HSTS (HTTP Strict Transport Security) is a security protocol that force the use of SSL in the comunication between the web browser and the web server. This standard is recently approved (2 october 2012) by the IETF, but the first draft was released in 2010 and it was implemented in some sites like Paypal, Android market, DEF CON website… The motivation of HSTS is to mitigate the SSLStrip attacks, introduced by Moxie Marlinspike in Black Hat conference 2009. SSLStrip consist in a https session hijacking, forcing a https connection becomes a normal http allowing to the attacker read all data sent from the victim. Basically it follows three steps:
- Victim establishes a HTTP connection with attacker machine.
- The attacker transforms the http traffic from the victim to https.
- The attacker establishes the https connection with the real web server.
Configuring HSTS the web server informs to the web browser that connections to the site should always use SSL. Actually the web browser that supports the HSTS headers are Google chrome from 126.96.36.199 version, Firefox from 4 version and Opera from 12 version.
HSTS has a limitation resides in the initial request from the web browser and can be exploited by an attacker, for this reason it’s important to setup a high value for the HSTS expiration value.
– Load the mod_headers module to allow modify the http headers:
# vi /etc/httpd/conf/httpd.conf
LoadModule headers_module modules/mod_headers.so
– Add in our vhost statement or in your main apache config file, the next line with an expiration of 6 months including the requests for all the subdomains:
Header add Strict-Transport-Security "max-age=15768000;includeSubDomains"
add_header Strict-Transport-Security max-age=15768000;includeSubDomains
Capturing HTTP headers from the server with tcpdump
# tcpdump -vvvs 1024 -l -A host monitor.local $p... ..HTTP/1.1 200 OK Date: Tue, 09 Oct 2012 18:33:36 GMT Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.3.3 Expires: Thu, 19 Nov 1981 08:52:00 GMT Last-Modified: Tue, 09 Oct 2012 18:33:36 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: CP="CAO PSA OUR" Strict-Transport-Security: max-age=15768000 Content-Length: 1468 Connection: close Content-Type: text/html; charset=UTF-8
Draft specification by the IETF: http://datatracker.ietf.org/doc/draft-ietf-websec-strict-transport-sec/