HTTP Strict Transport Security
The HSTS Policy is communicated by the server to the user agent via an HTTPS response header
field named "Strict-Transport-Security
HSTS Policy specifies a period of time during which the user agent should only access the server in a secure fashion.
Websites using HSTS often do not accept clear text HTTP, either by rejecting connections over HTTP or systematically redirecting users to HTTPS (though this is not required by the specification). The consequence of this is that a user-agent not capable of doing TLS will not be able to connect to the site.
The protection only applies after a user has visited the site at least once, relying on the principle of Trust on first use. The way this protection works is that a user entering or selecting a URL to the site that specifies HTTP, will automatically upgrade to HTTPS, without making an HTTP request, which prevents the HTTP man-in-the-middle attack from occurring.
The HSTS specification was published as RFC 6797 on 19 November 2012 after being approved on 2 October 2012 by the IESG
for publication as a Proposed Standard RFC
The authors originally submitted it as an Internet Draft
on 17 June 2010. With the conversion to an Internet Draft, the specification name was altered from "Strict Transport Security" (STS) to "HTTP Strict Transport Security", because the specification applies only to HTTP
. The HTTP response header field defined in the HSTS specification however remains named "Strict-Transport-Security".
The last so-called "community version" of the then-named "STS" specification was published on 18 December 2009, with revisions based on community feedback.
The original draft specification by Jeff Hodges from PayPal
, Collin Jackson, and Adam Barth was published on 18 September 2009.
The HSTS specification is based on original work by Jackson and Barth as described in their paper "ForceHTTPS: Protecting High-Security Web Sites from Network Attacks".
Additionally, HSTS is the realization of one facet of an overall vision for improving web security, put forward by Jeff Hodges and Andy Steingruebl in their 2010 paper The Need for Coherent Web Security Policy Framework(s)
HSTS mechanism overview
A server implements an HSTS policy by supplying a header over an HTTPS connection (HSTS headers over HTTP are ignored).
For example, a server could send a header such that future requests to the domain for the next year (max-age is specified in seconds; 31,536,000 is equal to one non-leap year) use only HTTPS: Strict-Transport-Security: max-age=31536000
When a web application issues HSTS Policy to user agents, conformant user agents behave as follows (RFC 6797):
- Automatically turn any insecure links referencing the web application into secure links (e.g. http://example.com/some/page/ will be modified to https://example.com/some/page/before accessing the server).
- If the security of the connection cannot be ensured (e.g. the server's TLS certificate is not trusted), the user agent must terminate the connection (RFC 6797 section 8.4, Errors in Secure Transport Establishment) and should not allow the user to access the web application (section 12.1, No User Recourse).
The HSTS Policy helps protect web application users against some passive (eavesdropping
) and active network attacks
A man-in-the-middle attacker
has a greatly reduced ability to intercept requests and responses between a user and a web application server while the user's browser has HSTS Policy in effect for that web application.
The most important security vulnerability that HSTS can fix is SSL-stripping man-in-the-middle attacks
, first publicly introduced by Moxie Marlinspike
in his 2009 BlackHat Federal talk "New Tricks For Defeating SSL In Practice".
The SSL (and TLS
) stripping attack works by transparently converting a secure HTTPS
connection into a plain HTTP connection. The user can see that the connection is insecure, but crucially there is no way of knowing whether the connection should
be secure. At the time of Marlinspike's talk, many websites did not use TLS/SSL, therefore there was no way of knowing (without prior knowledge) whether the use of plain HTTP was due to an attack, or simply because the website hadn't implemented TLS/SSL. Additionally, no warnings are presented to the user during the downgrade process, making the attack fairly subtle to all but the most vigilant. Marlinspike's sslstrip tool fully automates the attack.
HSTS addresses this problem
by informing the browser that connections to the site should always use TLS/SSL. The HSTS header can be stripped by the attacker if this is the user's first visit. Google Chrome
, Mozilla Firefox
, Internet Explorer
and Microsoft Edge
attempt to limit this problem by including a "pre-loaded" list of HSTS sites.
