Monday, July 11, 2011

Enhancing Secure Communications with Strict Transport Security

New security capabilities in Firefox, Chrome and several other browsers enable web applications to create a more secure browsing experience with users.

Summary

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header.  Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.


Background & Details

As an application owner one of your goals, in addition to providing an exceptional experience to the user, is to provide a secure interaction with your web application that protects any data submitted by, or sent to, the user. However, during the user's interaction with the web application the user may be targeted by malicious parties that are attempting to compromise the confidentiality or integrating of the browsing session. Their goal may be to view the sensitive data that is transmitted between the user and the application or possibly modify the exchanged data to install malicious viruses on the end user's machine or trick the user to insecurely provide their credentials so the attacker can steal this information.

The primary defense mechanism to protect data exchanged between the user and the web applications is to allow users to interact with their web application over Secure HTTP (i.e. HTTPS). When properly configured HTTPS establishes a secure channel between the user and web application which guarantees the data cannot be read, modified, or replayed by a third party.  However, there are many situations where a web application has been incorrectly designed which invalidates these guarantees and places the user at significant risk to these man-in-the-middle attackers. (See TLS Cheat Sheet)

Recent security enhancements to Firefox and Chrome now allow websites to instruct the end user's web browser that the specific website should only be accessed over HTTPS. In other words, the website now has the power to instruct the user's browser to not send any insecure communications to the website's domain.  This is accomplished by a new feature called Strict Transport Security.


Example of the HTTP Strict Transport Security header

HSTS is enabled by an additional response header set by the web application
Strict-Transport-Security: max-age=60000

HSTS Eliminates Certificate Error Messages and User Override
HSTS is a specific opt-in security control that is enabled by a website for a specific domain. By enabling this control a website is saying that the user should only interact with this domain over a secure channel and similarly, never send any data over an insecure communication channel.  Therefore, if the browser cannot validate that a secure channel has been established for any reason (e.g. expired certificate, domain mismatch, untrusted issuer) then no data will be sent by the browser and the user will receive an error page. Unlike the typical certificate error page that allows a user to accept the risk and continue, the HSTS error page does not allow a user to override the message.  The logic behind this is that the website has specifically enabled HSTS and there should be no legitimate scenario that results in an invalid certificate.

Protecting Against Users Bookmarking HTTP or Typing HTTP to Reach Site
HSTS also protects against a common scenario that places users at risk with many HTTPS websites.  A user that visits a website from a bookmark or search engine result may initially request the HTTP page for the site. Most sites will quickly redirect the user to the correct HTTPS page. However, this initial request and response is sent over clear text HTTP and could be tampered with by an attacker. If the user is not vigilant they could enter their credentials on a page that has been modified by the attacker to steal the user's information.  HSTS eliminates this vulnerability by instructing the browser to "upgrade" the initial HTTP request to HTTPS before it leaves the browser. As a result the user only interacts with the site over a secure channel and never gives the attacker a chance to tamper with any of the exchanged data.

Who Should Use HSTS?
Sites that currently offer HTTPS access should strongly consider adopting HSTS. If there is any reason for offering a secure connection then it is prudent to ensure that users are able to leverage the increased security capabilities offered by HSTS.


More Information
More information can be found at the following links. In addition, two popular sites currently using HSTS include paypal.com and addons.mozilla.org.  Check them out to see HSTS running live.

Wikipedia.org entry
 
MDN Docs for HSTS


-Michael Coates - @_mwc