technology. If you feel that you have a legitimate case where these new rules are not working as intended, we would like to know about it. Please send feedback and questions to web-evangelist@apple.com or @webkit on Twitter, and file any bugs that you run into on WebKit’s bug tracker.

I appreciate this part. Do they actually respond to these inquiries?

saagarjha8y ago

The bug tracker and Twitter account are pretty good about responding, from what I've seen. I'm not familiar with the email.

im3w1l8y ago· 1 in thread

> We modified WebKit so that when an insecure third-party subresource load from a domain for which we block cookies (such as an invisible tracking pixel) had been upgraded to an authenticated connection because of dynamic HSTS, we ignore the HSTS upgrade request and just use the original URL.

Could someone explain this?

aiCeivi98y ago

They just assume that 3rd party shouldn't ever have a need to send "http://" link only to redirect to "https://" and are willing to stop that feature from working even if it can lead to false positives and just break some sites.

mirimir8y ago

FYI re Tor browser:[0]

> 15. HSTS and HPKP supercookies

> An extreme (but not impossible) attack to mount is the creation of HSTS supercookies. Since HSTS effectively stores one bit of information per domain name, an adversary in possession of numerous domains can use them to construct cookies based on stored HSTS state.

> HPKP provides a mechanism for user tracking across domains as well. It allows abusing the requirement to provide a backup pin and the option to report a pin validation failure. In a tracking scenario every user gets a unique SHA-256 value serving as backup pin. This value is sent back after (deliberate) pin validation failures working in fact as a cookie.

> Design Goal: HSTS and HPKP MUST be isolated to the URL bar domain.

> Implementation Status: Currently, HSTS and HPKP state is both cleared by New Identity, but we don't defend against the creation and usage of any of these supercookies between New Identity invocations.

0) https://www.torproject.org/projects/torbrowser/design/ [February 19th, 2018]

sm648y ago

I feel like I'm missing something but wouldn't this whole brouhaha be avoided by making the website 100% HTTPS and redirecting any HTTP requests to HTTPS through the server itself? This is common practice with Nginx, for example.

j / k navigate · click thread line to collapse

39 comments

29 comments · 8 top-level

dmm8y ago· 10 in thread

Why don't browsers just try https first? So if I type "example.com" into the box it tries https://example.com.

Why is implementing HSTS and preserving the current behavior more useful?

mkeyhani8y ago

HSTS is trying to protect against a specific kind of Man-in-the-Middle (MITM) attack: when the man in the middle pretends that the website you are trying to access does not support HTTPS.

I believe trying HTTPS first wouldn't help: the MITM would refuse your connection, and your browser will try HTTP after that.

RyanZAG8y ago

Probably other unknown vulnerabilities could be averted by just trying HTTPS first too. Not doing so should be considered bad practice, with or without HSTS.

1 more reply

geofft8y ago

Probably there will come a time when attempting HTTPS first instead of HTTP for manually-typed URLs without a protocol is the right default, but that's just a subset of the problem.

Buge8y ago

Couldn't dmm's proposal be used for links as well?

ATsch8y ago

Because any attacker in the middle can purposefully make the https connection fail, thereby causing all data to be sent in the clear. HSTS and hsts preload makes sure that this can not happen.

olliej8y ago

Because even today there are sites that serve different content on https vs. http -- basically they reserve https for payment and the like.

Doing https first would mean those sites were broken.

bscphil8y ago

Arguably, they already are broken. Plenty of people type in https out of habit already. If your website doesn't handle that correctly, you're in for trouble.

2 more replies

jake_the_third8y ago

That's what EFF's HTTPS Everywhere plugin does when set to strict mode.

On a related note, would strict mode thwart HSTS-based cookies?

bcaa7f3a8bbc8y ago

I remembered a demo showing HSTS's potential tracking capabilities, and it doesn't work well if HTTPS Everywhere is enabled.

bvttf8y ago

While I'd also like https as a default, that's not going to prevent this tracking if you still respect the intent of HSTS.

If you try https first, and that fails, do you try again over http? Whether or not you'd fallback would leak the same information.

lwansbrough8y ago· 4 in thread

I think I'm missing something. Why wouldn't this attack work on, for example: bit1.com, bit2.com, bit3.com, etc.?

CydeWeys8y ago

Note that this is for the page that was loaded only, not for additional resources hosted on other hostnames.

Karliss8y ago

1 more reply

netheril968y ago

Maybe because that is a little bit more expensive.

moviuro8y ago

$32 instead of $1. OK.

C4K38y ago· 3 in thread

What about websites that are on second-level domains? E.g. amazon.co.uk

Would example.amazon.co.uk then not be able to set HSTS for amazon.co.uk?

osteele8y ago

example.amazon.co.uk and amazon.co.uk are not matching domains as defined in the RFC[1] (they are not congruent).

The includeSubDomains directive[2] allows the HSTS policy set for amazon.co.uk to apply to its subdomain example.amazon.co.uk, but not vice versa.

[1] https://tools.ietf.org/html/rfc6797#section-8.2

[2] https://tools.ietf.org/html/rfc6797#page-16

gsnedders8y ago

Yes, using pubsuffix+1 instead of TLD+1 would make way more sense.

I've asked here: https://twitter.com/gsnedders/status/974765437283119104

gsnedders8y ago

Per the response it is using pubsuffix+1, and hence co.uk is treated as an effective TLD.

2 more replies

CydeWeys8y ago· 2 in thread

Greater use of HSTS preloading is also a good way for legitimate sites to prevent being affected by any sort of privacy crackdowns on HSTS. Preloading at the TLD level is ideal.

ploxiln8y ago

Preloading at the TLD level is pretty severe, will never be done for .com / .net / .org, and so will never apply to the vast majority of sites people visit. Interesting idea, but unrealistic.

CydeWeys8y ago

Yes, it can't be done retroactively, but it can be done for new TLDs that haven't launched yet.

1 more reply

nerdponx8y ago· 1 in thread

I appreciate this part. Do they actually respond to these inquiries?

saagarjha8y ago

The bug tracker and Twitter account are pretty good about responding, from what I've seen. I'm not familiar with the email.

im3w1l8y ago· 1 in thread

Could someone explain this?

aiCeivi98y ago

mirimir8y ago

FYI re Tor browser:[0]

> 15. HSTS and HPKP supercookies

> Design Goal: HSTS and HPKP MUST be isolated to the URL bar domain.

0) https://www.torproject.org/projects/torbrowser/design/ [February 19th, 2018]

sm648y ago

j / k navigate · click thread line to collapse