Unfortunately this solution cannot scale to include all websites on the internet. See limitations
Because HSTS is time limited, it is sensitive to attacks involving shifting the victim's computer time e.g. using false NTP
The initial request remains unprotected from active attacks if it uses an insecure protocol such as plain HTTP or if the URI
for the initial request was obtained over an insecure channel
The same applies to the first request after the activity period specified in the advertised HSTS Policy max-age (sites should set a period of several days or months depending on user activity and behavior). Google Chrome
, Mozilla Firefox
and Internet Explorer
address this limitation by implementing a "HSTS preloaded list", which is a list that contains known sites supporting HSTS.
This list is distributed with the browser so that it uses HTTPS for the initial request to the listed sites as well. As previously mentioned, these pre-loaded lists cannot scale to cover the entire Web. A potential solution might be achieved by using DNS
records to declare HSTS Policy, and accessing them securely via DNSSEC
, optionally with certificate fingerprints to ensure validity (which requires running a validating resolver to avoid last mile
Junade Ali has noted that HSTS is ineffective against the use of phony domains; by using DNS-based attacks, it is possible for a Man-in-the-Middle interceptor to serve traffic from an artificial domain which is not on the HSTS Preload list,
this can be made possible by DNS Spoofing Attacks,
or simply a domain name that misleadingly resembles the real domain name such as www.example.org
instead of www.example.com
Even with an "HSTS preloaded list", HSTS can't prevent advanced attacks against TLS itself, such as the BEAST
attacks introduced by Juliano Rizzo and Thai Duong. Attacks against TLS itself are orthogonal
to HSTS policy enforcement. Neither can it protect against attacks on the server - if someone compromises it, it will happily serve any content over TLS.
See RFC 6797
for a discussion of overall HSTS security considerations.
HSTS can be used to near-indelibly tag visiting browsers with recoverable identifying data (supercookies
) which can persist in and out of browser "incognito
" privacy modes. By creating a web page that makes multiple HTTP requests to selected domains, for example, if twenty browser requests to twenty different domains are used, theoretically over one million visitors can be distinguished (220
) due to the resulting requests arriving via HTTP vs. HTTPS; the latter being the previously recorded binary "bits" established earlier via HSTS headers.
Deployment best practices
Depending on the actual deployment there are certain threats (e.g. cookie injection attacks) that can be avoided by following best practices.
- HSTS hosts should declare HSTS policy at their top-level domain name. For example, an HSTS host at https://sub.example.com should also answer with the HSTS header at https://example.com. The header should specify the includeSubDomains directive.
- In addition to HSTS deployment, a host for https://www.example.com should include a request to a resource from https://example.com to make sure that HSTS for the parent domain is set and protects the user from potential cookie injection attacks performed by a MITM that would inject a reference to the parent domain (or even http://nonexistentpeer.example.com), which the attacker then would answer.
- ^ a b c d "Strict-Transport-Security". MDN Web Docs. Mozilla. Retrieved 31 January 2018.
- ^ Hodges, Jeff; Jackson, Collin; Barth, Adam (November 2012). "HSTS Policy". HTTP Strict Transport Security (HSTS). IETF. doi:10.17487/RFC6797. RFC 6797. Retrieved 31 January 2018.
- ^ "[websec] Protocol Action: 'HTTP Strict Transport Security (HSTS)' to Proposed Standard (draft-ietf-websec-strict-transport-sec-14.txt)". 2 October 2012. Retrieved 2 October 2012.
- ^ Jeff Hodges (30 June 2010). "Re: [HASMAT] "STS" moniker (was: IETF BoF @IETF-78 Maastricht: HASMAT...)". Retrieved 22 July 2010.
- ^ "Strict Transport Security -06". 18 December 2009. Retrieved 23 December 2009.
- ^ "Strict Transport Security -05". 18 September 2009. Retrieved 19 November 2009.
