Search This Blog

Wednesday 29 October 2014

Eliminate HTTP Man-In-The-Middle attacks with HSTS

The most prolific Internet Protocol (ok, maybe aside from mail) is HTTP, or common Web traffic, between end user browsers and web servers.  However, it is also one of the most insecure. Setting up a man-in-the-middle attack has been proven quite trivial, and leaves both the end user and the web service vulnerable to attack.

From OWASP.ORG

What this means in layman's terms, is that an attacker could set up a computer system in such a way that they pretend to be the website you are hoping to visit. Everything *looks* legitimate, and they pass your traffic back and forth to the real site, keeping copies of everything, including sensitive information.  They could potentially even alter information on your behalf. 


HTTPS, was born out of the need to secure Web transactions.  Basically it wraps standard HTTP traffic in an SSL/TLS tunnel, thus preventing  eavesdropping and tampering.

The problem is, that most web servers will initially establish an HTTP session, and if secure communications is required (ie: Banking, medical, personal information, etc..) then the web server will re-direct your browser to the HTTPS version. 

But even here, a cunning hacker could set up an SSL proxy using a  "self signed SSL certificate" and pretend to be the official site. You would connect to the HTTP version, the attacker would redirect you to THEIR SSL service, and then connect you with the official site. 

Many of you are now screaming at me:
"Modern browsers WARN the user that they do not trust Self Signed Certificates" 




The sad news is that most people ignore these warnings, do not read them fully and click through to accept the certificate.

HSTS: HTTP Strict-Transport-Security was developed to remediate this issue. It basically sends information from a web server to the users browser that FORCES an HTTPS secure connection the next and subsequent times that the user goes to that site.   Even if the user types HTTP:// and the site name, they are forced to the HTTPS variant.  ALSO, if the certificate is self signed, revoked, or expired, HSTS will terminate the session. 

A Web server configured for HSTS would supply a header over an HTTPS connection to the browser.  Current browsers are designed to understand and keep this header for future use. When the site is revisited, it will force a HTTPS redirection from the browser.  Also, if the certificate is untrusted, aconnection WILL NOT be established.

This HSTS Policy helps protect web traffic against eavesdropping and most man-in-the-middle attacks.


I highly recommend that you adopt HSTS for both your External as well as your Internal web servers to further reduce your threat landscape.




References:

EITF: RFC6797 - HTTP Strict Transport Security (HSTS)
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
Configure HSTS (HTTP Strict Transport Security) for Apache/Nginx
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
https://www.owasp.org/index.php/Man-in-the-middle_attack 
http://en.wikipedia.org/wiki/Man-in-the-middle_attack 
Hack Like a Pro: How to Conduct a Simple Man-in-the-Middle Attack
https://www.owasp.org/index.php/Man-in-the-middle_attack
US CERT: Understanding Web Site Certificates
How is it possible that people observing an HTTPS connection being established wouldn't know how to decrypt it?

No comments:

Post a Comment