Does the HSTS header really help with MITM attacks?

I read the OWASP HSTS cheat sheet https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Browser_Support and also watched the related video: https://www.youtube.com/watch?v=zEV3HOuM_Vw

But I still can’t understand how this helps against man-in-the-middle attacks if the user types in http://site.com. OWASP claims this helps.

Imagine the following scenario: the man in the middle receives a request from a victim: http://site.com. He then launches an HTTPS request to https://site.com and returns the content to the user, removing the HSTS header. All further input is visible to the attacker.

In my opinion, there is no way to protect against MITM if we do not use HTTPS from the very beginning.

Does the HSTS header really help against MITM attacks?

+4
2 answers

HSTS only helps if the user agent has visited the site before and there was no interference from a MITM during the first visit. In other words, you are vulnerable when you first visit the site, but never again.

Since you are still vulnerable the first time, HSTS is far from perfect. But this is better than nothing, because it protects against an attacker who is targeting you AFTER you have already visited the site before.

(Except when the user carefully used https the first time: in this case they are protected the first time, and are also protected from forgetting to use https in all subsequent visits.)

+6

Firefox is also working on a pre-loaded HSTS list: http://blog.mozilla.org/security/2012/11/01/preloading-hsts/

Browsers typically support HSTS information in some form of implementation-protected secure storage. Of course, with Firefox and Chrome, the code is viewable. See for example https://code.google.com/p/chromium/source/search?q=stsheader&origq=stsheader&btnG=Search+Trunk

+3
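The behaviour described in the two answers above, as an added example that is not part of the original posts: a simplified JavaScript model of a browser's HSTS store, showing the unprotected first visit, the upgrade on later visits, and a preloaded entry. The class `HstsStore`, the function `scenarios`, the host `site.com` and the timestamps are constructed for illustration and are not any browser's actual code.

```javascript
// Added illustration: minimal model of a browser's HSTS store (after RFC 6797); all data constructed.
class HstsStore {
  constructor(preloaded = []) {
    this.preloaded = new Set(preloaded); // shipped with the browser (exact hosts here)
    this.dynamic = new Map();            // host -> { expires, includeSubDomains }
  }
  // Parse e.g. "max-age=31536000; includeSubDomains"; null if max-age is missing/invalid.
  static parse(header) {
    let maxAge = null, includeSubDomains = false;
    for (const part of header.split(';')) {
      const [name, value = ''] = part.trim().split('=');
      if (name.toLowerCase() === 'max-age') {
        if (!/^\d+$/.test(value)) return null;
        maxAge = Number(value);
      } else if (name.toLowerCase() === 'includesubdomains') includeSubDomains = true;
    }
    return maxAge === null ? null : { maxAge, includeSubDomains };
  }
  // Record a response; the header counts only when it arrived over HTTPS.
  noteResponse(url, headers, now) {
    const { protocol, hostname } = new URL(url);
    const raw = headers['strict-transport-security'];
    if (protocol !== 'https:' || raw === undefined) return;
    const policy = HstsStore.parse(raw);
    if (!policy) return;
    if (policy.maxAge === 0) this.dynamic.delete(hostname); // max-age=0 clears the entry
    else this.dynamic.set(hostname, { expires: now + policy.maxAge * 1000,
                                      includeSubDomains: policy.includeSubDomains });
  }
  isKnown(host, now) {
    if (this.preloaded.has(host)) return true;
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const e = this.dynamic.get(labels.slice(i).join('.'));
      if (e && e.expires > now && (i === 0 || e.includeSubDomains)) return true;
    }
    return false;
  }
  // URL the browser really requests when the user types `typed`.
  resolve(typed, now) {
    const u = new URL(typed);
    if (u.protocol === 'http:' && this.isKnown(u.hostname, now)) u.protocol = 'https:';
    return u.href;
  }
}
// First visit through a header-stripping proxy vs. a return visit after one clean HTTPS visit.
function scenarios(now = 0) {
  const sts = { 'strict-transport-security': 'max-age=31536000' };
  const fresh = new HstsStore(), returning = new HstsStore();
  fresh.noteResponse('http://site.com/', {}, now);       // header never reached the browser
  returning.noteResponse('https://site.com/', sts, now);
  return [fresh.resolve('http://site.com', now + 1), returning.resolve('http://site.com', now + 1)];
}
```

A store created with `new HstsStore(['site.com'])` upgrades the very first `http://site.com` request, which is the gap the preload list closes.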

Source: https://habr.com/ru/post/1445827/

