Thursday, November 11, 2010

Protecting Yourself From Firesheep with Strict Transport Security

Strict Transport Security is a great solution to protecting against Firesheep

Now ultimately the vulnerable website is supposed to fix this issue on their side. But, let's not wait around for them. Let's fix it on our side and protect our traffic now.

Step 1: Grab a browser that supports Strict Transport Security (Firefox 4 & Google Chrome both support STS)
Step 2: Install an addon that lets you add specific STS settings - STS-UI
Step 3: Configure STS-UI for the sites you're concerned about
Step 4: Be happy your data is more secure. However, securely transmitting data is only one piece of the security pie. But at least you're good in that department.

Configuring STS-UI
Go to tools->Manager Strict Transport Security
Enter the domain name of each site you wish to protect (e.g. force Strict Transport Security upon the site). For example enter "" and select "Force subdomains too"

 After adding and it should look like this

Done. Now you will always be using HTTPS for data exchanged between twitter or facebook.

Remember, this only protects you against sites that are either already using STS or sites that you have manually added.  This really isn't a scalable approach since could be vulnerable and you wouldn't know unless you inspected the traffic going back and forth.

For those that have access to company VPNs or SSH tunnels for their traffic, I'd recommend you also use those when accessing the network from a wireless hotspot. A VPN doesn't solve the problem, but it does remove access from the likely attackers (e.g. other random users of the wireless hotspot).

-Michael Coates


  1. How do you utilize STS in Chrome? I found the extension called "KB SSL Enforcer." Would this extension allow this?

  2. How is this different from HTTPS Everywhere?

  3. I haven't looked at KB SSL Enforcer in depth, but according to the google code page the extension "Redirects you to the SSL (TLS) part of a site if available". So it sounds like it will attempt to behave similarly to STS.

    However, my concern is with the "if available" portion of the statement. Any STS-like system that fails back to HTTP is not secure. I'm imagining a scenario where the attacker is blocking the HTTPS requests and waiting for KB SSL Enforcer to fail back to the vulnerable HTTP request.

  4. HTTPS Everywhere is a Firefox add-on that is also attempting to provide the same security as Strict Transport Security. Like STS-UI, HTTPS Everywhere allows the user to impose the HTTPS requirements onto all communication with a website.

    I believe HTTPS Everywhere and STS-UI are essentially the same except that STS-UI leverages the built in STS functionality with Firefox 4 and HTTPS Everywhere has essentially written an STS functionality from scratch (with reference from the NoScript design). But, I'd be happy to hear from anyone that has more to say on HTTPS Everywhere.


Note: Only a member of this blog may post a comment.