Hacker News new | comments | ask | show | jobs | submit login

HSTS will one day be remembered as the HTTPS version of SMS 2nd auth: A bad hack with good intentions. Sure, it can have some positive effect in the short term, but there are so many ways to subvert it that as its popularity grows, so will the attacks.

I'm interested in what these attacks are and what you think would be better. Especially with HSTS preloading (supported in Chrome, Firefox, IE, and Edge) I don't see any attacks really.

Potential security considerations identified by the authors of HSTS are manyfold [1]. The most obvious is (14.6) 'Bootstrap MITM Vulnerability' states that since a non-preloaded site's initial contact will be through a non-secure channel, a man-in-the-middle can tamper with the response and never set a HSTS policy, or set an intentionally misconfigured HSTS policy. Preload is designed to mitigate against this, but preloading every single website is... difficult.

[1] https://tools.ietf.org/html/rfc6797#section-14

You can't set a misconfigured policy over http, it needs to be HTTPS with a valid CA.

That's not entirely clear from the spec. Per section 11.3 [1], if HTST policy is enabled with a self-signed cert, then "then secure connections to that site will fail, per the HSTS design".

In my reading, it doesn't say that a compliant user-agent must not set HSTS policies for self-signed certs; rather, it says a compliant user-agent will show an un-remediable error upon attempt to visit the website.

[1] https://tools.ietf.org/html/rfc6797#section-11.3

Regardless of spec, none of the major browsers accept HSTS policies from sites with self-signed certs.

> Especially with HSTS preloading

HSTS preloading is just distorting the market towards the already large sites.

A smaller site now will get ads injected by your ISP, but their larger competitor doesn’t.

Yet, you obviously can’t add every single private blog to the preloading list.

I tried getting my personal blog added, it’s just impossible.

So your solution is only good for the already huge websites.

What’s with democratizing the internet, giving every single personal blog the same tools as every huge site?

I tried getting my personal blog added, it’s just impossible.

Why? https://hstspreload.appspot.com/ didn't work?

Last I tried was a few years ago when that didn’t exist, nice that it does exist now.

I wonder what will happen once the preload lists are several billion pages long?

Hopefully by that time we've reached the point where we can deprecate HTTP without TLS and show appropriate warnings in browsers.

> I tried getting my personal blog added, it’s just impossible.

I got my personal blog, which gets less than 100 unique visitors a month, added with no problems at all.

I wanted to edit, but can’t edit anymore, and couldn’t answer comments due to the comment limit until now, but here it is:

Last I tried was a few years ago, when the official stance was "only the top 100 will be added".

1. Target a Windows user older than Windows 7, or any version of IE older than 11, since HSTS is not supported there (RFC section 14.2)

2. Bootstrap MITM vulnerability (RFC section 14.6)

3. NTP attacks (RFC section 14.7) [1]

4. Send RSTs on all HTTPS traffic. Eventually the user will get fed up with the website not working and try plain HTTP on a different browser/client which doesn't have the HSTS policy cached.

4.1. After the new client connects, force some kind of error or warning on the connection, but still allow it to continue, and use SSL stripping for any initial plaintext connections. HSTS will not be set if any warnings or errors are found on the connection. (RFC section 14.3)

5. Phishing: Send non-secure URLs to your target with instructions that if the connection fails, try the same non-secure link on a different browser. (It may be easier to just register a fake-but-similar-sounding domain and give it a valid cert, and send links to that)

5.1. Phishing with a non-secure root domain cert (RFC section 14.8)

6. Develop a method to determine when a client's policy will expire - or just wait - and wait to attack the moment of the next request, which will [potentially] be in plain HTTP.

7. Invalid configuration, such as forgetting to include the 'includeSubDomains' flag.

8. Internationalized domain names (RFC section 14.10)

Pre-loaded HSTS lists are affected with some of the above attacks, and public-key lists are affected eventually because eventually you need to rotate a key.

[1] https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-By...


These are just the ten identified attacks so far, and they all stem from the design itself, which allows MITM on first connection or policy expiration. If your whole security feature is designed to allow MITM even once, it is guaranteed to happen at least once. This is why it's a well-intentioned bad hack.

The solution was - and still is - to design a protocol which will never allow insecure connections. This could be accomplished by forking SPDY or HTTP2.0 and naming the new protocol "SECURE", and passing out URLs like 'secure://google.com/'. This way it would be totally obvious to both the user and the browser that the connection should only ever be made using at least a valid signed cert, and HSTS would never be needed (but public-key pinning would still be needed). Mandatory DNS-based security would improve this further.

This almost happened with HTTP/2, but nobody proposed the new protocol name. Terrible missed opportunity.

None of these are an argument against HSTS. They are ways you can attack DESPITE it, IF you put in the extra effort or have specific favorable circumstances.

The only way your proposed solution (secure-only protocol) avoids your identified design flaw (non-secure connections are sometimes possible) is if everyone immediately switches it and retires HTTP. That's not going to happen.

Considering a number of your attacks rely on the user not looking at the site security level (or in some cases, even at the domain name spelling), I find it curious that you think another visual indicator will make a difference.

The argument against is it's a false sense of security.

And no, you don't have to retire http. and no, we don't have to switch to it immediately. You can simply add it as a new protocol and begin educating users.

No user that I personally know has ever been trained to identify markers on a browser, or the difference between 'http' and 'https'. It's all too complicated... What, is that a padlock? A check mark? Green? Blue? Yellow? What does "ache tee tee pee ess" mean anyway?

But what is very simple and intuitive is the word "secure". Just make sure the first word is "secure". It even rhymes!

You think users cannot be trained to recognize a green padlock, but they'll know to look for "secure://"? That seems a bit ... far-fetched.

Why "secure"? Why not "anquan"? Google tells me that is the Chinese word for secure and since there are about 3 times as many Chinese speakers in the world than English, shouldn't we be considering them first? Or maybe we should consider Spanish first?

A 'secure:' scheme sounds good, but I don't see how would it solve (1), (2), (5), (5.1) and (8); the scheme can't protect you if the attackers can switch it out or send the user to a domain they control.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact