With just 5 percent of web servers correctly implementing HTTP Strict Transport Security (HSTS), the remaining 95 percent are vulnerable to trivial connection hijacking attacks, research shows.
As Netcraft’s Paul Mutton explained in a recent blog post, these vulnerabilities can be exploited in phishing, pharming and man-in-the-middle (MiTM) attacks when a user unintentionally attempts to access a secure site via HTTP, meaning that the attacker does not have to spoof a valid TLS certificate to be successful.
These attacks are easier to be carried out compared to those targeting TLS, such as the DROWN attack. TLS certificates allow browsers to verify that they communicate with the correct websites, thus making it difficult to hijack the connection. MiTM attacks against HTTPS services are difficult to carry out because the attacker can’t easily obtain a valid certificate for a domain they do not control and the victim receives a warning message from the browser if an invalid certificate is used.
However, 95 percent of the HTTPS servers out there lack HSTS, which renders them vulnerable to pharming and man-in-the-middle attacks. What’s interesting to note is that the implementation of HSTS remained stuck at 5 percent for a long time, although it was introduced over three years ago.
Websites that do not implement an HSTS policy can be attacked when users inadvertently end up connecting via HTTP instead of HTTPS or when a site offers both protocols. Some websites also run an HTTP service to redirect users to the corresponding HTTPS site, which further exposes them to man-in-the-middle attacks if there is no HSTS policy in force.
The issue has been revealed before, and David Holmes, an evangelist for F5 Networks, explained in October 2015, that such a scenario would allow an attacker to intercept user’s session and ensure that the browser doesn’t receive HTTPS redirects.
Mutton says that even websites that use HTTPS exclusively are vulnerable to MiTM when the victim manually types the URL without prefixing it with https://, because the browser attempts an unencrypted HTTP connection in the first place. Thus, the request can be hijacked and the attacker can eavesdrop as the connection is relayed to the genuine secure site.
On Websites with an appropriate HSTS policy in place, the site’s header instructs the browser to connect only over HTTPS, thus keeping the user safe. Even if the user connects to a HTTPS server by manually typing the link, the browser will use the secure connection, Holmes explained.
Combining HSTS and HTTPS offers good protection against MiTM attacks, Mutton says, while other types of attacks, such as cookie injection and session fixation, can be prevented by adding subdomains to the HSTS policy. This, however, applies only if all subdomains support HTTPS for the duration specified by the max-age parameter, otherwise users will be locked out of these subdomains.
Although HSTS is an important security feature, users would still be exposed to MiTM attacks if they never before visited the site, reinstalled their operating system and/or their browser, switched to a new browser or device, deleted the browser's cache, or haven’t visited the site within the max-age period.
For that, website owners can use HSTS Preloading, designed to make sure that the site's HSTS policy is distributed before customer's first visit. Google, which is an avid HTTPS promoter, maintains a HSTS Preload list which allows site admins to request this feature, as long as the site has a valid certificate, redirects all HTTP traffic to HTTPS, and serve all subdomains over HTTPS.
Mutton also notes that, although HSTS is widely supported (nearly all modern browsers support it, including Internet Explorer 11, Microsoft Edge, Firefox, Chrome, Safari and Opera), it is not widely implemented. With 95 percent of websites having yet to enable the feature, users are vulnerable if the attacker can hijack their web traffic.
As Holmes explained last year, there are few legitimate reasons for which HSTS has seen such low adoption, and all might be nothing more than an awareness issue. The good news, however, is that many top global sites have already adopted the security feature.
“Implementing an HSTS policy is very simple and there are no practical downsides when a site already operates entirely over HTTPS. This makes it even more surprising to see many banks failing to use HSTS, especially on their online banking platforms. This demonstrates poor security practices where it matters the most, as these are likely to be primary targets of pharming attacks,” Mutton concludes.