January 27, 2017 at 15:01Caution: HSTS
About HSTS on Habré already wrote , this mechanism is included in the generator of configs for web servers from Mozilla. I decided to write this post in one day when I was faced with the inaccessibility of two large sites due to HSTS.
HSTS (HTTP Strict Transport Security) is a protection mechanism against downgrade attacks on TLS that tells the browser to always use TLS for sites with relevant policies. The standard is described in RFC6797 , and there are two types of policies:
The policy is applied from the Strict-Transport-Security HTTP header when first accessing the site via HTTPS, it indicates the validity period and applicability to subdomains:
Static policies are hardcoded to the browser and for some sites includes binding to a higher CA that issued a certificate (for example: google.com, paypal.com or torproject.org). Moreover, it can only act when the site is open via TLS, allowing an insecure connection, but blocking MitM with certificate spoofing.
The list from Chromium is used by all popular browsers (Firefox, Safari and IE 11 + Edge) and anyone can add a site to it if the web server gives a Strict-Transport-Security header with a validity period of two years and with the preload keyword at the end:
Recently, colleagues complained about the inaccessibility of some sections of the 1C site (dist.1c.ru and partweb.1c.ru). Support assured me that everything worked, my problem did not reproduce, and even for my colleagues sites were opened from all browsers except the main Chrome. He issued ERR_CONNECTION_TIMED_OUT after 20 seconds and for some reason persistently substituted HTTPS in the URL, even if the address was written entirely with HTTP.
The solution came almost immediately, as HSTS was recently mentioned in the context of corporate MitM. Googling for the keyword with the first link suggested that you can see the policy cache in chrome: // net-internals / # hsts and the guess was confirmed:
The policy included all subdomains, although many of them were only available on port 80 without TLS.
After its removal, the necessary sections began to open, by the date they were received (in unix time format), they found a page with incorrect settings in the browser history and sent a bug report to 1C.
The second site was ask.mcdonalds.ru, which opened for the first time, but Chrome still showed a warning with the familiar four-letter abbreviation and without the usual Proceed to (unsafe) button:
The error indicates that the certificate name does not match, expires or is revoked, and showing the button to open the site is expressly prohibited in the RFC. At the same time, the policy for mcdonalds.ru turned out to be static, which cannot be removed from chrome: // net-internals / # hsts.
You can get around this stub in Chrome by typing thisisunsafe (the previous magic word was badidea , and before it danger ) or by launching a browser with the key --ignore-certificate-errors .
In Firefox, click “Forge About This Site” in front of the site in history, open about: config and create a new Integer with the name “test.currentTimeOffsetSeconds” and value 11491200, and then open the site in a new tab.
Do not enable potentially hazardous functions without understanding how they work. You will get the “A” mark in the test from SSL Labs without HSTS, and you can enable it after checking all the functionality through TLS. There will be no turning back with a static sheet in the browser, so it’s better to immediately purchase a certificate with wildcard.
Chrome and Firefox support an additional protection mechanism: HTTP Public Key Pinning (HPKP) , which allows you to bind the certificate hash and send a notification to the owner if the browser comes across a certificate from a public CA for its domain with a different hash. He helped solve several incidents with public CAs, but is rarely used in practice due to the high cost of the error.
The composition of hard-coded policies in Chromium is interesting : in addition to the fast-food chain, several Mail.ru and Yandex domains, there is only UniCredit from the TOP-15 of Russian banks. There is no fashionable TKS, neither Qiwi, nor WebMoney, and dynamic policies were included only at Qiwi and for the Internet banking addresses of Binbank, ICD, Discovery, Raiffeisen and RSHB.
There is still no Telegram, but there is Whatsapp, and in the change log there are requests to delete (!) Mistakenly included sites, where for some time there was a preload in the header.
TL; DR
Carefully check the site for TLS before enabling HSTS, especially if it is a large portal with a bunch of subdomains and managed by different people.
What is HSTS?
HSTS (HTTP Strict Transport Security) is a protection mechanism against downgrade attacks on TLS that tells the browser to always use TLS for sites with relevant policies. The standard is described in RFC6797 , and there are two types of policies:
Dynamic
The policy is applied from the Strict-Transport-Security HTTP header when first accessing the site via HTTPS, it indicates the validity period and applicability to subdomains:
Strict-Transport-Security: max-age=15768000; includeSubDomains;Static
Static policies are hardcoded to the browser and for some sites includes binding to a higher CA that issued a certificate (for example: google.com, paypal.com or torproject.org). Moreover, it can only act when the site is open via TLS, allowing an insecure connection, but blocking MitM with certificate spoofing.
