
Summary of HSTS Support in Modern Browsers

HTTP Strict Transport Security (HSTS) is a web security policy designed to protect HTTPS websites against protocol downgrade attacks, which are used to perform man-in-the-middle attacks. “Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers”[1].

HSTS support

The downgrade attack can occur when the user requests a website over HTTP. When the user requests an http:// URL, the server redirects the user to the secure https:// URL. Without HSTS, an attacker on the same network is able to stop the user from reaching the HTTPS version of the site and force the user onto the HTTP version, where the attacker is able to control the user’s data and hijack the user’s session.

The HTTPS stripping attack, which exploits the absence of an HSTS policy, can be carried out with open-source tools such as SSLStrip by Moxie Marlinspike. The tool was publicly released in February 2009, and since then many browsers and websites have mitigated the issue.

Preventing the issue requires action on two sides: the website and the client. A website that is already using HTTPS should apply an HSTS policy to prevent the attack. The client has to use an updated browser version that supports the HSTS policy.

This advisory is intended to inform users that there are still modern browsers that do not support the HSTS policy today.

The following browsers support the HSTS policy (latest versions):

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Safari for OSX
  • Opera
  • Ghostery
  • TOR Browser

The following browsers do not support HSTS policy:

  • Internet Explorer (all stable versions do not support HSTS. Only Microsoft Edge and Internet Explorer 10 Technical Preview support it)
  • Android Browser (all versions up to 4.4.2 do not support the HSTS policy; newer versions might not support it either)
  • Opera Mini (all versions, including Opera Mini 8)
  • Maxthon browser
  • UC browsers (including UC browser, UC mini, UC browser HD)
  • Opera for Android

Testing Browsers for MITM attacks due to Lack of HSTS policy:

You can follow the instructions in the following link to check if the browser supports HSTS policy.

http://www.thoughtcrime.org/software/sslstrip/

Recommendations:

  • Always use the latest version of browsers
  • If you are concerned about your security, do not use a browser that does not support HSTS policy.
  • If you are using a browser that is not listed above, you should test if it supports HSTS policy, and if it does not support it, you should stop using it.

Notes:

  • Even if the website is using the strongest SSL encryption possible, if the client’s browser does not support HSTS, the client is vulnerable to man-in-the-middle attacks.
  • If the client makes an initial request to the website over HTTP, an attacker can manipulate the response to remove the HSTS header and would then be able to perform MITM attacks as well. Therefore, when making an initial request to a secured site, you should request it over HTTPS to avoid the HTTPS stripping that leads to MITM attacks.
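To make the browser side of the mechanism described above concrete, here is an added example (not code from the original advisory): a minimal model of a browser’s HSTS known-host store. It learns the Strict-Transport-Security header only from HTTPS responses (so an initial plain-HTTP response, as in the note above, can never install a policy), honours max-age, includeSubDomains and max-age=0, and upgrades http:// URLs for known hosts. The class name and the header values used in comments are assumptions, not taken from the page.

```python
import time
from urllib.parse import urlsplit, urlunsplit

class HstsStore:
    """Minimal model of a browser's HSTS known-host store (RFC 6797)."""

    def __init__(self, now=time.time):
        self.now = now      # clock function, injectable so tests can fast-forward
        self.hosts = {}     # host -> (expiry timestamp, includeSubDomains flag)

    def process_response(self, host, scheme, headers):
        """Learn a policy from a response. Returns True if the store changed."""
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if scheme != "https" or value is None:
            return False    # RFC 6797 8.1: the header is ignored over plain HTTP
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().lower().partition("=")
            arg = arg.strip().strip('"')
            if name.strip() == "max-age" and arg.isdigit():
                max_age = int(arg)
            elif name.strip() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False    # max-age is mandatory; a malformed header is ignored
        host = host.lower()
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.hosts[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a parent sent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite_url(self, url):
        """Enforce the policy: an http:// URL for a known host becomes https://."""
        p = urlsplit(url)
        if p.scheme != "http" or not self.is_known(p.hostname or ""):
            return url      # unknown host: the request would go out in clear text
        netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
```

A browser without this store is exactly the unprotected client the advisory warns about: every http:// URL for the host goes out in clear text, whatever the server would have said.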

The list might be updated for newer information. If there is a mistake on the list, you can contact me to correct it.

References:

http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security [1]

http://caniuse.com/#feat=stricttransportsecurity

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx

https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security

http://www.chromium.org/hsts

http://www.thoughtcrime.org/software/sslstrip/

About the Author

Mazin Ahmed is an information security specialist with experience in web-application security and mobile application security. Mazin is passionate about information security and has reported vulnerabilities which have been acknowledged by various companies, such as Facebook, Twitter, LinkedIn, and Oracle to name a few. Mazin is part of Proton Mail’s security group, an independent panel of experts who audit Proton Mail releases on a voluntary basis. You can reach him via Twitter @mazen160, and read more about him by visiting his website.
