HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against
man-in-the-middle attack
In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle, monkey-in-the-middle, meddler-in-the-middle, manipulator-in-the-middle (MITM), person-in-the-middle (PITM) or adversary-in-the-middle (AiTM) ...
s such as
protocol downgrade attacks
and
cookie hijacking. It allows
web server
A web server is computer software and underlying hardware that accepts requests via HTTP (the network protocol created to distribute web content) or its secure variant HTTPS. A user agent, commonly a web browser or web crawler, initiate ...
s to declare that
web browsers
A web browser is application software for accessing websites. When a User (computing), user requests a web page from a particular website, the browser retrieves its Computer file, files from a web server and then displays the page on the user' ...
(or other complying
user agent
In computing, a user agent is any software, acting on behalf of a user, which "retrieves, renders and facilitates end-user interaction with Web content". A user agent is therefore a special kind of software agent.
Some prominent examples of us ...
s) should automatically interact with it using only
HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is enc ...
connections, which provide
Transport Layer Security
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securi ...
(TLS/SSL), unlike the insecure
HTTP
The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, ...
used alone. HSTS is an
IETF
The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...
standards Standard may refer to:
Symbols
* Colours, standards and guidons, kinds of military signs
* Standard (emblem), a type of a large symbol or emblem used for identification
Norms, conventions or requirements
* Standard (metrology), an object th ...
track protocol and is specified in .
The HSTS Policy is communicated by the server to the user agent via an HTTP response
header field named "
Strict-Transport-Security
". HSTS Policy specifies a period of time during which the
user agent
In computing, a user agent is any software, acting on behalf of a user, which "retrieves, renders and facilitates end-user interaction with Web content". A user agent is therefore a special kind of software agent.
Some prominent examples of us ...
should only access the server in a secure fashion.
[ ] Websites using HSTS often do not accept clear text HTTP, either by rejecting connections over HTTP or systematically redirecting users to HTTPS (though this is not required by the specification). The consequence of this is that a user-agent not capable of doing TLS will not be able to connect to the site.
The protection only applies after a
user
Ancient Egyptian roles
* User (ancient Egyptian official), an ancient Egyptian nomarch (governor) of the Eighth Dynasty
* Useramen, an ancient Egyptian vizier also called "User"
Other uses
* User (computing), a person (or software) using an ...
has visited the site at least once, relying on the principle of
Trust on first use
Trust on first use (TOFU), or trust upon first use (TUFU), is an authentication scheme used by client software which needs to establish a trust relationship with an unknown or not-yet-trusted endpoint. In a TOFU model, the client will try to look ...
. The way this protection works is that a user entering or selecting a URL to the site that specifies HTTP, will automatically upgrade to HTTPS, without making an HTTP request, which prevents the HTTP man-in-the-middle attack from occurring.
Specification history
The HSTS specification was published as RFC 6797 on 19 November 2012 after being approved on 2 October 2012 by the
IESG
The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...
for publication as a
Proposed Standard
In computer network engineering, an Internet Standard is a normative specification of a technology or methodology applicable to the Internet. Internet Standards are created and published by the Internet Engineering Task Force (IETF). They allow ...
RFC
RFC may refer to:
Computing
* Request for Comments, a memorandum on Internet standards
* Request for change, change management
* Remote Function Call, in SAP computer systems
* Rhye's and Fall of Civilization, a modification for Sid Meier's Civ ...
.
The authors originally submitted it as an
Internet Draft
An Internet Draft (I-D) is a document published by the Internet Engineering Task Force (IETF) containing preliminary technical specifications, results of networking-related research, or other technical information. Often, Internet Drafts are int ...
on 17 June 2010. With the conversion to an Internet Draft, the specification name was altered from "Strict Transport Security" (STS) to "HTTP Strict Transport Security", because the specification applies only to
HTTP
The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, ...
. The HTTP response header field defined in the HSTS specification however remains named "Strict-Transport-Security".
The last so-called "community version" of the then-named "STS" specification was published on 18 December 2009, with revisions based on community feedback.
The original draft specification by Jeff Hodges from
PayPal
PayPal Holdings, Inc. is an American multinational financial technology company operating an online payments system in the majority of countries that support online money transfers, and serves as an electronic alternative to traditional paper ...
, Collin Jackson, and Adam Barth was published on 18 September 2009.
The HSTS specification is based on original work by Jackson and Barth as described in their paper "ForceHTTPS: Protecting High-Security Web Sites from Network Attacks".
Additionally, HSTS is the realization of one facet of an overall vision for improving web security, put forward by Jeff Hodges and Andy Steingruebl in their 2010 paper ''The Need for Coherent Web Security Policy Framework(s)''.
