Application of HSTS security policy in browsers

Once a whole website is served over HTTPS, a user who types the site's HTTP address by hand, or follows an HTTP link to it from elsewhere, usually reaches the HTTPS service only through a server-side 301/302 redirect. That first HTTP request can be hijacked so that it never reaches the server, which constitutes an HTTPS downgrade hijack. The problem can currently be solved with HSTS (HTTP Strict Transport Security, RFC 6797).

Introduction to HSTS

HSTS (HTTP Strict Transport Security) is an Internet security policy mechanism published by the Internet Engineering Task Force (IETF). A website that adopts the HSTS policy ensures that the browser always connects to the HTTPS version of the site, so users no longer have to type the encrypted address into the address bar, which reduces the risk of session hijacking.

HSTS response header format

Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]
  • max-age, in seconds, tells the browser that for the specified time this site must be reached only over HTTPS. In other words, the browser rewrites any HTTP address of this site to HTTPS locally before sending the request.
  • includeSubDomains, optional. If present, all subdomains of this site must also be accessed over HTTPS.
  • preload, optional. Signals that the site wants to be included in the list of HTTPS-only domains built into browsers (the Preload List).

HSTS Preload List

Although HSTS effectively defeats HTTPS downgrade attacks, the first HTTP request, sent before HSTS has taken effect, can still be hijacked. To close this gap, browser vendors proposed the HSTS Preload List: a built-in list that is updated regularly. Domains on the list are accessed over HTTPS even if the user has never visited them before.

This Preload List is currently maintained by Google Chrome and is used by Chrome, Firefox, Safari, IE 11 and Microsoft Edge. To add your domain to the list, you must first meet the following conditions:

  • Have a valid certificate (if a SHA-1 certificate is used, its expiration date must be earlier than 2016);
  • Redirect all HTTP traffic to HTTPS;
  • Make sure all subdomains have HTTPS enabled;
  • Send the HSTS response header, with:
      • a max-age of at least 18 weeks (10886400 seconds);
      • the includeSubDomains directive;
      • the preload directive.

Even when all of the above conditions are met, inclusion in the HSTS Preload List is not guaranteed.
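As an added illustration (not code from the original post), the following Python parses a Strict-Transport-Security header value the way a browser does under RFC 6797 (directive names are case-insensitive, max-age is mandatory, a repeated directive invalidates the whole header, unknown directives are ignored) and then checks the value against the three header-related preload conditions listed above. The function names parse_hsts and preload_problems and the sample header values are the example's own choices; the only page-derived constant is the 18-week (10886400 s) minimum.

```python
import re
from typing import Optional

# Minimum max-age the Preload List requires, as stated on the page: 18 weeks.
PRELOAD_MIN_MAX_AGE = 18 * 7 * 24 * 3600  # 10886400 seconds


def parse_hsts(header_value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value.

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool},
    or None when the header is invalid and a browser would ignore it
    (missing or non-numeric max-age, or a directive that appears twice).
    Empty directives (for example from a trailing ';') are skipped.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        value = value.strip().strip('"')       # max-age may be given as a quoted-string
        if name in seen:
            return None                        # RFC 6797: each directive at most once
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", value):
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # any other directive is unknown and ignored
    if policy["max_age"] is None:
        return None                            # max-age is required
    return policy


def preload_problems(header_value: str) -> list:
    """Return the preload conditions the header fails (empty list = header is fine)."""
    policy = parse_hsts(header_value)
    if policy is None:
        return ["header is invalid and would be ignored by browsers"]
    problems = []
    if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(
            f"max-age {policy['max_age']} is below {PRELOAD_MIN_MAX_AGE} (18 weeks)")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains directive is missing")
    if not policy["preload"]:
        problems.append("preload directive is missing")
    return problems


if __name__ == "__main__":
    # Constructed sample values: the header used later on this page, and a weak one.
    for sample in ("max-age=63072000; includeSubdomains;preload;", "max-age=3600"):
        print(repr(sample), "->", parse_hsts(sample), preload_problems(sample))
```

The same two functions are what you would run over the Strict-Transport-Security line returned by a curl -I check of a deployed site before submitting the domain for preloading.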

Chrome's chrome://net-internals/#hsts page lets you check whether a site is in the Preload List and also lets you add a domain to the browser's local list by hand.

HSTS Disadvantages

HSTS is not a complete solution to HTTP session hijacking: a user's first visit to a website is not protected, because at that point the browser has not yet received an HSTS policy and may still reach the site over plaintext HTTP.

If a user reaches an HSTS-protected website over HTTP, downgrade hijacking can occur in the following situations:

  • The user has never visited the site before
  • The operating system was recently reinstalled
  • The browser was recently reinstalled
  • The user switched to a new browser
  • The user switched to a new device, such as a mobile phone
  • The browser cache was cleared
  • The site has not been visited recently and max-age has expired

There are currently two solutions to this problem:

Solution 1: Ship a list of HSTS domains with the browser, which is the HSTS Preload List described above. The list is distributed hard-coded into the major browsers; a client accessing a domain on the list uses HTTPS directly and refuses to reach the site over HTTP.

Solution 2: Publish HSTS information in the domain's DNS records. This requires securing DNS itself, which means deploying DNSSEC (Domain Name System Security Extensions).

Other possible problems

Because an HSTS policy expires after the period set by max-age, whether the browser enforces it depends on the current system time. Most operating systems update the system time over the Network Time Protocol (NTP): Ubuntu does so every time it connects to a network, and OS X Lion contacts its time server automatically every 9 minutes. An attacker can bypass HSTS by forging NTP responses and setting the clock to an incorrect time.

The defence is to authenticate NTP information or to forbid NTP from moving the clock by large amounts. For example, Windows 8 updates the time every 7 days and requires that the time set via NTP differ from the current time by no more than 15 hours.
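The situations described above (an unprotected first visit, an expired max-age, a preloaded domain, a clock pushed past the expiry) are easiest to see with a small model of the browser-side HSTS cache. The Python below is an added example, not code from the original post or from any browser: BrowserHstsStore, its learn and navigate methods, and the hostnames used are all hypothetical. It takes the clock as an explicit parameter so that the effect of a shifted system time can be shown directly, and it accepts a policy only when the response came over HTTPS, which is the rule that makes an injected header on a plaintext page harmless.

```python
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass
class HstsEntry:
    expires_at: float          # absolute time in seconds; float("inf") for preloaded hosts
    include_subdomains: bool


class BrowserHstsStore:
    """Simplified model of a browser's HSTS cache (hypothetical, not any real browser's code).

    Rules implemented:
      * a policy is learned only from a response received over HTTPS;
      * an entry lapses once the browser's clock passes (time learned + max-age);
      * max-age=0 makes the browser forget the host;
      * hosts on the preload list are HTTPS-only even before any visit;
      * a parent domain's entry covers subdomains only with includeSubDomains.
    """

    def __init__(self, preload: Iterable[str] = ()):
        self.known: Dict[str, HstsEntry] = {}
        self.preload: Dict[str, HstsEntry] = {
            h.lower(): HstsEntry(float("inf"), True) for h in preload
        }

    def learn(self, host: str, max_age: int, include_subdomains: bool,
              now: float, over_https: bool) -> bool:
        """Record the policy carried by a response; True if accepted, False if ignored."""
        if not over_https:
            return False                       # HSTS over plaintext HTTP is ignored
        host = host.lower()
        if max_age == 0:
            self.known.pop(host, None)         # max-age=0 clears the host's policy
            return True
        self.known[host] = HstsEntry(now + max_age, include_subdomains)
        return True

    def is_hsts_host(self, host: str, now: float) -> bool:
        """Is the host covered by an unexpired exact or includeSubDomains entry?"""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            for table in (self.preload, self.known):
                entry = table.get(candidate)
                if entry is None or entry.expires_at <= now:
                    continue                   # unknown, or lapsed according to the clock
                if i == 0 or entry.include_subdomains:
                    return True
        return False

    def navigate(self, url: str, now: float) -> str:
        """Return the URL the browser will actually request."""
        scheme, sep, rest = url.partition("://")
        if scheme.lower() != "http" or not sep:
            return url
        hostport, slash, path = rest.partition("/")
        host, _, port = hostport.partition(":")
        if not self.is_hsts_host(host, now):
            return url                         # unprotected: the plaintext request goes out
        if port == "80":
            hostport = host + ":443"           # explicit port 80 maps to 443
        return "https://" + hostport + slash + path


if __name__ == "__main__":
    # Constructed scenario: first visit is plaintext, later visits are upgraded,
    # and a clock past the expiry drops the protection again.
    store = BrowserHstsStore(preload=["preloaded.test"])
    print(store.navigate("http://www.example.com/login", now=0))          # first visit: http
    store.learn("www.example.com", 63072000, True, now=0, over_https=True)
    print(store.navigate("http://www.example.com/login", now=1000))       # upgraded
    print(store.navigate("http://www.example.com/login", now=63072000))   # lapsed
    print(store.navigate("http://preloaded.test/", now=0))                # preloaded
```

Note that the lapse check compares against whatever clock the caller supplies, so a system time that a forged NTP response has moved past the expiry behaves exactly like a genuine expiry: the next request leaves as plaintext. That is the weakness the NTP hardening above addresses.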

Browsers that support HSTS

Mainstream browsers now support HSTS. See the following list for details:

  • Google Chrome 4 and above
  • Firefox 4 and above
  • Opera 12 and above
  • Safari starting with OS X Mavericks
  • Internet Explorer and above

HSTS deployment

A server enables HSTS by including the Strict-Transport-Security field in the HTTP response headers it returns when the client makes a request over HTTPS. An HSTS header sent over an unencrypted connection has no effect.

The best place to deploy it is as close to the user as possible. For example, if the architecture has a front-end reverse proxy and back-end web servers, configure HSTS at the front-end proxy; otherwise configure it at the web server layer. If the web server has no explicit HSTS support, whatever mechanism it offers for adding response headers can be used. If all else fails, HSTS can be added at the application layer.

Enabling HSTS is simple: add the following header to the HTTPS responses:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Strict-Transport-Security is the header field name; max-age is how long the policy stays in effect on the client; includeSubDomains extends it to all subdomains; preload signals that the site wants to be in the browsers' built-in domain list.

The HSTS policy can only be set in an HTTPS response, the website must use the default port 443, and it must be addressed by a domain name, not an IP address. HTTP therefore needs to be redirected to HTTPS. If browsers accepted the HSTS header in a plaintext response, a man-in-the-middle could mount a denial of service by injecting an HSTS header into the responses of an ordinary site.

Enable HSTS on Apache

$ vim /etc/apache2/sites-available/hi-linux.conf

# HSTS needs the headers module (mod_headers); on Debian/Ubuntu "a2enmod headers" does the same
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

<VirtualHost *:80>
  ServerName www.hi-linux.com
  ServerAlias hi-linux.com
...
  # Redirect every plaintext visitor to HTTPS; this turns the unprotected
  # first visit into an HTTPS response that can carry the HSTS header.
  RedirectPermanent / https://www.hi-linux.com/
</VirtualHost>

<VirtualHost *:443>
...
  # Enable HTTP Strict Transport Security. The header is set only in the TLS
  # virtual host, since browsers ignore it on plaintext responses; "always"
  # makes Apache add it to error responses as well.
  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
...
</VirtualHost>

Restart the Apache service

$ service apache2 restart

Enable HSTS on Nginx

$ vim /etc/nginx/conf.d/hi-linux.conf

server {
   listen 443 ssl;
   server_name www.hi-linux.com;
   # HSTS is sent only from the TLS server block. add_header is not inherited by
   # a location block that has its own add_header directives, so repeat it there
   # if needed; the "always" parameter (nginx 1.7.5+) also sends it on error responses.
   add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
...
}

server {
   listen 80;
   server_name www.hi-linux.com;
   # Plaintext requests are redirected to HTTPS, keeping the original path and query.
   return 301 https://www.hi-linux.com$request_uri;
...
}

Restart the Nginx service

$ service nginx restart

Enable HSTS on IIS

To enable HSTS on IIS, a third-party module is required.

Once the configuration is in place, use curl to verify it: if the response contains the Strict-Transport-Security field, HSTS is enabled.

$ curl -I https://www.hi-linux.com
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 27 May 2017 03:52:19 GMT
Content-Type: text/html; charset=utf-8
...
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
...

As for HSTS and the HSTS Preload List, the recommendation is not to enable them unless you can guarantee that the HTTPS service will always be available. Once HSTS has taken effect, returning users are sent to HTTPS until max-age expires, so if HTTPS becomes unavailable the site can no longer be accessed correctly, and the only way out is to change the domain name.

Reposted from: blog.csdn.net/yaxuan88521/article/details/132966549