Your browser does not support JavaScript!
http://iet.metastore.ingenta.com
1887

access icon free Analysing HSTS and HPKP implementation in both browsers and servers

© The Institution of Engineering and Technology
Received 15/01/2017, Accepted 09/10/2017, Revised 10/07/2017, Published 12/10/2017

HTTP Strict Transport Security (HSTS) and HTTP Public Key Pinning (HPKP) are two protocols aimed to enforce HTTPS connections and allow certificate pinning over HTTP. The combination of these recent protocols improves and strengthens HTTPS security in general, adding an additional layer of trust and verification. In addition, they help ensure that the connection is always ciphered and correctly authenticated. However, during the process of adoption and implementation of any protocol that is not yet completely settled, the possibility of introducing new weaknesses, opportunities or attack scenarios arises. Even when these protocols are implemented, bad practices prevent them from actually providing the additional security they are expected to provide. In this study, the authors review not just the quantity but the quality (according to several criteria) of the implementation in both servers and most popular browsers and report on some possible attack scenarios that the authors have discovered.

Inspec keywords: online front-ends; transport protocols; public key cryptography; Internet; cryptographic protocols; computer network security

Other keywords: verification layer; servers; trust layer; HSTS implementation analysis; HPKP implementation analysis; HTTP strict transport security; HTTP public key pinning; certificate pinning; HTTPS connections; HTTPS security; browsers

Subjects: Data security; Protocols; Computer communications; Cryptography; Search engines; Information networks; Other computer networks; Protocols