HSTS mechanism overview
A server implements an HSTS policy by supplying a header over an HTTPS connection (HSTS headers over HTTP are ignored).
For example, a server could send a header such that future requests to the domain for the next year (max-age is specified in seconds; 31,536,000 is equal to one non-leap year) use only HTTPS:
Strict-Transport-Security: max-age=31536000
.
When a web application issues HSTS Policy to user agents, conformant user agents behave as follows (
RFC 6797):
# Automatically turn any insecure links referencing the web application into secure links (e.g.
http://example.com/some/page/
will be modified to
https://example.com/some/page/
accessing the server).
# If the security of the connection cannot be ensured (e.g. the server's
TLS certificate is not trusted), the user agent must terminate the connection (RFC 6797 section 8.4, Errors in Secure Transport Establishment) and should not allow the user to access the web application (section 12.1, No User Recourse).
The HSTS Policy helps protect web application users against some passive (
eavesdropping
Eavesdropping is the act of secretly or stealthily listening to the private conversation or communications of others without their consent in order to gather information.
Etymology
The verb ''eavesdrop'' is a back-formation from the noun ''eaves ...
) and active network
attacks.
A
man-in-the-middle attack
In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle, monkey-in-the-middle, meddler-in-the-middle, manipulator-in-the-middle (MITM), person-in-the-middle (PITM) or adversary-in-the-middle (AiTM) ...
er has a greatly reduced ability to intercept requests and responses between a user and a web application server while the user's browser has HSTS Policy in effect for that web application.
Applicability
The most important security vulnerability that HSTS can fix is SSL-stripping
man-in-the-middle attack
In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle, monkey-in-the-middle, meddler-in-the-middle, manipulator-in-the-middle (MITM), person-in-the-middle (PITM) or adversary-in-the-middle (AiTM) ...
s, first publicly introduced by
Moxie Marlinspike
Moxie Marlinspike is an American entrepreneur, cryptographer, and computer security researcher. Marlinspike is the creator of Signal, co-founder of the Signal Technology Foundation, and served as the first CEO of Signal Messenger LLC. He is als ...
in his 2009 BlackHat Federal talk "New Tricks For Defeating SSL In Practice". The SSL (and
TLS) stripping attack works by transparently converting a secure
HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is enc ...
connection into a plain HTTP connection. The user can see that the connection is insecure, but crucially there is no way of knowing whether the connection ''should'' be secure. At the time of Marlinspike's talk, many websites did not use TLS/SSL, therefore there was no way of knowing (without prior knowledge) whether the use of plain HTTP was due to an attack, or simply because the website hadn't implemented TLS/SSL. Additionally, no warnings are presented to the user during the downgrade process, making the attack fairly subtle to all but the most vigilant. Marlinspike's sslstrip tool fully automates the attack.
HSTS addresses this problem
by informing the browser that connections to the site should always use TLS/SSL. The HSTS header can be stripped by the attacker if this is the user's first visit.
Google Chrome
Google Chrome is a cross-platform web browser developed by Google. It was first released in 2008 for Microsoft Windows, built with free software components from Apple WebKit and Mozilla Firefox. Versions were later released for Linux, macOS ...
,
Mozilla Firefox
Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current and a ...
,
Internet Explorer
Internet Explorer (formerly Microsoft Internet Explorer and Windows Internet Explorer, commonly abbreviated IE or MSIE) is a series of graphical user interface, graphical web browsers developed by Microsoft which was used in the Microsoft Wind ...
and
Microsoft Edge
Microsoft Edge is a proprietary, cross-platform web browser created by Microsoft. It was first released in 2015 as part of Windows 10 and Xbox One and later ported to other platforms as a fork of Google's Chromium open-source project: Android ...
attempt to limit this problem by including a "pre-loaded" list of HSTS sites.
Unfortunately this solution cannot scale to include all websites on the internet. See
limitations Limitation may refer to:
*A disclaimer for research done in an experiment or study
*A Statute of limitations
A statute of limitations, known in civil law systems as a prescriptive period, is a law passed by a legislative body to set the maximum ...
, below.
HSTS can also help to prevent having one's
cookie-based website login credentials stolen by widely available tools such as
Firesheep
Firesheep was an extension for the Firefox web browser that used a packet sniffer to intercept unencrypted session cookies from websites such as Facebook and Twitter. The plugin eavesdropped on Wi-Fi communications, listening for session cookies. ...
.
Because HSTS is time limited, it is sensitive to attacks involving shifting the victim's computer time e.g. using false
NTP packets.
