Friday, 17 March 2017

Understanding HTTP Strict Transport Security (HSTS)


Have you any time tried to visit a site by typing "http://" in your web browser and the site that loads corresponds to "https://". Well it happens a lot of time. A website may support only https - secure connections and browser is smart enough to know this. How? We will see that in a moment.

My use case was for using a proxy to intercept browser traffic. As you know any proxy will intercept traffic and then send it's own certificate to the browser and if browser does not recognize the cert it shows the error -
  • "Your connection is not secure"... SEC_ERROR_UNKNOWN_ISSUER
You may go in Advanced tab and then add exception to start trusting the new certs for your testing. But it is not always possible and well see why?

NOTE : If you are not trying something on your own and dont understand why above prompt came its time to turn back. Your network traffic may be getting intercepted by some hacker using MITM (Man in the middle) attach to steal sensitive data like passwords.

WARNING : All the below information is provided only for the use case of pen testing and other security testing. Please do not use it otherwise. All of the below features are provided for your security. Playing around with it without understanding can compromise your security. So proceed on your own risk.

HTTP Strict Transport Security (HSTS)

As per Wiki,

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections,[1] and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.

How this works is that your webserver eg. Apache or NGINX is configured so that in each response header it sends header corresponding to  HSTS
  • Strict-Transport-Security "max-age=63072000"
max-age is the expiry time. So the HSTS will be applicable till this much time.

NOTE : This is updated every time you visit the site. So if this time period is 2 years them each time you visit the site this will be set for next 2 years.

For eg see below in case of techcrunch -

Working of HTTP Strict Transport Security (HSTS)

Browser once it receives stores this data corresponding to each site. In case of Firefox you can see it as follows -
  1. Type about:support in firefox tab
  2. Click on "Show in Folder". This should open your firefox profile folder.
  3. In this search for a file called SiteSecurityServiceState.txt and open it.
  4. Firefox stored HSTS data for sites in this file.
Steps in screenshots -

NOTE : As mentioned earlier this entry is updated every time you hit the url in your browser. Exception is incognito mode in which case entry from this file is removed once incognito is close. However note that if you have visited the site even once in non incognito mode then the security restrictions will be obeyed even in incognito mode.

Working :
  • This tells browser that every subsequent connection should always be https (secure). So even if you try to access http version of the site browser will convert it to https and proceed. 
    • For eg. You can try hitting "" and it will automatically hit ""
  • Another effect it has it that if this header is set then you cannot add exception for the certificate which does not match the original one (the one browser does not trust). Eg in screenshot below -

NOTE : I am using Zap proxy. You can use any others like Fiddler or Burp. I have written posts on this before you can revisit them if needed.

How to bypass HSTS?

Well now that we know where firefox stores this data it is easy to bypass this. All you have to do is remove the entry from this file. You can probably change the permission of this file so that new entry is not made in it. When tried for techcrunch you can see you can get back option to add certificate exception -

NOTE : For above to work make sure firefox is closed else it can overwrite the file.

NOTE : Above workaround will not work for the well known sites like google since for them the entries are hardcoded into browser code. Please do share if you know of any workaround for this.

NOTE : In the above mentioned file you might also see entries corresponding to HPKP. A HTTP Public Key Pinning (HPKP) header instructs clients to pin a specific public key to a domain. So, if a HPKP-supporting browser encounters a HPKP header, it will remember the specified public key hashes and associate them with that domain. In the future (until the specified max-age timeout expires), the browser will only accept a certificate for that domain if any key in the certificate's trust chain matches one of the associated hashes.

t> UA-39527780-1 back to top