Archive for October, 2010

Firesheep and HSTS (HTTP Strict Transport Security)

Friday, October 29th, 2010

Firesheep, released earlier this week, is a Firefox add-on that enables one to easily capture HTTP application session cookies from other users communications with specific popular sites. The problem it exploits is that many sites protect the initial reusable shared password-based authentication with TLS/SSL, but then revert further communication to unsecured HTTP. This exposes any application session cookies employed by the site, and returned by users’ browsers to the site on every request, to capture and replay by an attacker. This enables one to hang out on a local network, your favorite coffee shop for instance, and hijack others’ interactions with various social networking sites and retailers, for example.

This particular class of typical website vulnerability has been known for ages, as well as techniques for addressing it. For example, websites can simply offer their entire site over TLS/SSL (i.e. via “HTTPS“), as PayPal does. Some sites do so, but for whatever reason still revert users communications to unsecured HTTP by default, or some portion of their communications remain unsecured. However, if one can configure one’s browser to only securely interact with some given site (i.e. domain), and if the site supports this, then Problem Largely Solved. See, for example, Collin Jackson and Adam Barth‘s paper, ForceHTTPS: Protecting High-Security Web Sites from Network Attacks, for a description of this class of vulnerabilities, attacks, and remediation approaches.

I’ve been working with Collin and Adam on standardizing ForceHTTPS — their paper was the inspiration for the HTTP Strict Transport Security (HSTS) work and the present Internet-Draft specification thereof, and thus the HSTS implementations presently available in Firefox 3.x (via the Force-TLS and NoScript plugins), natively in Firefox 4 beta 6 and later, and natively in Chrome 4 and later. There’s also the HTTPS-Everywhere extension from the EFF that comes pre-loaded with a list of sites to use only via HTTPS, and is configurable such that one can add more (unfortunately it doesn’t support HSTS apparently)..

Now, HSTS is a website security policy that in typical cases, sites will explicitly signal to browsers (via an HTTP request header field), as PayPal presently does. However, this week, Sid Stamm, who authored the Firefox v3 HSTS add-on (Force-TLS) and native implementation, conzed-up a new Firefox v4 add-on, STS UI (Strict Transport Security User Interface), that allows one to configure one’s browser to regard given sites as HSTS sites, even if they don’t signal it. This also addresses the Bootstrap MITM Vulnerability noted in the HSTS draft spec.

Note that Chrome features “Preloaded HSTS sites”, and that NoScript (FF v3 & v4), HTTPS-Everywhere (FFv3), and Force-TLS (FFv3) all facilitate user configuration of HTTPS-only sites.

We’ll be working in the new IETF WebSec working group to finish the HSTS draft spec and get it published as an RFC, hopefully before too much of 2011 is gone. I’ll try to keep you all updated on that.

In the meantime, =JeffH sez be careful with your web logins :)

updated 31-Oct-2010: Added NoScript and HTTPS-Everywhere. Apologies to Giorgio and the EFF for not including them straight away.

HSTS implemented in Firefox 4 and Chrome

Thursday, October 28th, 2010

In terms of HSTS implementations, it’s now been implemented in the mainline Firefox code by Sid Stamm, and is supported in the Firefox 4 beta 6 and later. Note that HSTS is already a feature in Google Chrome as of version 4.

=JeffH sez check it out 😉

HTTP Strict Transport Security and the IETF WebSec Working Group

Thursday, October 28th, 2010

The HTTP Strict Transport Security (HSTS) spec is now an IETF Internet-Draft, and available here (for now; more about that below):

We had a successful “HASMAT” (for “HTTP Application Security Minus Authentication & Transport”) BoF at IETF-78 Maastricht last July, which has resulted in the formation of a new IETF Working Group: WebSec. Plus, the HSTS spec, and two others, were adopted as working group items.


So this means I need to get off my butt and edit the HSTS spec such that it’s a proper “working group (internet-)draft” and get it published….

The Need for a Coherent Web Security Policy Framework

Thursday, October 28th, 2010

Back in May (apologies for latency, we’ve had a busy summer/fall), Andy Steingruebl and I presented our paper, “The Need for a Coherent Web Security Policy Framework” (slides), at the Web 2.0 Security and Privacy 2010 Workshop. It seemed to be relatively well received (the abstract is below). There were a number of interesting papers at the workshop, browsing the workshop pages is encouraged :)

Since then, we’ve been waving our paper around and pursuing the action items outlined therein with some modest success, which I’ll outline in subsequent posts.

=JeffH sez check it out…


Web-based malware and attacks are proliferating rapidly on the Internet. New web security mechanisms are also rapidly growing in number, although in an incoherent fashion. In this position paper, we give a brief overview of the ravaged web security landscape, and the various seemingly piece-wise approaches being taken to mitigate the threats. We then propose that with some cooperation, we can likely architect approaches that are more easily wielded and provide extensibility for the future. We provide thoughts on where and how to begin coordinating the work.