Limitations
The initial request remains unprotected from active attacks if it uses an insecure protocol such as plain HTTP or if the
URI Uri may refer to:
Places
* Canton of Uri, a canton in Switzerland
* Γri, a village and commune in Hungary
* Uri, Iran, a village in East Azerbaijan Province
* Uri, Jammu and Kashmir, a town in India
* Uri (island), an island off Malakula Islan ...
for the initial request was obtained over an
insecure channel
In cryptography, a secure channel is a means of data transmission that is resistant to overhearing and tampering. A confidential channel is a means of data transmission that is resistant to overhearing, or eavesdropping (e.g., reading the conten ...
.
The same applies to the first request after the activity period specified in the advertised HSTS Policy
max-age
(sites should set a period of several days or months depending on user activity and behavior).
Google Chrome
Google Chrome is a cross-platform web browser developed by Google. It was first released in 2008 for Microsoft Windows, built with free software components from Apple WebKit and Mozilla Firefox. Versions were later released for Linux, macOS ...
,
Mozilla Firefox
Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current and a ...
and
Internet Explorer
Internet Explorer (formerly Microsoft Internet Explorer and Windows Internet Explorer, commonly abbreviated IE or MSIE) is a series of graphical user interface, graphical web browsers developed by Microsoft which was used in the Microsoft Wind ...
/
Microsoft Edge
Microsoft Edge is a proprietary, cross-platform web browser created by Microsoft. It was first released in 2015 as part of Windows 10 and Xbox One and later ported to other platforms as a fork of Google's Chromium open-source project: Android ...
address this limitation by implementing a "HSTS preloaded list", which is a list that contains known sites supporting HSTS.
This list is distributed with the browser so that it uses HTTPS for the initial request to the listed sites as well. As previously mentioned, these pre-loaded lists cannot scale to cover the entire Web. A potential solution might be achieved by using
DNS
The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to ...
records to declare HSTS Policy, and accessing them securely via
DNSSEC
The Domain Name System Security Extensions (DNSSEC) are a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol ...
, optionally with certificate fingerprints to ensure validity (which requires running a validating resolver to avoid
last mile issues).
Junade Ali
Junade Ali is a British computer scientist known for research in cybersecurity.CEng registration number ''673221''. https://www.engc.org.uk/regcheck
Ali studied for a Master of Science degree aged 17 and was awarded Chartered Engineer status b ...
has noted that HSTS is ineffective against the use of phony domains; by using DNS-based attacks, it is possible for a Man-in-the-Middle interceptor to serve traffic from an artificial domain which is not on the HSTS Preload list,
this can be made possible by DNS Spoofing Attacks, or simply a domain name that misleadingly resembles the real domain name such as ''www.example.org'' instead of ''www.example.com''.
Even with an "HSTS preloaded list", HSTS can't prevent advanced attacks against TLS itself, such as the
BEAST or
CRIME
In ordinary language, a crime is an unlawful act punishable by a State (polity), state or other authority. The term ''crime'' does not, in modern criminal law, have any simple and universally accepted definition,Farmer, Lindsay: "Crime, definit ...
attacks introduced by Juliano Rizzo and Thai Duong. Attacks against TLS itself are
orthogonal
In mathematics, orthogonality is the generalization of the geometric notion of ''perpendicularity''.
By extension, orthogonality is also used to refer to the separation of specific features of a system. The term also has specialized meanings in ...
to HSTS policy enforcement. Neither can it protect against attacks on the server - if someone compromises it, it will happily serve any content over TLS.
See for a discussion of overall HSTS security considerations.
Privacy issues
HSTS can be used to near-indelibly tag visiting browsers with recoverable identifying data (
supercookies) which can persist in and out of browser "
incognito
Incognito is an English adjective meaning "in disguise", "having taken steps to conceal one's identity".
Incognito may also refer to:
Film and television
* ''Incognito'' (1937 film), a Danish film
* ''Incognito'' (1997 film), an American crime ...
" privacy modes. By creating a web page that makes multiple HTTP requests to selected domains, for example, if twenty browser requests to twenty different domains are used, theoretically over one million visitors can be distinguished (2
20) due to the resulting requests arriving via HTTP vs. HTTPS; the latter being the previously recorded binary "bits" established earlier via HSTS headers.
Browser support
*
Chromium
Chromium is a chemical element with the symbol Cr and atomic number 24. It is the first element in group 6. It is a steely-grey, lustrous, hard, and brittle transition metal.
