Slide 1

HSTS Abraham Martin (@abraham_martinc) University of Cambridge

Slide 2

HTTP Strict Transport Security, RFC 6797 (November 2012)

Slide 3

Diagram: the browser first requests http://bank.com from the bank web server over plain HTTP, then logs in at https://bank.com/login.html over HTTPS; session cookies are issued at that point ("Cookies! (Session)").

Slide 5

You could think… "OK, I'm secure because my web server is configured to redirect every HTTP request to HTTPS."

Slide 6

Diagram: the browser requests http://bank.com over HTTP; the bank web server answers with HTTP 302 redirect to https://bank.com; the browser then loads https://bank.com/ over HTTPS.

Slide 7

Configuring your web server to always redirect to HTTPS does NOT solve the problem: the very first request still leaves the browser over plain HTTP, and anyone on the network path can answer it before the bank's server does.

Slide 8

Diagram: the browser requests http://bank.com over HTTP, but a man in the middle answers first with HTTP 302 redirect to https://benk.com; the browser loads https://benk.com/ over HTTPS. The certificate is valid!… …for benk.com, so the browser shows no warning; only a user who notices the look-alike host name catches it.

Slide 9

HTTP Strict Transport Security to the rescue

Slide 11

Diagram: the browser requests http://bank.com over HTTP; the bank web server answers with HTTP 302 redirect to https://bank.com; the browser loads https://bank.com/ over HTTPS and the response carries the header Strict-Transport-Security; the browser saves this site as an STS host.

Slide 12

Next time the user types http://bank.com or just bank.com into their browser…

Slide 13

Diagram: the browser rewrites http://bank.com to https://bank.com internally, before any request is sent, so the bank web server is only ever contacted over HTTPS. The man-in-the-middle attack of slide 8 is impossible: there is no plain-HTTP request for the attacker to answer. This holds as long as the stored policy has not expired; the user's very first visit, before the header has been seen, is still unprotected.

Slide 14

Apache (mod_headers) configuration:

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

max-age is in seconds (63072000 = two years). includeSubDomains extends the policy to every subdomain, so all of them must already be served over HTTPS before you add it, or they stop working for users who have seen the header.
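To make the browser-side behaviour of slides 11 to 14 concrete, here is an added example that is not part of the slides: a small model of a browser's HSTS store written against RFC 6797. The host names (bank.com, www.bank.com, benk.com), the response headers and the clock values are all constructed for the demo; `parseHsts`, `HstsBrowser` and `replay` are names chosen here, not browser or Apache APIs.

```javascript
// Added example (not from the slides): a minimal model of the browser side of
// RFC 6797, enough to replay the scenario of slides 8 to 14. All hosts, URLs
// and responses below are constructed for the demo.

// Parse a Strict-Transport-Security header value.
// Returns { maxAge, includeSubDomains } or null if there is no valid max-age
// (a header without max-age is invalid and must be ignored, RFC 6797 section 6.1).
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const piece of value.split(";")) {
    const directive = piece.trim();
    if (directive === "") continue;
    const eq = directive.indexOf("=");
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (val !== null && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1); // max-age may be sent as a quoted-string
    }
    if (name === "max-age") {
      if (val === null || !/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === "includesubdomains") {
      includeSubDomains = true;
    }
    // Unrecognised directives (for example "preload") are ignored, as the RFC requires.
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// The browser's store of known HSTS hosts. `now` is a clock in seconds so
// that expiry can be exercised without waiting.
class HstsBrowser {
  constructor(now) {
    this.now = now;
    this.hosts = new Map(); // hostname -> { expires, includeSubDomains }
  }

  // Feed every response here. RFC 6797 section 8.1: the header is processed
  // only when received over HTTPS without certificate errors. A header seen
  // over plain HTTP (which a man in the middle could inject) is ignored.
  observeResponse(url, headers) {
    const u = new URL(url);
    if (u.protocol !== "https:") return false;
    const raw = headers["strict-transport-security"];
    if (raw === undefined) return false;
    const policy = parseHsts(raw);
    if (policy === null) return false;
    if (policy.maxAge === 0) {
      this.hosts.delete(u.hostname); // max-age=0 tells the browser to forget the host
      return true;
    }
    this.hosts.set(u.hostname, {
      expires: this.now + policy.maxAge,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Exact match, or a parent domain whose policy carries includeSubDomains.
  isKnownHost(hostname) {
    const labels = hostname.split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const entry = this.hosts.get(candidate);
      if (entry === undefined) continue;
      if (entry.expires <= this.now) { this.hosts.delete(candidate); continue; }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // What the browser does with a typed URL before any packet is sent
  // (RFC 6797 section 8.3). For a known host, http:// becomes https://, so
  // there is never a plain-HTTP request for a man in the middle to answer.
  navigate(url) {
    const u = new URL(url);
    if (u.protocol === "http:" && this.isKnownHost(u.hostname)) {
      u.protocol = "https:";
    }
    return u.toString();
  }
}

// Replay of the slides' scenario; returns the observations so they can be checked.
function replay() {
  const browser = new HstsBrowser(1000);
  // Constructed server response carrying the slide-14 header.
  const bankHeaders = { "strict-transport-security": "max-age=63072000; includeSubDomains" };

  const learnedOverHttp = browser.observeResponse("http://bank.com/", bankHeaders);   // false: ignored
  const learnedOverHttps = browser.observeResponse("https://bank.com/", bankHeaders); // true: stored

  const result = {
    learnedOverHttp,
    learnedOverHttps,
    typedBare: browser.navigate("http://bank.com"),                // "https://bank.com/"
    subdomain: browser.navigate("http://www.bank.com/login.html"), // "https://www.bank.com/login.html"
    lookalike: browser.navigate("http://benk.com/"),               // "http://benk.com/": no policy stored
  };

  // Two years later the entry has expired and the first request is plain HTTP again.
  browser.now = 1000 + 63072000;
  result.afterExpiry = browser.navigate("http://bank.com/");        // "http://bank.com/"
  return result;
}
```

The two checks worth noticing are that `observeResponse` discards the header when the response arrived over plain HTTP (so the attacker of slide 8 cannot plant or alter a policy) and that `navigate` rewrites the scheme before any request exists, which is exactly what makes slide 13's attack impossible for a host that is already in the store.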

Slide 15

Browser support: http://caniuse.com/