- ^ "ForceHTTPS: Protecting High-Security Web Site from Network Attacks". April 2008. Retrieved 19 November 2009.
- ^ Hodges, Jeff; Steinguebl, Andy (29 October 2010). "The Need for Coherent Web Security Policy Framework(s)". Retrieved 21 November 2012.
- ^ Hodges, Jeff; Jackson, Collin; Barth, Adam (November 2012). "Section 5. HSTS Mechanism Overview". RFC 6797. IETF. Retrieved 21 November 2012.
- ^ a b Hodges, Jeff; Jackson, Collin; Barth, Adam (November 2012). "2.3. Threat Model". RFC 6797. IETF. Retrieved 21 November 2012.
- ^ "New Tricks For Defeating SSL In Practice"(PDF).
- ^ Defeating SSL Using Sslstrip on YouTube
- ^ a b Adam Langley (8 July 2010). "Strict Transport Security". The Chromium Projects. Retrieved 22 July 2010.
- ^ a b c David Keeler (1 November 2012). "Preloading HSTS". Mozilla Security Blog. Retrieved 6 February 2014.
- ^ a b Bell, Mike; Walp, David (16 February 2015). "HTTP Strict Transport Security comes to Internet Explorer". Retrieved 16 February 2015.
- ^ Jeff Hodges (31 October 2010). "Firesheep and HSTS (HTTP Strict Transport Security)". Retrieved 8 March 2011.
- ^ Jose Selvi (17 October 2014). "Bypassing HTTP Strict Transport Security" (PDF). Retrieved 22 October 2014.
- ^ Hodges, Jeff; Jackson, Collin; Barth, Adam (November 2012). "Section 14.6. Bootstrap MITM Vulnerability". RFC 6797. IETF. Retrieved 21 November 2012.
- ^ "Chromium HSTS Preloaded list". cs.chromium.org. Retrieved 10 July 2019.
- ^ Butcher, Simon (11 September 2011). "HTTP Strict Transport Security". Retrieved 27 March 2012.
- ^ Ali, Junade (20 October 2017). "Performing & Preventing SSL Stripping: A Plain-English Primer". Cloudflare Blog.
- ^ Maksutov, A. A.; Cherepanov, I. A.; Alekseev, M. S. (2017). 2017 Siberian Symposium on Data Science and Engineering (SSDSE). pp. 84–87. doi:10.1109/SSDSE.2017.8071970. ISBN 978-1-5386-1593-5. S2CID 44866769.
- ^ "The HSTS super cookie forcing you to choose: "privacy or security?" -". sophos.com. Retrieved 1 December 2015.
- ^ The Chromium Developers (17 November 2010). "Strict Transport Security - The Chromium Projects". Retrieved 17 November 2010.
- ^ Jeff Hodges (18 September 2009). "fyi: Strict Transport Security specification". Retrieved 19 November 2009.
- ^ Opera Software ASA (23 April 2012). "Web specifications support in Opera Presto 2.10". Retrieved 8 May 2012.
- ^ @agl__ (Adam Langley). "Confirmed. See ~/Library/Cookies/HSTS.plist. Includes Chromium preloads as of some date and processes HSTS headers". on Twitter. Retrieved 20 December 2013.
- ^ "HTTP Strict Transport Security comes to Internet Explorer 11 on Windows 8.1 and Windows 7". windows.com. Retrieved 12 June 2015.
- ^ "Internet Explorer Web Platform Status and Roadmap". Retrieved 14 April 2014.
- ^ "Project Spartan and the Windows 10 January Preview Build - IEBlog". Retrieved 23 January 2015.
- ^ Hodges; et al. "HTTP Strict Transport Security (HSTS) 6.1.2". ietf.org. Retrieved 11 November 2016.
- ^ "RFC 6797 - HTTP Strict Transport Security (HSTS)". IETF Tools. Archived from the original on 28 May 2019. Retrieved 28 May 2019.
Last edited on 11 June 2021, at 07:53
Content is available under CC BY-SA 3.0
unless otherwise noted.