HTTP Strict Transport Security
Michal Špaček
www.michalspacek.cz @spazef0rze
https://commons.wikimedia.org/wiki/File:Kozovazy,_Muzeum_socialistick%C3%BDch_voz%C5%AF_(13).jpg
HTTP Strict Transport Security (HSTS) provides secure transport of data by
removing the possibility of HTTPS stripping. (These slides include added
speaker notes. Pictured above is a Czech police car from the communist era.)
While writing this talk, I stumbled on this Czech website. It has
a lot of info about a data inbox which citizens use for official
communication with various Czech government departments. The
note at the top was a bit of a surprise for me. It's repeated on the
next slide.
It says "to access your data inbox, manually enter the following
HTTPS address into the address bar of your browser". I think this
is what HTML version zero looked like: HTML sans HT.
HTML version ZERO
http://www.mojedatovaschranka.cz/
So I tried and entered the address into my browser. Just like any other
regular user, I forgot to type the https:// scheme at the beginning.
http://www.mojedatovaschranka.cz/
Luckily the browser did it for me. It put just http:// in and not https://,
but that's fine, I'll eventually end up there. I'll be redirected, hopefully.
I guess I was not redirected. Now what? Oh, wait, let's see what it says.
"Because of security, the data inbox portal is accessible only by using an
encrypted connection." – Cool! – "You should create a bookmark leading
directly to the secure login page at https://www.mojedatovaschranka."
– Huh, no link? – "You'll be redirected to secure login page in 10 seconds.
If you weren't click here." – Ok, finally, here's a link.
Do Not Perform Redirects from
Non-TLS Page to TLS Login Page
It seems this "update your bookmarks" thing comes from an obsolete
OWASP recommendation which said that you should not perform redirects
from an HTTP page to the HTTPS login page.
This recommendation has been removed.
Yeah, it was. Already on 2011-10-16. Now it's completely
gone from the Transport Layer Protection Cheat Sheet.
"You'll be redirected to secure login page in 10 seconds. If you weren't click
here." Before the recommendation was removed, it said that you should not
perform redirects. But the system will eventually redirect the user.
As an extra bonus, the message which says "You'll be redirected to secure login
page in 10 seconds" contains a grammatical mistake. I won't go into details; a
free Czech lesson is not included in this slide deck, I'm sorry.
[Diagram: SSL STRIP. Browser <-HTTP-> Bad guy <-HTTPS-> Server]
The reason for the bookmark recommendation is this. It's called the SSL Strip
attack and it's a Man-in-the-Middle type of attack. The user wants to load a
website, so she types www.example.com without the https:// scheme into the
address bar of her browser. The browser sends an unencrypted request to the server,
which responds with a redirection to https://www.example.com. This initial HTTP
request can be intercepted by a bad guy who re-sends it to the server, and so the
server will send the redirection response to the bad guy. He won't relay the response
but instead sends the HTTPS request himself. The server accepts the HTTPS request and
will now happily send the encrypted page back to the bad guy. He decrypts the page,
changes all the links and form actions from https:// to http:// and eventually
sends it back to the original user. She sees the page she wanted to see, and the domain is
correct, too. She won't notice that the page was not loaded over an encrypted
connection; chances are that she doesn't even know whether the page should be
loaded over HTTPS. So she puts in her username and password and submits the
form over HTTP. The bad guy sniffs the data and now has her credentials.
https://youtu.be/KKNKKbn2Tm0
in Czech with English subtitles
DEMO
HSTS
The idea to create a bookmark to the secure site, or not to perform redirects, is
foolish. There is a better way to do it now: just use HTTP Strict Transport Security
(HSTS). HSTS is supported in Firefox and Chrome, in both since version 4, in
Microsoft Superman/Spartan/Edge, and in IE 11 on Win7 and higher since June
2015. It's also supported in some other browsers.
With HSTS, the browser won't ever send the request to the website over HTTP.
Instead, it will perform an internal redirection and then send the request over
HTTPS. This is how it looks in Chrome DevTools. The 307 status code comes
from the browser internally, not from the server. As a user, you won't see much
difference between an HSTS-enabled site and a regular HTTPS site, though
loading might be a bit faster because the HTTP request is never sent to the server.
Strict-Transport-Security: max-age=31536000; includeSubDomains
HSTS is an HTTP header issued by the server. After receiving an HSTS header, the
browser will perform internal redirects (no requests to the server) from http:// to
https:// for the next max-age seconds. The includeSubDomains directive tells the
browser to apply the HSTS policy to all subdomains, too. Don't forget to set the
header for example.com, not just for www.example.com. Also verify that all
subdomains work over HTTPS. Sending max-age=0 makes the browser forget the
HSTS policy for the host (a Firefox-only feature).
TOFU
Trust-On-First-Use
The HSTS header is only honoured when it arrives over trusted HTTPS; the
browser must ignore the header if it is received over HTTP or over an untrusted
connection. We have to trust the network with the first HTTP request and believe
that nobody will strip the HTTP-to-HTTPS redirection. Such a model is called
Trust-On-First-Use.
https://www.chromium.org/hsts
PRELOAD
The TOFU model leaves the user open to a bootstrap MITM vulnerability when
the user manually enters, or follows, an HTTP link to an unknown HSTS host. To
protect against this, browsers offer a so-called preload list. Once a
site is preloaded into the browser, even the very first HTTP request will be
internally redirected to HTTPS, because the browser knows the HSTS policy for
the host from installation on.
Strict-Transport-Security: max-age=…; includeSubDomains; preload
https://hstspreload.appspot.com/
To make it to the preload list you need to add a preload directive to the HSTS
header issued by your server and then submit your site manually for inclusion in
the preload list. Various versions of the list are used by Chrome, Firefox, IE/Edge,
and Tor Browser. Once preloaded there's no easy way out. You can email the list
maintainer and ask for removal but it takes a while.
max-age=60
no preload
So for testing, set your max-age low, just a few minutes, and don't use preload.
Really, I mean it, otherwise somebody will submit the site for you. Verify that the
site is accessible and increase max-age to a day, then a week, then a month, and so on.
~3400 domains
68 .cz domains
Right now, on 2015-10-14, there are 68 Czech domains, including some major e-
commerce sites, out of roughly 3400 domains in total in the preload list. I have no
idea what happens once the list grows, but right now it's tiny and will still be tiny for
a few more years. The list had roughly 2000 domains 6 months ago. Once your site is
included in the preload list, it will be preloaded in the browser in one of the
upcoming versions.
No Czech bank
There's no Czech bank in the preload list as of 2015-10-14. In the Czech Republic,
there are 60 banks, savings banks, and credit unions; 13 use HSTS in their online
banking web app and 7 on their corporate website. None of them are in the preload list.
BANK-GRADE ENCRYPTION
TELL ME MORE ABOUT IT
A lot of companies will tell you they provide, or use bank-grade encryption, while
their HTTPS is actually set up better than what most banks have. Forget about
bank-grade and just do HTTPS properly. That is, better than the majority of banks.
NTP Man-in-the-Middle tool
https://github.com/PentesterES/Delorean
There's actually a way to circumvent the HSTS policy. The browser uses the system time
to decide whether it should perform the internal redirect or not. An attacker can attack
the NTP time synchronisation and adjust the system time forward by one year. All
HSTS policies with a max-age of less than a year will then have expired, and it will be
possible to strip the HTTP-to-HTTPS redirection again. A regular Windows installation
allows a maximum drift of 15 hours and syncs once per week, so it would take some time.
More in Jose Selvi's DEF CON 23 talk Breaking SSL using time synchronisation attacks
(slides, video).
Nope, just 10 weeks!
In Chrome, the preloaded entries are valid only for 10 weeks since the build time,
not forever. Google says this is so that entries can actually be removed when needed.
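As an added example (not part of the slides or the author's code), the following Python models the browser side of what the notes above describe: parsing the Strict-Transport-Security header, the trust-on-first-use rule, includeSubDomains, the header-on-www-only mistake, preloaded entries, the max-age=60 testing stage, and what the one-year clock skew from the NTP attack does to short policies. The host names, the clock value and the ten-week preload lifetime counted from a build time are constructed assumptions for the demo.

```python
"""Model of a browser's HSTS store: header parsing (RFC 6797), trust-on-first-use,
includeSubDomains, preloaded entries, expiry, and the effect of a skewed clock.
Hosts and times below are constructed for the demo."""
from typing import Dict, Optional, Tuple

ONE_YEAR = 31536000                 # the max-age used on the slide
PRELOAD_LIFETIME = 10 * 7 * 86400   # Chrome: preloaded entries last ~10 weeks past build
Policy = Tuple[float, bool]         # (absolute expiry time in seconds, includeSubDomains)


def parse_hsts(header: str) -> Optional[Tuple[int, bool, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains,
    preload); None means the header is invalid and a browser ignores it entirely."""
    max_age, include_subdomains, preload = None, False, False
    for directive in filter(None, (d.strip() for d in header.split(";"))):
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None             # duplicate or non-numeric max-age
            max_age = int(value)
        elif name == "includesubdomains":   # directive names are case-insensitive
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, which keeps the header extensible
    return None if max_age is None else (max_age, include_subdomains, preload)


class HstsStore:
    """Minimal model of a browser's list of known HSTS hosts."""

    def __init__(self, now: float, preloaded=(), build_time: Optional[float] = None):
        self.now = now
        self.dynamic: Dict[str, Policy] = {}
        # Preloaded hosts ship with the browser and, as the deck says of Chrome,
        # lapse PRELOAD_LIFETIME after the build time (assumption for this model).
        expiry = (now if build_time is None else build_time) + PRELOAD_LIFETIME
        self.preloaded: Dict[str, Policy] = {h.lower(): (expiry, True) for h in preloaded}

    def receive(self, host: str, header: str, over_trusted_https: bool) -> bool:
        """Process a response header. Trust-on-first-use: only a header received
        over a trusted HTTPS connection may create, update or clear a policy."""
        parsed = parse_hsts(header) if over_trusted_https else None
        if parsed is None:
            return False
        max_age, include_subdomains, _preload = parsed
        host = host.lower()
        if max_age == 0:
            self.dynamic.pop(host, None)    # max-age=0: forget the host
        else:
            self.dynamic[host] = (self.now + max_age, include_subdomains)
        return True

    def should_upgrade(self, host: str) -> bool:
        """Would the browser rewrite http://host to https:// before sending
        anything? A parent domain's policy applies only with includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            for table in (self.preloaded, self.dynamic):
                policy = table.get(candidate)
                if policy is None or policy[0] <= self.now:
                    continue                # unknown host, or policy already lapsed
                if i == 0 or policy[1]:
                    return True
        return False


def demo() -> Dict[str, bool]:
    """Walk through the deck's scenarios; every value should come out True."""
    t0 = 1_444_780_800.0   # constructed clock: 2015-10-14 00:00 UTC, the deck's date
    store = HstsStore(now=t0, preloaded=["preloaded.example"], build_time=t0)
    year = f"max-age={ONE_YEAR}; includeSubDomains"
    r = {}
    store.receive("example.com", year, over_trusted_https=False)
    r["ignored_over_http"] = not store.should_upgrade("example.com")
    store.receive("example.com", year, over_trusted_https=True)
    r["apex_and_subdomains"] = store.should_upgrade("www.example.com")
    # Header only on www, without includeSubDomains: the apex stays unprotected.
    store.receive("www.example.org", "max-age=3600", over_trusted_https=True)
    r["apex_not_covered"] = not store.should_upgrade("example.org")
    store.receive("www.example.org", "max-age=0", over_trusted_https=True)
    r["forgotten"] = not store.should_upgrade("www.example.org")
    # A preloaded host is upgraded although no response from it was ever seen.
    r["preloaded"] = store.should_upgrade("login.preloaded.example")
    # The deck's testing setting, then the system clock is pushed a year ahead.
    store.receive("test.example.net", "max-age=60", over_trusted_https=True)
    r["short_ok_now"] = store.should_upgrade("test.example.net")
    store.now = t0 + ONE_YEAR
    r["short_gone_after_skew"] = not store.should_upgrade("test.example.net")
    r["preload_gone_after_skew"] = not store.should_upgrade("login.preloaded.example")
    # A policy longer than the skew is still enforced.
    store.now = t0
    store.receive("bank.example", f"max-age={2 * ONE_YEAR}", over_trusted_https=True)
    store.now = t0 + ONE_YEAR
    r["two_year_survives"] = store.should_upgrade("bank.example")
    return r
```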
HSTS serves one more important purpose. If there's an issue with the certificate when
connecting to a known HSTS-enabled host, the user cannot just click through the
warning. The two sites above have spoofed self-signed certificates. The site on the
right uses HSTS, so the user is not allowed to visit it, as there's no Proceed button.
Michal Špaček
www.michalspacek.cz @spazef0rze
BTW, you can use this browser extension to enforce HSTS locally. It has its own,
more extensive list of sites with HTTPS support, and you can even manually add
your own favourite sites, for example your bank. Follow me on Twitter for all things
HTTPS and HSTS.
 
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSLESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSlesteraporado16
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilitiesalihassaah1994
 
Computer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteComputer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteMavein
 
Presentation2.pptx - JoyPress Wordpress
Presentation2.pptx -  JoyPress WordpressPresentation2.pptx -  JoyPress Wordpress
Presentation2.pptx - JoyPress Wordpressssuser166378
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Shubham Pant
 
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSTYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSedrianrheine
 
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsRoxana Stingu
 
Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxnaveenithkrishnan
 

Último (12)

LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfLESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
 
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdfIntroduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
 
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
 
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSLESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilities
 
Computer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteComputer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a Website
 
Presentation2.pptx - JoyPress Wordpress
Presentation2.pptx -  JoyPress WordpressPresentation2.pptx -  JoyPress Wordpress
Presentation2.pptx - JoyPress Wordpress
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024
 
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSTYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
 
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
 
Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptx
 

HTTP Strict Transport Security (HSTS), English version

  • 1. HTTP Strict Transport Security Michal Špaček www.michalspacek.cz @spazef0rze https://commons.wikimedia.org/wiki/File:Kozovazy,_Muzeum_socialistick%C3%BDch_voz%C5%AF_(13).jpg HTTP Strict Transport Security (HSTS) provides secure transport of data, by removing the possibility of HTTPS stripping. (These slides include added speaker notes. Pictured above is a Czech police car from the communist era.)
  • 2. When writing this talk, I stumbled on this Czech website. It has a lot of info about a data inbox, which citizens use for official communication with various Czech government departments. The note at the top was a bit of a surprise for me. It's repeated on the next slide.
  • 3. It says "to access your data inbox, manually enter the following HTTPS address into the address bar of your browser". I think this is what HTML version Zero looked like, that's HTML sans HT. HTML version ZERO
  • 4. http://www.mojedatovaschranka.cz/ So I tried and entered the address into my browser. Just like any other regular user, I forgot to type the https:// scheme at the beginning.
  • 5. http://www.mojedatovaschranka.cz/ Luckily the browser did it for me. It put just http:// in and not https:// but that's fine, I'll eventually end up there. I'll be redirected, hopefully.
  • 6. I guess I was not redirected. Now what? Oh, wait, let's see what it says.
  • 7. "Because of security, the data inbox portal is accessible only by using an encrypted connection." – Cool! – "You should create a bookmark leading directly to the secure login page at https://www.mojedatovaschranka." – Huh, no link? – "You'll be redirected to secure login page in 10 seconds. If you weren't click here." – Ok, finally, here's a link.
  • 8. Do Not Perform Redirects from Non-TLS Page to TLS Login Page Seems this update your bookmarks thing comes from this obsolete OWASP recommendation which says that you should not perform redirects from HTTP to HTTPS login page.
  • 9. This recommendation has been removed. Yeah, it was. Already on 2011-10-16. Now it's completely gone from the Transport Layer Protection Cheat Sheet.
  • 10. "You'll be redirected to secure login page in 10 seconds. If you weren't click here." Before the recommendation was removed, it said that you should not perform redirects. But the system will eventually redirect the user.
  • 11. As an extra bonus, the message which says "You'll be redirected to secure login page in 10 seconds" contains a grammatical mistake. I won't go into details; a free Czech lesson is not included in this slide deck, I'm sorry.
  • 12. [Diagram: Browser, Bad guy, Server; HTTP, HTTPS; SSL STRIP] The reason for the bookmark recommendation is this. It's called the SSL Strip attack and it's a Man-in-the-Middle type of attack. The user wants to load a website, so she types www.example.com without the https:// scheme into the address bar of her browser. The browser sends an unencrypted request to the server, which responds with a redirection to https://www.example.com. This initial HTTP request can be intercepted by a bad guy who re-sends it to the server, so the server sends the redirection response to the bad guy. He won't relay the response but instead sends the HTTPS request himself. The server accepts the HTTPS request and will now happily send the encrypted page back to the bad guy. He decrypts the page, changes all the links and form actions from https:// to http:// and eventually sends it back to the original user. She sees the page she wanted to see, and the domain is correct, too. She won't notice that the page was not loaded over an encrypted connection; chances are she doesn't even know whether the page should be loaded over HTTPS. So she puts in her username and password and submits the form over HTTP. The bad guy sniffs the data and now has her credentials.
  • 14. HSTS The idea to create a bookmark to the secure site, or not to perform redirects, is foolish. There is a better way to do it now: just use HTTP Strict Transport Security (HSTS). HSTS is supported in Firefox and Chrome, in both since version 4, in Microsoft Superman/Spartan/Edge, and in IE 11 on Win7 and higher since June 2015. It's also supported in some other browsers.
  • 15. With HSTS, the browser won't ever send the request to the website over HTTP. Instead, it performs an internal redirection and then sends the request over HTTPS. This is what it looks like in Chrome DevTools. The 307 status code comes from the browser internally, not from the server. As a user, you won't see much difference between an HSTS-enabled site and a regular HTTPS site, though loading might be a bit faster because the HTTP request is not sent to the server.
  • 16. Strict-Transport-Security: max-age=31536000; includeSubDomains HSTS is an HTTP header issued by the server. After receiving an HSTS header, the browser will perform internal redirects (no requests to the server) from http:// to https:// for the next max-age seconds. The includeSubDomains directive tells the browser to apply the HSTS policy to all subdomains, too. Don't forget to set the header for example.com, not just for www.example.com. Also verify that all subdomains work over HTTPS. Sending max-age=0 (a Firefox-only feature) makes the browser forget the HSTS policy for the host.
  • 17. TOFU (Trust-On-First-Use) The HSTS header can be sent by the server only over trusted HTTPS; the browser must ignore the header if it is received over HTTP or over an untrusted connection. We have to trust the network with the first HTTP request and believe that nobody will strip the HTTP-to-HTTPS redirection. Such a model is called Trust-On-First-Use.
  • 18. PRELOAD https://www.chromium.org/hsts The TOFU model leaves the user open to a bootstrap MITM vulnerability when the user manually enters or follows an HTTP link to an unknown HSTS host. To protect against such a vulnerability, browsers offer a so-called preload list. Once a site is preloaded into the browser, even the very first HTTP request is internally redirected to HTTPS, because the browser knows the HSTS policy for the host from installation.
  • 19. Strict-Transport-Security: max-age=…; includeSubDomains; preload https://hstspreload.appspot.com/ To make it to the preload list you need to add a preload directive to the HSTS header issued by your server and then submit your site manually for inclusion in the preload list. Various versions of the list are used by Chrome, Firefox, IE/Edge, and Tor Browser. Once preloaded there's no easy way out. You can email the list maintainer and ask for removal but it takes a while.
  • 20. max-age=60, no preload So for testing, set your max-age low, just a few minutes, and don't use preload. Really, I mean it, otherwise somebody will submit the site for you. Verify that the site is accessible and increase max-age to a day, then a week, then a month, etc.
  • 21. ~3400 domains, 68 .cz domains Right now, on 2015-10-14, there are 68 Czech domains, including some major e-commerce sites, out of roughly 3400 domains in total in the preload list. I have no idea what happens once the list grows, but right now it's tiny and will still be tiny for a few more years. The list had roughly 2000 domains 6 months ago. Once your site is included in the preload list, it will be preloaded in the browser in one of the upcoming versions.
  • 22. No Czech bank There's no Czech bank in the preload list as of 2015-10-14. In the Czech Republic, there are 60 banks, savings banks, and credit unions; 13 use HSTS in the online banking web app, 7 on the corporate website. None of them is in the preload list.
  • 23. BANK-GRADE ENCRYPTION. TELL ME MORE ABOUT IT. A lot of companies will tell you they provide or use bank-grade encryption, while their HTTPS is actually set up better than what most banks have. Forget about bank-grade and just do HTTPS properly. That is, better than the majority of banks.
  • 24. NTP Man-in-the-Middle tool https://github.com/PentesterES/Delorean There's actually a way to circumvent the HSTS policy. The browser uses the system time to decide whether it should perform the internal redirect or not. An attacker can attack the NTP time synchronisation and adjust the system time forward one year. All HSTS policies with max-age less than a year will then expire, and it will be possible to strip the HTTP-to-HTTPS redirection again. Regular Windows allows a maximum 15-hour drift and syncs once per week, so it'd take some time. More in Jose Selvi's DEF CON 23 talk Breaking SSL using time synchronisation attacks (slides, video).
  • 25. Nope, just 10 weeks! In Chrome, the preloaded entries are valid only for 10 weeks since the build time, not forever. Google says this is so that entries can actually be removed when needed.
  • 26. HSTS serves one more important feature. If there's an issue with a certificate when connecting to a known HSTS-enabled host, the user cannot just click through the warning. The two sites above have spoofed self-signed certificates. The site on the right uses HSTS, so the user is not allowed to visit it, as there's no Proceed button.
  • 27. Michal Špaček www.michalspacek.cz @spazef0rze BTW, you can use this browser extension to enforce local HSTS. It has its own, more extensive list of sites with HTTPS support, and you can even manually add your own favourite sites, for example your bank. Follow me on Twitter for all things HTTPS and HSTS.
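The browser-side behaviour that slides 15 to 19 and 24 describe, modelled in Python as an added example (this is not code from the talk, and not any browser's implementation). It follows RFC 6797 semantics: the header is only honoured over a trusted HTTPS response, includeSubDomains extends a policy to child hosts, a learned policy carries an expiry derived from max-age and the system clock, and max-age=0 drops a learned policy. The names parse_hsts and HstsStore, the constructed host preloaded.example, the injectable clock, and the simplification that a preloaded entry never expires (Chrome's 10-week rule on slide 25 is not modelled) are all this example's own assumptions.

```python
# Added example, not code from the talk or from any browser: a small model of
# how a browser applies Strict-Transport-Security (RFC 6797 semantics).
# Names (parse_hsts, HstsStore) and the preloaded host are this example's own.
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds, the max-age value used on slide 16


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains, preload) or None when the header
    is malformed (no max-age, or max-age given twice / not a number), in
    which case a browser ignores it. Unknown directives are ignored.
    """
    max_age, include_subdomains, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if not name:
            continue
        if name == "max-age":
            if max_age is not None or not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_subdomains, preload


class HstsStore:
    """Browser-side store of known HSTS hosts, with an injectable clock."""

    def __init__(self, preloaded=(), clock=time.time):
        self.clock = clock
        # host -> (expires_at, include_subdomains); expires_at None = preloaded
        self.policies = {host: (None, sub) for host, sub in preloaded}

    def observe(self, host, scheme, header_value, trusted=True):
        """Process a response header. Only a trusted HTTPS response counts."""
        if scheme != "https" or not trusted:
            return False  # header over HTTP or a bad certificate is ignored
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains, _preload = parsed
        if max_age == 0:
            # max-age=0 drops a learned policy; a preloaded entry stays
            if host in self.policies and self.policies[host][0] is not None:
                del self.policies[host]
            return True
        self.policies[host] = (self.clock() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        now = self.clock()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at is not None and expires_at <= now:
                continue  # expired: the window a clock jump (slide 24) opens
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Internal redirect (slide 15): upgrade http:// URLs of known hosts."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url  # unknown host: the first request goes out in clear (TOFU)
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Walk through the talk's scenarios; returns the rewritten URLs."""
    now = [1_000_000.0]  # constructed clock so the expiry step is deterministic
    store = HstsStore(preloaded=[("preloaded.example", True)], clock=lambda: now[0])
    first = store.rewrite("http://www.example.com/login")  # TOFU: no policy yet
    store.observe("www.example.com", "http", "max-age=%d" % ONE_YEAR)  # ignored over HTTP
    store.observe("www.example.com", "https", "max-age=%d; includeSubDomains" % ONE_YEAR)
    after = store.rewrite("http://www.example.com/login")
    sub = store.rewrite("http://api.www.example.com/")
    parent = store.rewrite("http://example.com/")  # not covered, slide 16
    pre = store.rewrite("http://first.preloaded.example/")  # preloaded: upgraded on first visit
    now[0] += ONE_YEAR + 1  # clock pushed a year forward
    expired = store.rewrite("http://www.example.com/login")
    return first, after, sub, parent, pre, expired


if __name__ == "__main__":
    for label, url in zip("first after sub parent pre expired".split(), demo()):
        print(label, url)
```

Two results are the ones to watch when you run it: `first` stays on http://, which is the clear-text bootstrap request that TOFU cannot protect and the preload list exists for, and `expired` falls back to http:// once the clock passes the policy's max-age, which is why a short max-age is only for testing and why a long one narrows the clock-skew window slide 24 describes.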

Editor's notes

  1. I'll tell you something about HSTS; it ensures secure transport of information. For those of you who attended my talk on HTTP/2, good news: once the whole web is encrypted, this won't be needed any more.
  2. When I was preparing this talk, I came across this website. It's the website of the data inboxes, and only yesterday did I notice the sentence at the top. Let me enlarge it for you, like this
  3. Read it out. This is called HTML version zero. That's HTML without the HT.
  4. So I tried entering the address given there into my browser, and like any normal person, I simply left out the https:// at the beginning.
  5. The browser filled it in for me. It only filled in http, not https, but that doesn't matter, I'll surely get where I want to go.
  6. Whoa, WTF?
  7. The client portal of the data inbox information system is, for security reasons, accessible exclusively over an encrypted connection. We recommend that you create a bookmark in your browser pointing directly to the secure login page at https://www.mojedatovaschranka.cz. OK Within 10 seconds you will be redirected to the secure login page. If that did not happen, click here. AHA
  8. This invention probably comes from an OWASP recommendation that says: don't redirect from HTTP to a login page on HTTPS.
  9. Well, except that this recommendation was removed anyway, on 16 October 2011.
  10. But even if it had stayed there, it says you shouldn't redirect. So they got it wrong anyway, because they do redirect the visitor.
  11. And besides, this grammatical mistake is a symbolic cherry on top of that spoiled cake.
  12. What the advice to create a bookmark is trying to solve is this problem. It's called the SSL strip attack. It works like this. Your browser wants to send a request to the server; you type www into the browser without https://, the browser sends the request to the server, which replies with a redirect to https. That initial request is unencrypted, so a crook can intercept it, forward it to the server, the server replies to him, and he returns an unencrypted page to the browser with the links rewritten to http. The user types in a username and password and the browser sends it unencrypted to the server, that is, actually to the crook, who encrypts it and sends it on to the server. MITM.
  13. Solving this with a bookmark or by not redirecting is nonsense. The right way is to do it with HSTS. HSTS is supported by Firefox and Chrome since version 4, and by IE from the next version
  14. HSTS ensures that the browser won't send the request over HTTP at all; instead it generates an internal redirect and goes straight to HTTPS. This is what it looks like in Chrome.
  15. HSTS is an HTTP header sent by the server; the browser will then internally redirect http to https for X seconds, which is the max-age. includeSubDomains then says it applies to all subdomains too. Don't forget to set the header for example.com too, not just for www.example.com
  16. The HSTS header can only arrive over HTTPS. So we have to trust the first request. That's called TOFU.
  17. So that we don't have to trust even the first request, we can use the so-called preload list. It ships with the browser at installation and ensures the browser knows from the start that your site is on https and sends requests to https straight away.
  18. To get into the preload list, you have to add preload to the HSTS header and add your site manually via the form at hstspreload. This preload list is used by Chrome and Firefox, and IE will use it too. But once you get your site in there, there's no way back, so watch out.
  19. That's why, for testing, set the number of seconds very low, say a few minutes, and don't use preload. Really, don't do it.
  20. The current preload list has about 3300 domains, 67 of them Czech: slevomat, mall, alza, zdrojak. Hard to say how it'll be handled once the list swells a bit, but for now it's fine and it'll hold for a few more years. Browsers have a slightly older preload list.
  21. No bank is in the preload list. We have 60 banks here, 10 of them have HSTS in their online banking and 3 on their regular website. But none is in the preload list.
  22. That's why claims like this one from Fakturoid are quite funny. No bank has HTTPS done as well as Fakturoid. Stop making these silly claims and just do it right. Not like the majority of banks.
  23. HSTS has one more important job. When an error occurs while connecting to a secured site, it won't let the user continue. Here's an example of a connection where the attacker spoofed a certificate issued by an unknown certificate authority. The site on the right supports HSTS.
  24. By the way, install this extension in your browser; thanks to it, even sites that don't offer HTTPS by default will load over HTTPS, or you can add them there yourself. It's a kind of local HSTS.