Secure HTTPS Protocol – HSTS And HPKP


Modern browsers now warn against unencrypted, i.e., insecure websites, so encrypted Internet traffic has increased immensely. You can further strengthen the security of HTTPS, i.e., encrypted Internet traffic, because various mechanisms have been established in recent years. Not all are harmless in terms of data protection. That’s why in today’s article, we’re going to deal with securing the HTTPS protocol and show you how you can further increase your web security.

Threats On The World Wide Web

Wherever sensitive data is transmitted, SSL or TLS certificates are indispensable. TLS is one of the most secure protocols and has so far held up well against attempted attacks. However, there are dangers, which we now present in more detail:

SSL Stripping – Data Access Before Encryption Begins

Moxie Marlinspike, cryptographer, entrepreneur, security researcher, and co-founder of Signal, presented his sslstrip program at Black Hat in 2009. This is a proxy that is positioned between client and server. The tool explicitly examines the pages delivered by the server for embedded links or redirects that refer to TLS-protected login pages. Such a link is converted to an HTTP link by the tool. Instead of reaching the encrypted login page, the user lands on a page that sends data in plain text. If attackers use sslstrip as an intermediate station, they can read the data without any problems. The user is not aware of this since SSL stripping does not generate a warning message in the browser.

In this case, the bad guy is the small tool sslstrip, which taps the data before it is encrypted. The secure encryption is skipped entirely. SSL and TLS themselves offer the necessary protection: the possibility of intercepting and reading the data packets does not result from a weakness in the protocol; rather, the encryption is prevented from ever starting.

To prevent SSL stripping, website operators can activate encryption for all subpages of the website. It is also essential to redirect incoming HTTP connections to secure HTTPS connections. Ideally, if you use cookies, make sure that they are never sent back via unsecured HTTP connections: by marking cookies with the “Secure” attribute, you ensure that the browser only ever sends them over HTTPS. The IETF standard HSTS can also be helpful; below, we examine this security measure.

MitM Attacks – Intermediary In The Connection

When we speak of man-in-the-middle attacks (MitM attacks), we mean an attack scenario in which the attacker positions themselves between the victim and the resource used by the victim. Marlinspike’s sslstrip program, introduced above, is also a form of MitM attack; in this case, the proxy is the intermediary. For attackers to be successful, they must hide their actions from both the victim and the resource – in our case, client and server. The attacker pretends to be the actual communication partner both to the client and to the server.

With the information intercepted in this way, attackers can launch various actions: identity theft is just as possible as falsifying transactions or stealing intellectual property. Strong end-to-end encryption is one of the most effective measures against man-in-the-middle attacks, because the data is never available in unencrypted form at any point along the route.

HPKP – Double-Check

HTTP public key pinning was introduced as a method to strengthen encryption. It tells the browser which SSL/TLS certificate from the certificate chain is trustworthy. This HTTP protocol extension allows the public keys to be trusted for future encrypted connections to specific hosts to be specified. A client accessing a server only finds out which of the host’s public keys are trustworthy when it first contacts that host (the “trust on first use” procedure). Entries of verified keys are referred to as “pins,” hence the name of the process. Pins can be communicated to the client as an HTTP header and are thus saved for a certain period.

HPKP was introduced to prevent MitM attacks like the ones we described above. The “trust on first use” approach, which sounds sensible, became problematic in practice: the procedure cannot protect the first visit, which is exactly the visit that transmits the pinned keys. The high complexity of the configuration can lead to the long-term lockout of users, and low adoption is a further problem with the method. This led to Google scrapping support for HPKP with Chrome version 72. Others followed this example: HPKP is no longer supported by modern browsers.

CT – Through Transparency To Security

Another measure to make encryption more secure comes from Google and is called Certificate Transparency (CT). You can read about how CT came about and how this measure works in our blog post “Certificate Transparency: essential changes to your TLS certificates.”

Google has taken the implementation seriously: if certification authorities fail to issue certificates in accordance with IETF RFC 6962, Chrome displays a corresponding CT warning when such a website is visited. Ultimately, CT is a public log in which certification authorities must record their activities. Because these entries are cryptographically secured, they cannot be changed retrospectively. In this way, it should be possible to track down the improper use of certificates.

HSTS – Extension For Mandatory Encryption

HSTS is an abbreviation for HTTP Strict Transport Security. This extension tells browsers that they should only use secure, i.e., encrypted, connections to a site for a certain period. Thanks to HSTS, HTTPS encryption is enforced right from the start of a connection, reducing the risk of MitM attacks.

With HSTS, both the server and the browser must fulfill specific tasks: the server responds to requests by sending a Strict-Transport-Security header. This prompts the browser to set up only encrypted sessions for this domain in the future. How long this remains in force is specified in the header as max-age in seconds. Values of one year are usually entered here.
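As an added example (not code from the article), a small Python audit of the countermeasures from the SSL stripping and HSTS sections above: HTTP-to-HTTPS redirects, the Secure cookie attribute, and a Strict-Transport-Security header with a one-year max-age. The response samples and the host example.test are constructed.

```python
ONE_YEAR = 365 * 24 * 3600  # the max-age value the article says is usually entered

def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains' into a directive dict."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives

def audit_response(scheme, status, headers):
    """Return findings for one response. scheme is 'http' or 'https' as requested
    by the client; headers is a list of (name, value) pairs (Set-Cookie may repeat)."""
    findings = []
    lower = [(n.lower(), v) for n, v in headers]
    location = next((v for n, v in lower if n == "location"), "")
    # 1. A plain-HTTP request must be redirected to HTTPS, not answered with content.
    redirected = status in (301, 302, 307, 308) and location.lower().startswith("https://")
    if scheme == "http" and not redirected:
        findings.append("HTTP request not redirected to HTTPS (sslstrip target)")
    # 2. Every cookie needs the Secure attribute so the browser never sends it over HTTP.
    for n, v in lower:
        if n == "set-cookie":
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(f"cookie without Secure attribute: {v.split('=')[0]}")
    # 3. HSTS: browsers only honour the header over TLS, and max-age should be about a year.
    hsts = next((v for n, v in lower if n == "strict-transport-security"), None)
    if scheme == "https":
        if hsts is None:
            findings.append("no Strict-Transport-Security header")
        else:
            age = parse_hsts(hsts).get("max-age", "")
            if not age.isdigit():
                findings.append("HSTS max-age missing or not numeric")
            elif int(age) < ONE_YEAR:
                findings.append(f"HSTS max-age {age}s is below one year")
    return findings

# Constructed sample responses: a weak server, a correct redirect, and a hardened origin.
WEAK = ("http", 200, [("Content-Type", "text/html"),
                      ("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
HARDENED_REDIRECT = ("http", 301, [("Location", "https://example.test/login")])
HARDENED = ("https", 200, [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                           ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")])
```

Running audit_response over the three samples reports the missing redirect and the insecure cookie for WEAK and nothing for the two hardened responses.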

HSTS has established itself: Facebook, Google, Twitter, and PayPal, among others, use this extension. However, there is a problem with data protection: for the user’s browser to remember which sites use HSTS, entries similar to cookies are stored in browser databases. Because of the protective function of HSTS, these records are also active in private mode, so that visited sites can check them. This is precisely where the danger lies, because it makes HSTS an efficient user tracking method. HSTS entries are therefore referred to as so-called SuperCookies.

Countermeasures against this tracking are meant to prevent it without reducing the protective effect of HSTS. All modern browsers support HSTS, so this extension – used correctly and defused as a SuperCookie – can further strengthen security on the Internet.

Securing The HTTPS Protocol

As you can see, there are threats on the World Wide Web that are not easy to deal with. Encryption significantly increases security on the Internet. Properly implemented and sensibly configured encryption remains very hard to crack. Nevertheless, some criminals are not intimidated by this and use MitM attacks to bypass encryption. Enforced encryption using HSTS can help. Unfortunately, HSTS has to contend with data protection problems, but tracking with HSTS entries as SuperCookies can be easily prevented. While HPKP only existed briefly, CT creates a trustworthy environment.