References

    1. 1)
      • 32. ElevenPaths: ‘PinPatrol’. Available at: https://addons.mozilla.org/es/firefox/addon/pinpatrol/. https://chrome.google.com/webstore/detail/pinpatrol/jenmooahjheolakpacikdlloalfaihef/.
    2. 2)
      • 11. Langley, A.: ‘Further improving digital certificate security. Google Security Blog’ (2013). Availabe at: https://security.googleblog.com/2013/12/further-improving-digital-certificate.html.
    3. 3)
      • 8. Paul, I.: ‘Firefox add-on firesheep brings hacking to the masses’. PCWorld (2010).
    4. 4)
      • 15. Loesch, C.: ‘Certificate patrol’. Available at: https://addons.mozilla.org/es/firefox/addon/certificate-patrol/.
    5. 5)
      • 30. Bugzilla: ‘Bugzilla@Mozilla’ (2014). Available at: https://bugzilla.mozilla.org/show_bug.cgi?id=775370.
    6. 6)
      • 19. Holz, R., Riedmaier, T., Kammenhuber, N., et al: ‘X.509 forensics: detecting and localising the SSL/TLS men-in-the-middle’. ESORICS, Pisa, Italy, September 2012, vol. 7459, pp. 217234. Available at: https://pki.net.in.tum.de/node/13.
    7. 7)
      • 29. Monica: ‘Firefox 32 supports public key pinning’ (2014). Available at: http://monica-at-mozilla.blogspot.de/2014/08/firefox-32-supports-public-key-pinning.html.
    8. 8)
      • 34. Deveria, A.: ‘Can I use HSTS?(2015). Available at: http://caniuse.com/#search=HSTS.
    9. 9)
      • 27. Internet Engineering Task Force (IETF): ‘Public key pinning extension for HTTP’. RFC 7469 (2015). Available at: https://tools.ietf.org/html/rfc7469.
    10. 10)
      • 21. Kranch, M., Bonneau, J.: ‘Upgrading HTTPS in mid-air: an empirical study of strict transport security and key pinning’. Network and Distributed System Security Symposium (NDSS)’, San Diego, California, February 2015.
    11. 11)
      • 25. IETF: IETF. Available at: https://www.ietf.org/.
    12. 12)
      • 5. Bhargavan, K., Delignat-Lavaud, A., Fournet, C., et al: ‘Triple handshakes and cookie cutters: breaking and fixing authentication over TLS’. IEEE Symp. Security and Privacy, San Jose, California, May 2014.
    13. 13)
      • 26. Internet Engineering Task Force (IETF): ‘HTTP strict transport security (HSTS)’. RFC 6797 (2012). Available at: https://tools.ietf.org/html/rfc6797.
    14. 14)
      • 18. Marlinspike, M.: ‘Convergence (2011)’. Available at: http://convergence.io/.
    15. 15)
      • 6. Jia, Y., Chen, Y., Dong, X., et al: ‘Man-in-the-browser-cache: persisting HTTPS attacks via browser cache poisoning’, Comput. Secur., 2015, 55, pp. 6280.
    16. 16)
      • 22. Selvi, J.: ‘Bypassing HTTP strict transport securityBlackHat Europe, 2014.
    17. 17)
      • 20. Garron, L., Bortz, A., Boneh, D.: ‘The state of HSTS deployment: a survey and common pitfalls(2014).
    18. 18)
      • 33. Deveria, A.: ‘Can I use public key Pinning(2015). Available at: http://caniuse.com/#feat=publickeypinning.
    19. 19)
      • 4. Codenomicon: ‘The heartbleed bug’. ekoparty, Buenos Aires, Argentina, September 2014.
    20. 20)
      • 23. Yan: ‘Weird new tricks for browser fingerprinting(2015). Available at: https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf.
    21. 21)
      • 9. Mandalia, R.: ‘Security breach in CA networks-comodo, digiNotar, globalSign’. ISC2 Blog (2012). Availabe at: http://blog.isc2.org/isc2_blog/2012/04/test.html.
    22. 22)
      • 17. Engert, K.: ‘Conspiracy. An add-on for Mozilla Firefox to give additional information when visiting secured sites (2010)’. Available at: http://kuix.de/conspiracy/.
    23. 23)
      • 24. Nishimura, M.: ‘Appended period to hostnames can bypass HPKP and HSTS protections’. Available at: https://www.mozilla.org/en-US/security/advisories/mfsa2015-13/.
    24. 24)
      • 1. Rizzo, J., Duong, T.: ‘BEAST’. Ekoparty, Buenos Aires, Argentina, September 2011.
    25. 25)
      • 14. Wendlandt, D., Andersen, D., Perrig, A.: ‘Perspectives: improving SSH-style host authentication with multi-path probing (2008)’. Available at: http://static.usenix.org/event/usenix08/tech/full_papers/wendlandt/wendlandt_html/.
    26. 26)
      • 7. Marlinspike, M.: ‘New tricks for defeating SSL in practice’. BlackHat (2009). Availabe at: http://www.thoughtcrime.org/software/sslstrip/.
    27. 27)
      • 28. Deveria, A.: ‘Can I use strict transport security?’ (2016). Available at: http://caniuse.com/#feat=stricttransportsecurity.
    28. 28)
      • 31. Mozilla: ‘Mozilla Code’ (2014). Available at: https://dxr.mozilla.org/comm-central/source/mozilla/security/manager/ssl/nsSiteSecurityService.h.
    29. 29)
      • 2. Möller, B., Duong, T., Kotowicz, K.: ‘This POODLE bites: exploiting the SSL 3.0 fallback’ (2014). Available at: https://www.openssl.org/~bodo/ssl-poodle.pdf.
    30. 30)
      • 12. Hoffman, P.: ‘The DNS-based authentication of named entities (DANE). Transport Layer Security (TLS) Protocol: TLSA’. Available at: https://www.rfc-editor.org/rfc/rfc6698.txt.
    31. 31)
      • 10. Langley, A.: ‘Maintaining digital certificate security. Google Security Blog’ (2014). Availabe at: https://security.googleblog.com/2014/07/maintaining-digital-certificate-security.html.
    32. 32)
      • 13. Marlinspike, M., Perrin, T.: ‘Tacks’. Available at: http://tack.io/draft.html.
    33. 33)
      • 16. Soghoian, C., Stamm, S.: ‘Certified lies: detecting and defeating government interception attacks against SSL’. 15th Int. Conf. Financial Cryptography and Data Security, Gros Islet, St. Lucia, 28 February – 4 March 2011.
    34. 34)
      • 3. Rizzo, J., Duong, T.: ‘The CRIME attack’. Ekoparty, Buenos Aires, Argentina, September 2012.
http://iet.metastore.ingenta.com/content/journals/10.1049/iet-ifs.2017.0030
Loading

Related content

content/journals/10.1049/iet-ifs.2017.0030
pub_keyword,iet_inspecKeyword,pub_concept
6
6
Loading
Print this page
This is a required field
Please enter a valid email address