Implementation State of HSTS and HPKP in Both Browsers and Servers

  • Sergio de los Santos
  • Carmen Torrano
  • Yaiza Rubio
  • Félix Brezo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10052)

Abstract

HSTS and HPKP are relatively recent protocols aimed to enforce HTTPS connections and allow certificate pinning over HTTP. The combination of these protocols improves and strengthens HTTPS security in general, adding an additional layer of trust and verification, as well as ensuring as far as possible that the connection is always secure. However, the adoption and implementation of any protocol that is not yet completely settled, usually involves the possibility of introducing new weaknesses, opportunities or attack scenarios. Even when these protocols are implemented, bad practices prevent them from actually providing the additional security they are expected to provide. In this document, we have studied the quantity and the quality of the implementation both in servers and in most popular browsers and discovered some possible attack scenarios.

Keywords

Certificates HPKP HSTS Web browsing Privacy 

References

  1. 1.
    Rizzo, J., Duong, T.: BEAST. Ekoparty (2011)Google Scholar
  2. 2.
    Mller, B., Duong, T., Kotowicz, K.: This POODLE bites: exploiting the SSL 3.0 fallback (2014). https://www.openssl.org/~bodo/ssl-poodle.pdf. REPASAR
  3. 3.
    Rizzo, J., Duong, T.: The CRIME Attack. Ekoparty (2012)Google Scholar
  4. 4.
    Codenomicon: The Heartbleed Bug. Ekoparty (2014)Google Scholar
  5. 5.
    Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti, A., Strub, P.: Triple handshakes and cookie cutters: breaking and fixing authentication over TLS. In: IEEE Symposium on Security and Privacy (2014)Google Scholar
  6. 6.
    Jia, Y., Chen, Y., Dong, X., Saxena, P., Mao, J., Liang, Z.: Man-in-the-browser-cache: persisting HTTPS attacks via browser cache poisoning. Comput. Secur. 55, 62–80 (2015)CrossRefGoogle Scholar
  7. 7.
    Marlinspike, M.: New Tricks for Defeating SSL in Practice. BlackHat (2009). http://www.thoughtcrime.org/software/sslstrip/
  8. 8.
    Paul, I.: Firefox Add-on Firesheep Brings Hacking to the Masses. PCWorld (2010)Google Scholar
  9. 9.
    Mandalia, R.: Security Breach in CA Networks - Comodo, DigiNotar, GlobalSign. \(ISC^2\) Blog (2012). http://blog.isc2.org/isc2_blog/2012/04/test.html
  10. 10.
    Langley, A.: Further improving digital certificate security. Google Security Blog (2013). https://security.googleblog.com/2013/12/further-improving-digital-certificate.html
  11. 11.
    Langley, A.: Maintaining digital certificate security. Google Security Blog (2014). https://security.googleblog.com/2014/07/maintaining-digital-certificate-security.html
  12. 12.
    Hoffman, P.: The DNS-Based Authentication of Named Entities (DANE). Transport Layer Security (TLS) Protocol: TLSA. https://www.rfc-editor.org/rfc/rfc6698.txt
  13. 13.
    Marlinspike, M., Perrin, T.: Tacks. http://tack.io/draft.html
  14. 14.
  15. 15.
    Wendlandt, D., Andersen, D., Perrig, A.: Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing (2008). http://static.usenix.org/event/usenix08/tech/full_papers/wendlandt/wendlandt_html/
  16. 16.
    Marlinspike, M.: Convergence (2011). http://convergence.io/
  17. 17.
    Yan: Weird New Tricks for Browser Fingerprinting (2015). https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf
  18. 18.
    Internet Engineering Task Force (IETF): HTTP Strict Transport Security (HSTS). RFC 6797(2012). https://tools.ietf.org/html/rfc6797
  19. 19.
    Internet Engineering Task Force (IETF): Public Key Pinning Extension for HTTP. RFC 7469(2015). https://tools.ietf.org/html/rfc7469
  20. 20.
    Internet Engineering Task Force (IETF): Certificate Transparency (2013). https://tools.ietf.org/html/rfc6962
  21. 21.
    Garron, L., Bortz, A., Boneh, D.: The State of HSTS Deployment: A Survey and Common Pitfalls (2014)Google Scholar
  22. 22.
    Kranch, M., Bonneau, J.: Upgrading HTTPS in mid-air: an empirical study of strict transport security and key pinning. In: Network and Distributed System Security Symposium (NDSS) (2015)Google Scholar
  23. 23.
    Selvi, J.: Bypassing HTTP Strict Transport Security. BlackHat Europe (2014)Google Scholar
  24. 24.
  25. 25.
    Shodan: Shodan. http://www.shodan.io
  26. 26.
    Alexa internet Inc: Alexa. http://www.alexa.com/
  27. 27.
    Deveria, A.: Can I use Strict Transport Security? (2016). http://caniuse.com/#feat=stricttransportsecurity
  28. 28.
  29. 29.
    Bugzilla: Bugzilla@Mozilla (2014). https://bugzilla.mozilla.org/show_bug.cgi?id=775370
  30. 30.
  31. 31.
  32. 32.
    Deveria, A.: Can I Use Public Key Pinning (2015). http://caniuse.com/#feat=publickeypinning
  33. 33.
    Deveria, A.: Can I use HSTS? (2015). http://caniuse.com/#search=HSTS
  34. 34.
    Nishimura, M.: Appended period to hostnames can bypass HPKP and HSTS protections. https://www.mozilla.org/en-US/security/advisories/mfsa2015-13/

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Sergio de los Santos
    • 1
  • Carmen Torrano
    • 1
  • Yaiza Rubio
    • 1
  • Félix Brezo
    • 1
  1. 1.Telefonica Digital, Ronda de la ComunicaciónMadridSpain

Personalised recommendations