
I do understand that it is a good security measure to implement HSTS, because it


Question

I do understand that it is a good security measure to implement HSTS, because it will reduce the number of incidents.

Statement 1: If a client's I/O traffic goes through a MITM from the start, can the attacker just strip the Strict-Transport-Security header, even from the initial HTTPS connection?

I'm aware of the pre-defined HSTS lists that browsers are implementing. This measure does not cover all sites/browsers.

Statement 2: An attacker can pass a Strict-Transport-Security: max-age=0 header at any time and disable HSTS.

If both of these are true, or even number 2 alone, HSTS seems pretty useless. It can't be that easy, where am I wrong?

Explanation / Answer

Statement 1: There should be no header for an attacker to strip, since sending it over HTTP is useless. No idea why someone would send it over HTTP. And if the attacker has certificates that the client trusts, so that an HTTPS connection will be established, then HTTPS won't bother the attacker. A connection over HTTP is still vulnerable; HSTS won't change this. It will transparently switch from HTTP to HTTPS if a valid HSTS entry exists.

Statement 2: Again, a browser should only act on HSTS headers sent over an HTTPS connection. If the attacker can send that header, (s)he won't be bothered by HTTPS.

Anyway, Defense in Depth! Which is why I do not think that HSTS is useless. If you immediately upgrade every HTTP connection to an HTTPS connection using redirects, your users can be vulnerable a lot over the course of a year! Compare that to the initial connection when using HSTS and a browser that supports it!
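To make the answer concrete, below is a simulated browser-side HSTS store written for this page (it is not code from the original post) that follows the RFC 6797 processing rules the answer relies on: a Strict-Transport-Security header is acted on only when it arrives on an HTTPS response with no certificate errors, so neither a header on a plain-HTTP response (statement 1) nor an injected max-age=0 over HTTP or an untrusted connection (statement 2) changes the stored policy. The names HSTSStore, process_response and must_upgrade are chosen here, and the hosts in the usage are constructed.

```python
import re
import time
from dataclasses import dataclass, field


@dataclass
class HSTSStore:
    """Simulated browser HSTS store: host -> (expiry, includeSubDomains)."""
    entries: dict = field(default_factory=dict)

    def process_response(self, host, scheme, cert_ok, headers, now=None):
        """Apply a response's Strict-Transport-Security header, if any.
        Returns True when the store changed. RFC 6797 section 8.1: the header
        is ignored unless it arrived over HTTPS with no certificate errors."""
        now = time.time() if now is None else now
        sts = headers.get("Strict-Transport-Security")
        if sts is None or scheme != "https" or not cert_ok:
            return False                   # plain HTTP or untrusted cert: ignore
        m = re.search(r'max-age\s*=\s*"?(\d+)"?', sts, re.I)
        if m is None:
            return False                   # required max-age directive missing
        max_age = int(m.group(1))
        if max_age == 0:
            return self.entries.pop(host, None) is not None  # legitimate removal
        sub = re.search(r"(^|;)\s*includeSubDomains\s*(;|$)", sts, re.I) is not None
        self.entries[host] = (now + max_age, sub)
        return True

    def must_upgrade(self, host, now=None):
        """Should an http://host request be rewritten to https://host?
        (Real browsers also consult the preload list mentioned in the question.)"""
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):
            cand = ".".join(labels[i:])
            entry = self.entries.get(cand)
            if entry is None:
                continue
            expiry, sub = entry
            if expiry <= now:
                del self.entries[cand]     # expired policy: forget it
                continue
            if i == 0 or sub:              # exact host, or a parent with includeSubDomains
                return True
        return False
```

Feeding the store a trusted HTTPS response for a host and then an `http` response carrying `max-age=0` for the same host leaves `must_upgrade` returning True, which is the behaviour the answer describes.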
