After an entire website has moved to HTTPS, a user who manually types the site's HTTP address, or follows an HTTP link to it from elsewhere, usually reaches the HTTPS service only through the server's 301/302 redirect. That first HTTP request can be hijacked so that it never reaches the server, which constitutes an HTTPS downgrade attack. This problem can currently be solved with HSTS (HTTP Strict Transport Security, RFC 6797).

Introduction to HSTS

HSTS (HTTP Strict Transport Security) is an Internet security policy mechanism published by the Internet Engineering Task Force (IETF). A website that adopts the HSTS policy ensures that the browser always connects to the HTTPS (encrypted) version of the site, without the user having to type the encrypted address into the address bar, which reduces the risk of session hijacking.
HSTS response header format
HSTS Preload List

Although HSTS effectively defeats HTTPS downgrade attacks, it cannot prevent the first HTTP request, made before HSTS takes effect, from being hijacked. To address this, browser vendors proposed the HSTS Preload List: a list built into the browser and updated regularly; domain names on the list are accessed over HTTPS even if the user has never visited them before. The Preload List is currently maintained by Google Chrome and is used by Chrome, Firefox, Safari, IE 11 and Microsoft Edge. To have your domain name added to the list, you must first meet the following conditions: Have a valid certificate (if using a SHA-1 certificate, the expiration date must be earlier than 2016);
Even if all the above conditions are met, your domain may still not be included in the HSTS Preload List. For more information, see https://hstspreload.org/. Chrome's chrome://net-internals/#hsts tool lets you check whether a website is in the Preload List and also lets you manually add a domain name to the browser's local HSTS list.

HSTS Disadvantages

HSTS is not a perfect solution to HTTP session hijacking. The first time a user visits a website, it is not yet protected by HSTS, because the browser has not received the HSTS header yet, so the site may still be reached over plaintext HTTP. If a user accesses an HSTS-protected website via HTTP, downgrade hijacking may occur in the following situations:
There are currently two solutions to this problem:
Other possible problems

Because an HSTS policy expires after a certain period (the validity period is specified by max-age), whether the browser enforces the policy depends on the current system time. Most operating systems update the system time frequently through the Network Time Protocol (NTP): Ubuntu, for example, does so every time it connects to the network, and OS X Lion automatically contacts the time server every 9 minutes. An attacker can bypass HSTS by forging NTP responses to set a wrong time. The countermeasure is to authenticate NTP information or to forbid NTP from moving the clock forward or backward by large amounts. Windows 8, for example, updates the time every 7 days and requires that the time set by NTP differ from the current time by no more than 15 hours.

HSTS-supported browsers

Mainstream browsers already support HSTS. For details, see the following list:
HSTS deployment

A server enables HSTS by returning the Strict-Transport-Security field in the HTTP response header when the client makes a request over HTTPS; an HSTS field sent over an unencrypted connection is invalid. The best place to deploy it is the point closest to the user: if the architecture has a front-end reverse proxy in front of the back-end web servers, configure HSTS at the front-end proxy. Otherwise, configure it at the web server layer. If the web server has no explicit HSTS support, use its generic mechanism for adding response headers. If all else fails, add HSTS at the application layer. HSTS is easy to enable: just add the following information to the response header:
Strict-Transport-Security is the name of the header field; max-age is how long (in seconds) the HSTS policy remains in effect on the client; includeSubdomains makes it effective for all subdomains; preload requests inclusion in the domain name list built into the browser. An HSTS policy can only be set in an HTTPS response, the website must use the default port 443, and it must be addressed by domain name, not by IP address. HTTP therefore needs to be redirected to HTTPS. If the HSTS header were honoured in a plaintext response, a man-in-the-middle attacker could perform a denial-of-service attack against a normal site by injecting HSTS information into it.

Enabling HSTS on Apache
Restart Apache service
Enable HSTS on Nginx
Restart Nginx service
Enabling HSTS on IIS

To enable HSTS on IIS, you need a third-party module; for details, see https://hstsiis.codeplex.com/.

Testing whether the setup works

Once the configuration is done, you can use the curl command to verify it. If the response contains the Strict-Transport-Security field, the setting was successful.
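The directives described above, the verification step, and the max-age/system-time dependency can all be modelled on the client side. The following Python is an added example, not code from the original article: it parses a Strict-Transport-Security value per RFC 6797, checks the header requirements that hstspreload.org imposes (max-age of at least one year plus includeSubDomains and preload; the article's own condition list is not reproduced here), and simulates a browser's HSTS store with an injectable clock so that an expired or skewed-clock policy can be observed. The names parse_sts, preload_ready and HstsStore are my own.

```python
import time
ONE_YEAR = 31536000  # hstspreload.org requires max-age of at least one year (seconds)

def parse_sts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1); returns
    (max_age, include_subdomains, preload) or None if max-age is missing/invalid."""
    max_age, include_sub, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None             # duplicated or non-numeric: ignore header
            max_age = int(value)
        elif name == "includesubdomains":   # directive names are case-insensitive
            include_sub = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, include_sub, preload)

def preload_ready(header):
    # Header-level requirements for submitting a domain to the preload list
    policy = parse_sts(header)
    return bool(policy) and policy[0] >= ONE_YEAR and policy[1] and policy[2]

class HstsStore:
    """Toy model of a browser's HSTS cache; now_fn is injectable so a skewed
    system clock (the NTP problem described above) can be simulated."""
    def __init__(self, now_fn=time.time):
        self.now, self.hosts = now_fn, {}  # host -> (expiry, include_subdomains)
    def observe(self, scheme, host, header):
        """Record the policy; returns False when the header is ignored."""
        if scheme != "https":           # header on a plaintext response is invalid
            return False
        policy = parse_sts(header)
        if policy is None:
            return False
        if policy[0] == 0:              # max-age=0 tells the client to forget the host
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = (self.now() + policy[0], policy[1])
        return True
    def should_upgrade(self, host):
        """Would an http:// request to host be rewritten to https:// right now?"""
        labels = host.lower().split(".")
        for i in range(len(labels)):    # host itself, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and self.now() < entry[0] and (i == 0 or entry[1]):
                return True
        return False
```

Feeding the store a header captured with curl and a clock moved past max-age shows why a forged NTP time defeats the policy: the entry is still present, it has simply expired from the browser's point of view.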
Finally, it is recommended not to enable HSTS or the HSTS Preload List unless you can guarantee that the HTTPS service will always be available. Once HSTS takes effect, returning users are redirected to HTTPS until max-age expires, so if HTTPS stops working the website cannot be accessed at all; the only way out is to change the domain name.