HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.

The HSTS Policy is communicated by the server to the user agent via an HTTP response header field named "Strict-Transport-Security". The HSTS Policy specifies a period of time during which the user agent shall access the server only in a secure fashion.

Description source: Wikipedia

Abraham Martin

July 25, 2014

Transcript

  1. HSTS. Abraham Martin (@abraham_martinc), University of Cambridge

  2. HTTP Strict Transport Security. RFC 6797, November 2012

  3. Browser, Bank web server: http://bank.com (HTTP) … <a href="https://bank.com/login.html"> … https://bank.com/login.html (HTTPS). Cookies! (Session)

  4. Browser, Man in the middle: http://bank.com (HTTP) … <a href="https://benk.com/login.html"> … https://benk.com/login.html (HTTPS). Certificate is valid!… …for benk.com. Also, an attacker could get the cookies/session.

  5. You could think… "OK, I'm secure because I have my web server configured to redirect all HTTP calls to HTTPS."

  6. Browser, Bank web server: http://bank.com (HTTP), HTTP 302 redirect to https://bank.com, https://bank.com/ (HTTPS)

  7. Configuring your web server to always redirect to HTTPS does NOT solve the problem.

  8. Browser, Man in the middle: http://bank.com (HTTP), HTTP 302 redirect to https://benk.com, https://benk.com/ (HTTPS). Certificate is valid!… …for benk.com

  9. HTTP Strict Transport Security to the rescue

  10. Browser, Bank web server: http://bank.com (HTTP) … <a href="https://bank.com/login.html"> … https://bank.com/login.html (HTTPS) with header Strict-Transport-Security. Browser saves this site as STS.

  11. Browser, Bank web server: http://bank.com (HTTP), HTTP 302 redirect to https://bank.com, https://bank.com/ (HTTPS) with header Strict-Transport-Security. Browser saves this site as STS.

  12. Next time the user writes in their browser http://bank.com or bank.com …

  13. Browser, Bank web server: http://bank.com becomes https://bank.com (HTTPS). Impossible man in the middle attack.

  14. Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

  15. http://caniuse.com/
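As an added illustration (not code from the deck), the following Python models the user-agent side of slides 10 to 14: it parses the Strict-Transport-Security header, stores the policy with its expiry, and rewrites later http:// URLs to https:// before any request leaves the browser, so the redirect a man in the middle could tamper with never happens. The hostnames, header dictionary and timestamps are constructed sample values.

```python
import time
from urllib.parse import urlsplit, urlunsplit

def parse_sts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None when the header is invalid: RFC 6797 requires a max-age directive."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HSTSCache:
    """Minimal model of a browser's HSTS store: host -> (expiry time, include_subdomains)."""
    def __init__(self):
        self.hosts = {}
    def observe(self, url, headers, now=None):
        """Record a response's policy (headers is a constructed dict). Only an HTTPS response
        counts (RFC 6797 section 8.1), so a MITM on the HTTP leg cannot plant a policy."""
        now = time.time() if now is None else now
        parts, value = urlsplit(url), headers.get("Strict-Transport-Security")
        policy = parse_sts(value) if parts.scheme == "https" and value else None
        if policy is None:
            return False
        max_age, include_sub = policy
        host = parts.hostname.lower()
        if max_age == 0:
            self.hosts.pop(host, None)   # max-age=0 tells the UA to forget the host
        else:
            self.hosts[host] = (now + max_age, include_sub)
        return True
    def is_known(self, host, now):
        """True if host, or a parent domain that set includeSubDomains, is unexpired."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
    def rewrite(self, url, now=None):
        """Upgrade http:// to https:// before any request is sent (slides 12 and 13)."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

Note that the first plain-HTTP visit (before the policy is known) is still exposed, which is why the deck's header uses a long max-age and includeSubDomains.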