Blog

HSTS – The best way to defend SSL Stripping

Tags: ApachehstsSecuritysslssl strippingServer Management

Published on: June 8, 2016 by Anitta Jose

HSTS – The best way to defend SSL Stripping

Scenario:

What is HSTS?

HSTS is a web security policy by which the website inform the browsers that it should never load the site using HTTP but only using HTTPS protocol. This security feature helps the secure HTTPS web servers to be protected against downgrade attacks (also known as SSL stripping attacks).

SSL Stripping

Now you may be wondering about what is SSL Stripping. In simple words, SSL Strip is stripping https:// URLs and turning them into http:// URLs.

How SSL Stripping occurs: An example

Suppose that a person ‘A’ log into a free WiFi access point at an airport and start surfing the web. Meanwhile he visited his online banking service to check the balance or to pay a bill. Unfortunately, the access point which he is using is actually a hacker’s laptop (B).

Suppose A entered the url www.bank.com/online_banking, and is waiting for the response from the server (C). Here his browser (A) is connected to the attackers machine(B) hence the Attacker forwards his request and waits for the response from the bank server. Now the connection between B and C becomes secure, which means that all the traffic that is transferred between them (B & C) is through the SSL tunnel.

The server responds to this request with the login page that has the following URL: https://www.bank.com/online_banking.

At this stage, the attacker has access to the login page. Next, attacker B modifies the response from the server from https to http and sends it to victim (A), that is URL http://www.bank.com/online_banking is send to victim A.

At this point, the victim has access to the internet banking login page with an unsecure connection with the attacker. From this point onwards, all the victim’s requests go out in the Plain text format and the attacker can collect his login credentials and data.

The Server thinks it has successfully established the connection, but here the connection is established between the attacker and the server (i.e., between B & C), while the victim (A) also thinks that it is a legitimate connection.

The main problem with SSL stripping is that the browser won’t display any SSL Certificate errors and the victims have no clue that such an attack is going on.

This attack is also known as HTTP-downgrading attacks, where the connection established by the victim’s browser is downgraded from HTTPs to HTTP.

Proposed Solutions

1. Enable HSTS (HTTP Strict Transport Security)

2. Install the HTTPS Everywhere plugin for web browser. This will attempt to make all HTTP requests via TLS first and return to regular HTTP only if it fails.

Why HSTS was created?

When we try to access a site it initially loads http page and is redirected to the https page, but here the user is actually communicating with the non-encrypted version of the site before it is redirected. This gives a way for the man-in-the-middle of attack where the redirect can be used to direct this user to a malicious site instead of the secure version of the required site.

A man-in-the-middle attack is an attack where the attacker alters the communication between two parties who believe that they are directly communicating with each other. An example is SSL stripping attack.

Once the attacker has successfully redirected a user, user data including cookies, can be compromised. Unfortunately, this attack is outside the scope of pure SSL. This is why HSTS was created.

How to configure HSTS for your domain?

In order to configure HSTS, add the following line in the .htaccess file which contains the redirect rule (redirect http to https):

Strict-Transport-Security: "max-age=15552000; includeSubDomains; preload"

The configurable parameters for HSTS are as follows:

 Parameter  Purpose
 Strict-Transport-Security  Enable HSTS
 max-age  A “time to live” field for the HSTS header. A value of “0” will disable HSTS.
 includeSubDomains  Apply HSTS Policy to subdomains

Here, the max-age value is in seconds. Once a web browser has been to the site once and received the header it will remember that the site should only be accessed over HTTPS for the duration of the max-age value. It is recommended that value of max-age should be 6 months or more.

Get Dedicated Webhosting Support Team

Category : Apache, Howtos, Linux

Anitta Jose

Anitta Jose

Anitta is systems engineer since 2015 and holds broad experience in Linux, WordPress, and cPanel systems administration. Her interest lies more in Cloud technologies (AWS). From 2016, she writes blogs to share her experiences with wider audience.

You may also read:

Comments

Add new commentSIGN IN

Let's Connect

Get new updates

Categories

$0.000 items