Enable HSTS to force the browser to redirect to HTTPS access

After the entire website is HTTPS, if the user manually enters the website's HTTP address, or clicks on the website's HTTP link from elsewhere, the HTTPS service is usually available only by relying on the server's 301/302 redirect. The first HTTP request may be hijacked, causing the request to fail to reach the server, thus constituting HTTPS downgrade hijacking. This problem can currently be solved by HSTS (HTTP Strict Transport Security, RFC6797).

Introduction to HSTS

HSTS (HTTP Strict Transport Security) is an Internet security policy mechanism released by the International Internet Engineering Organization (IETF). Websites that adopt the HSTS policy will ensure that the browser is always connected to the HTTPS encrypted version of the website, without the need for users to manually enter the encrypted address in the URL address bar, in order to reduce the risk of session hijacking.

[[193256]]

HSTS response header format

 Strict-Transport-Security: max -age=expireTime [; includeSubDomains] [; preload]

• max-age, in seconds, tells the browser that within a specified time, this website must be accessed via the HTTPS protocol. That is, for the HTTP address of this website, the browser needs to replace it with HTTPS locally before sending the request.
• includeSubDomains, an optional parameter. If this parameter is specified, it indicates that all subdomains of this website must also be accessed through the HTTPS protocol.
• preload, optional parameter, a browser built-in list of domain names using HTTPS.

HSTS Preload List

Although HSTS can effectively solve HTTPS downgrade attacks, the first HTTP request before HSTS takes effect cannot be prevented from being hijacked. In order to solve this problem, browser manufacturers have proposed the HSTS Preload List solution: a built-in list that can be updated regularly, and for domain names in the list, the HTTPS protocol will be used even if the user has not visited them before.

Currently, this Preload List is maintained by Google Chrome and is used by Chrome, Firefox, Safari, IE 11, and Microsoft Edge. If you want to add your domain name to this list, you must first meet the following conditions:

Have a valid certificate (if using a SHA-1 certificate, the expiration date must be earlier than 2016);

• Redirect all HTTP traffic to HTTPS;
• Make sure HTTPS is enabled on all subdomains;
• Output HSTS response header:
• max-age cannot be less than 18 weeks (10886400 seconds);
• The includeSubdomains parameter must be specified;
• The preload parameter must be specified;

Even if all the above conditions are met, you may not be included in the HSTS Preload List. For more information, please visit: https://hstspreload.org/.

Through Chrome's chrome://net-internals/#hsts tool, you can check whether a website is in the Preload List, and you can also manually add a domain name to the local Preload List.

HSTS Disadvantages

HSTS is not a perfect solution for HTTP session hijacking. The first time a user visits a website, it is not protected by HSTS. This is because the browser has not received HSTS yet, so it is still possible to access it via plaintext HTTP.

If a user accesses a website protected by HSTS via HTTP, downgrade hijacking may occur in the following situations:

• Never visited this site before
• Recently reinstalled their operating system
• Recently reinstalled their browser
• Switch to a new browser
• Switch to a new device, such as a mobile phone
• Delete your browser's cache
• The site has not been visited recently and the max-age has expired

There are currently two solutions to this problem:

• Solution 1: Preset the HSTS domain name list in the browser, which is the HSTS Preload List solution mentioned above. This domain name list is distributed and hard-coded into mainstream web browsers. Clients accessing domain names in this list will actively use HTTPS and refuse to use HTTP to access the site.
• Solution 2: Add HSTS information to the domain name system record. However, this requires ensuring the security of DNS, which means deploying the Domain Name System Security Extension.

Other possible problems

Since HSTS will expire after a certain period of time (the validity period is specified by max-age), whether the browser enforces the HSTS policy depends on the current system time. Most operating systems frequently update the system time through the Network Time Protocol. For example, every time Ubuntu connects to the network, OS X Lion will automatically connect to the time server every 9 minutes. An attacker can bypass HSTS by forging NTP information and setting the wrong time.

The solution is to authenticate NTP information or prohibit NTP from significantly increasing or decreasing the time. For example, Windows 8 updates the time every 7 days and requires that the time set by NTP each time should not exceed 15 hours from the current time.

HSTS-supported browsers

Currently, mainstream browsers already support HSTS features. For details, please refer to the following list:

• Google Chrome 4 and above
• Firefox 4 and above
• Opera 12 and above
• Safari since OS X Mavericks
• Internet Explorer and above

HSTS deployment

The way for the server to enable HSTS is: when the client makes a request via HTTPS, the server returns the Hypertext Transfer Protocol response header with the Strict-Transport-Security field. The HSTS field set during non-encrypted transmission is invalid.

The best deployment solution is to deploy it at the location closest to the user. For example, if the architecture has a front-end reverse proxy and a back-end web server, it is best to configure HSTS at the front-end proxy. Otherwise, you need to configure HSTS at the web server layer. If the web server does not explicitly support HSTS, you can add a response header mechanism. If all other methods fail, you can add HSTS at the application layer.

HSTS is easy to enable. Just add the following information to the corresponding header:

 Strict-Transport-Security: max -age=63072000; includeSubdomains;preload;

Strict-Transport-Security is the name of the header field. max-age represents the effective time of HSTS on the client. includeSubdomains means it is effective for all subdomains. preload uses the domain name list built into the browser.

HSTS policy can only be set in HTTPS response, and the website must use the default port 443; the domain name must be used, not the IP. Therefore, HTTP needs to be redirected to HTTPS. If the HSTS header is allowed in the plain text response, a man-in-the-middle attacker can perform a DoS attack by injecting HSTS information into a normal site.

Enabling HSTS on Apache

 $ vim /etc/apache2/sites-available/hi-linux.conf 
 
 # Enabling HSTS requires enabling the headers module
 LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so 
 
 <VirtualHost *:80>
 ServerName www.hi-linux.com
 ServerAlias ​​hi-linux.com
 ...
 #Redirect all visitors to HTTPS to solve the HSTS first visit problem.
  RedirectPermanent/https://www.hi-linux.com/
 </VirtualHost> 
 
 <VirtualHost 0.0.0.0:443>
 ...
 # Enable HTTP Strict Transport Security
  Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"  
 ...
 </VirtualHost>

Restart Apache service

 $ service apche2 restart

Enable HSTS on Nginx

 $ vim /etc/nginx/conf.d/hi-linux.conf 
 
 server {
 listen 443 ssl;
   server_name www.hi-linux.com;
   add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" ;
 ...
 } 
 
 server {
 listen 80;
   server_name www.hi-linux.com;
 return 301 https://www.hi-linux.com$request_uri;
 ...
 }

Restart Nginx service

 $ service nginx restart

IIS Enable HSTS

To enable HSTS on IIS, you need to use a third-party module, for details, please refer to: https://hstsiis.codeplex.com/

Test whether the setup is successful

After the setting is completed, you can use the curl command to verify whether the setting is successful. If the result contains the Strict-Transport-Security field, it means that the setting is successful.

 $ curl -I https://www.hi-linux.com
 HTTP/1.1 200 OK
 Server: nginx
 Date : Sat, 27 May 2017 03:52:19 GMT
 Content-Type: text/html; charset=utf-8
 ...
 Strict-Transport-Security: max -age=63072000; includeSubDomains; preload
 X-Frame-Options: deny
 X-XSS-Protection: 1; mode=block
 X-Content-Type-Options: nosniff
 ...

As for HSTS and HSTS Preload List, it is recommended not to enable them unless you can ensure that HTTPS service will always be provided. Because once HSTS takes effect, old users will be redirected to HTTPS before max-age expires, causing the website to be unable to access correctly. The only way is to change the domain name.