Chromium metal is valued for its high corrosion resistance and hardne ...
and
Google Chrome
Google Chrome is a cross-platform web browser developed by Google. It was first released in 2008 for Microsoft Windows, built with free software components from Apple WebKit and Mozilla Firefox. Versions were later released for Linux, macOS ...
since version 4.0.211.0
*
Firefox
Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current and ...
since version 4;
with Firefox 17,
Mozilla
Mozilla (stylized as moz://a) is a free software community founded in 1998 by members of Netscape. The Mozilla community uses, develops, spreads and supports Mozilla products, thereby promoting exclusively free software and open standards, wi ...
integrates a list of websites supporting HSTS.
*
Opera
Opera is a form of theatre in which music is a fundamental component and dramatic roles are taken by singers. Such a "work" (the literal translation of the Italian word "opera") is typically a collaboration between a composer and a librett ...
since version 12
*
Safari
A safari (; ) is an overland journey to observe wild animals, especially in eastern or southern Africa. The so-called "Big Five" game animals of Africa β lion, leopard, rhinoceros, elephant, and Cape buffalo β particularly form an importa ...
since
OS X Mavericks
OS X Mavericks (version 10.9) is the 10th major release of macOS, Apple Inc.'s desktop and server operating system for Macintosh computers. OS X Mavericks was announced on June 10, 2013, at WWDC 2013, and was released on October 22, 2013, worl ...
(version 10.9, late 2013)
*
Internet Explorer 11
Internet Explorer 11 (IE11) is the eleventh, final, and now deprecated version of the Internet Explorer web browser. It was initially included in the release of Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2 on October 17, 2013, and was ...
on
Windows 8.1
Windows 8.1 is a release of the Windows NT operating system developed by Microsoft. It was released to manufacturing on August 27, 2013, and broadly released for retail sale on October 17, 2013, about a year after the retail release of its pre ...
and
Windows 7
Windows 7 is a major release of the Windows NT operating system developed by Microsoft. It was released to manufacturing on July 22, 2009, and became generally available on October 22, 2009. It is the successor to Windows Vista, released nearly ...
wit
KB3058515installed (Released as a Windows Update in June 2015)
*
Microsoft Edge
Microsoft Edge is a proprietary, cross-platform web browser created by Microsoft. It was first released in 2015 as part of Windows 10 and Xbox One and later ported to other platforms as a fork of Google's Chromium open-source project: Android ...
and
Internet Explorer 11
Internet Explorer 11 (IE11) is the eleventh, final, and now deprecated version of the Internet Explorer web browser. It was initially included in the release of Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2 on October 17, 2013, and was ...
on
Windows 10
Windows 10 is a major release of Microsoft's Windows NT operating system. It is the direct successor to Windows 8.1, which was released nearly two years earlier. It was released to manufacturing on July 15, 2015, and later to retail on J ...
*
BlackBerry 10
BlackBerry 10 is a discontinued proprietary mobile operating system for the BlackBerry line of smartphones, both developed by BlackBerry Limited (formerly Research In Motion). BlackBerry 10 is based on QNX, a Unix-like operating system that was o ...
Browser an
WebViewsince BlackBerry OS 10.3.3.
Deployment best practices
Depending on the actual deployment there are certain threats (e.g. cookie injection attacks) that can be avoided by following best practices.
* HSTS hosts should declare HSTS policy at their top-level domain name. For example, an HSTS host at
https://sub.example.com should also answer with the HSTS header at
https://example.com. The header should specify the
includeSubDomains
directive.
* In addition to HSTS deployment, a host for
https://www.example.com should include a request to a resource from
https://example.com to make sure that HSTS for the parent domain is set and protects the user from potential cookie injection attacks performed by a MITM that would inject a reference to the parent domain (or even
http://nonexistentpeer.example.com), which the attacker then would answer.
See also
*
Content Security Policy
Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. It is a C ...
*
.dev TLD - a Google-operated TLD included in the HSTS preload-list by default
*
HTTP Public Key Pinning
References
External links
* β HTTP Strict Transport Security (HSTS)
IETF WebSec Working GroupSecurity Now 262: Strict Transport SecurityOpen Web Application Security Project (OWASP): HSTS descriptionOnline browser HSTS and Public Key Pinning testHSTS Preload Submissionfor Google Chrome, Mozilla Firefox, Safari, IE 11, and Edge
Chromium HSTS Preloaded listStrict-Transport-Securityon
MDN Web Docs
MDN Web Docs, previously Mozilla Developer Network and formerly Mozilla Developer Center, is a documentation repository and learning resource for web developers. It was started by Mozilla in 2005 as a unified place for documentation about open web ...
{{DEFAULTSORT:Http Strict Transport Security
Computer security standards
Cryptography
Strict Transport Security
Transport Layer Security
Web security exploits