HSTS Error Pages & Some Vulnerabilities

-

1. Problem

Can not access to test server after setting HSTS header. Error pages are as below(※ in FireFox).

※ error message
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely
※ error message
接続中止: 潜在的なセキュリティ問題


2. Why this happened

Happened because SSL Certification is different between test server and production server in same domain(ex. www.sample.com)

HSTS caching SSL certificate data

HSTS enforce HTTPS(using SSL, prevent HTTP) and caching SSL certificate data. Within max-age time, browser has cached data.

Same domain with different certificate data

First, access to production server with HTTPS and caching SSL certificate data.
Second, try to access test server(STG) with cached data but failed because SSL certificate data is different from production server and test server.


3. Solution

Delete browser cache then access again. Or use same SSL certification in both test server and production server.


※ HSTS always safe?

Why we set HSTS

Set HSTS for preventing URL hijacking because it enforce HTTPS.
Many site set redirect setting in their server. When user access by HTTP then redirect it to HTTPS. In redirect process, someone can hijack HTTP request then return to fishing site with HTTPS.

First access can be problems

First access using HTTP(in step 1) has no HSTS header yet. So URL hijack can be happened.
Second access using HTTP has no problems because HSTS already set in first access. When user try to use HTTP, browser with HSTS prevent this access then enforce to use HTTPS.

reference

https://www.thesslstore.com/blog/clear-hsts-settings-chrome-firefox/
https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
https://opentutorials.org/course/228/4894
https://wayhome25.github.io/cs/2018/03/11/ssl-https/

Comments

Post a Comment

Popular posts from this blog

Tame Your Files Using Pipe Command

-
Image
Overview Can use "Unix pipes" when checking access logs or making new files from other files. Why have to use pipes? No additional software required → good for making common manual Using other tools can make mistake → miss in copy&paste when using Excel In Access Logs You may want to know how many users access to your site. 1. Sample access logs are as below. 2. Then can use pipes as below. grep -v "HOME" : Exclude access from HOME(ex. redirect access from application itself) cut -d' ' -f1,7,11,12 : Considered space as a field delimiter then print fields in 1, 7, 11, 12 sort | uniq -c : Sorting then count the unique rows. Have to "sort" before "uniq" because "uniq" only check unique in consecutive values. sort -nr : sort by number in reverse order In CSV Files Business team give you an csv files that including delivery information then said "We want to give free delivery to users ...
Read more