The list from Chromium is used by all popular browsers (Firefox, Safari and IE 11 + Edge) and anyone can add a site to it if the web server gives a Strict-Transport-Security header with a validity period of two years and with the preload keyword at the end:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preloadHow to shoot yourself in the foot?
Recently, colleagues complained about the inaccessibility of some sections of the 1C site (dist.1c.ru and partweb.1c.ru). Support assured me that everything worked, my problem did not reproduce, and even for my colleagues sites were opened from all browsers except the main Chrome. He issued ERR_CONNECTION_TIMED_OUT after 20 seconds and for some reason persistently substituted HTTPS in the URL, even if the address was written entirely with HTTP.
The solution came almost immediately, as HSTS was recently mentioned in the context of corporate MitM. Googling for the keyword with the first link suggested that you can see the policy cache in chrome: // net-internals / # hsts and the guess was confirmed:
dynamic_sts_domain: 1c.ru
The Found :
static_sts_domain:
static_upgrade_mode: UNKNOWN
static_sts_include_subdomains:
static_sts_observed:
static_pkp_domain:
static_pkp_include_subdomains:
static_pkp_observed:
static_spki_hashes:
dynamic_sts_domain: 1c.ru
dynamic_upgrade_mode: STRICT
dynamic_sts_include_subdomains: to true
dynamic_sts_observed: 1485244696.197302
dynamic_pkp_domain:
dynamic_pkp_include_subdomains:
dynamic_pkp_observed:
dynamic_spki_hashes:
static_sts_domain:
static_upgrade_mode: UNKNOWN
static_sts_include_subdomains:
static_sts_observed:
static_pkp_domain:
static_pkp_include_subdomains:
static_pkp_observed:
static_spki_hashes:
dynamic_sts_domain: 1c.ru
dynamic_upgrade_mode: STRICT
dynamic_sts_include_subdomains: to true
dynamic_sts_observed: 1485244696.197302
dynamic_pkp_domain:
dynamic_pkp_include_subdomains:
dynamic_pkp_observed:
dynamic_spki_hashes:
The policy included all subdomains, although many of them were only available on port 80 without TLS.
After its removal, the necessary sections began to open, by the date they were received (in unix time format), they found a page with incorrect settings in the browser history and sent a bug report to 1C.
The second site was ask.mcdonalds.ru, which opened for the first time, but Chrome still showed a warning with the familiar four-letter abbreviation and without the usual Proceed to (unsafe) button:
ER_CERT_COMMON
The error indicates that the certificate name does not match, expires or is revoked, and showing the button to open the site is expressly prohibited in the RFC. At the same time, the policy for mcdonalds.ru turned out to be static, which cannot be removed from chrome: // net-internals / # hsts.
You can get around this stub in Chrome by typing thisisunsafe (the previous magic word was badidea , and before it danger ) or by launching a browser with the key --ignore-certificate-errors .
In Firefox, click “Forge About This Site” in front of the site in history, open about: config and create a new Integer with the name “test.currentTimeOffsetSeconds” and value 11491200, and then open the site in a new tab.
conclusions
Do not enable potentially hazardous functions without understanding how they work. You will get the “A” mark in the test from SSL Labs without HSTS, and you can enable it after checking all the functionality through TLS. There will be no turning back with a static sheet in the browser, so it’s better to immediately purchase a certificate with wildcard.
PS
Chrome and Firefox support an additional protection mechanism: HTTP Public Key Pinning (HPKP) , which allows you to bind the certificate hash and send a notification to the owner if the browser comes across a certificate from a public CA for its domain with a different hash. He helped solve several incidents with public CAs, but is rarely used in practice due to the high cost of the error.
PPS
The composition of hard-coded policies in Chromium is interesting : in addition to the fast-food chain, several Mail.ru and Yandex domains, there is only UniCredit from the TOP-15 of Russian banks. There is no fashionable TKS, neither Qiwi, nor WebMoney, and dynamic policies were included only at Qiwi and for the Internet banking addresses of Binbank, ICD, Discovery, Raiffeisen and RSHB.
There is still no Telegram, but there is Whatsapp, and in the change log there are requests to delete (!) Mistakenly included sites, where for some time there was a preload in the header.