Protecting your web server from MITM attacks in Safari

I was looking for a way to make sure my web server is protected from man-in-the-middle attacks. It seems that Google Chrome and Firefox are working to block requests to my server, even if I choose to proceed after a security warning. I am testing this using Charles Proxy to intercept HTTPS traffic without trusting the Charles certificate on my Mac.

When I run the same tests with Safari, it lets me through if I choose to ignore the security warning, which I expect a certain number of users will do. It seems like Safari needs more settings to block traffic. I know this is possible because when I try to go to github.com with the same setup, I get the following message:

Safari cannot open

Does anyone know what GitHub does to block Safari traffic on an untrusted connection?

1 answer

It seems Safari supports HSTS and that github uses it. Their HTTP response contains the following header:

Strict-Transport-Security: max-age=31536000; includeSubdomains; preload

Thus, a browser that supports HSTS knows that for the foreseeable future this site should be visited only over HTTPS, and any attempt to use HTTP will be automatically upgraded by the browser.

In addition to basic HSTS, which only works after the first visit to the github site, the preload directive is also added. This tells browser developers that github would like to be included in the preloaded HSTS list that ships with browsers, so the browser applies HSTS even if the user has never visited the site before. See HSTS Preloading for more information.

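As an added illustration (not part of the original answer), the following Python checks an HSTS header the way the answer describes: it parses the directives, reports why a policy would not qualify for the browser preload list, and decides whether a stored policy forces a later request to HTTPS. The one-year minimum max-age is the published requirement of the Chromium preload list; the header value used as sample input is the one quoted in the answer.

```python
from urllib.parse import urlsplit

# Minimum max-age the browser HSTS preload list requires: one year in seconds.
PRELOAD_MIN_MAX_AGE = 31536000

# Header value quoted in the answer above, used here as sample input.
GITHUB_HEADER = "max-age=31536000; includeSubdomains; preload"


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a policy dict.

    Directive names are case-insensitive (RFC 6797); unknown directives
    are ignored. Returns None when no valid max-age is present, since a
    policy without max-age is unusable.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def preload_problems(policy):
    """List the reasons a policy would be rejected from the preload list (empty if eligible)."""
    if policy is None:
        return ["no valid max-age directive"]
    problems = []
    if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not policy["preload"]:
        problems.append("preload token missing")
    return problems


def hsts_applies(policy, policy_host, request_url):
    """Does a policy learned for policy_host force request_url to HTTPS?"""
    host = (urlsplit(request_url).hostname or "").lower()
    if host == policy_host:
        return True
    return policy["include_subdomains"] and host.endswith("." + policy_host)
```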

Source: https://habr.com/ru/post/1246247/
