HSTS-Enforced
Enhancing HTTP Strict Transport Security through Secure-by-Default Principles
A.J. van Diepen (TU Delft - Electrical Engineering, Mathematics and Computer Science)
F.A. Kuipers – Mentor (TU Delft - Electrical Engineering, Mathematics and Computer Science)
G. Smaragdakis – Graduation committee member (TU Delft - Electrical Engineering, Mathematics and Computer Science)
A. Zapletal – Graduation committee member (TU Delft - Electrical Engineering, Mathematics and Computer Science)
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Abstract
Over the years, the web has slowly been moving towards more security. This is done to ensure integrity, authenticity, and confidentiality of the communication between clients and servers. The most significant improvement to security on the web has been HTTPS, which provides secure communication using encryption. However, downgrade attacks can bypass HTTPS entirely by reverting the communication to the insecure HTTP protocol. HSTS is the primary defense against such attacks. However, previous research has uncovered numerous vulnerabilities in the HSTS protocol, particularly those that allow attackers to disable HSTS by invalidating its state, as well as a method that uses HSTS headers to enable websites to track users.
In this thesis, we present HSTS-Enforced, an alternative to traditional HSTS. HSTS-Enforced effectively prevents downgrade attacks by employing a Secure-by-Default approach. Website administrators can explicitly opt out of security by specifying an HTTP-Required indicator. We propose two indicators: a new DNSSEC record and the HTTP-Required Preload list.
We demonstrate the effectiveness of HSTS-Enforced through the creation and validation of a protocol implementation encompassing both client-side and server-side components. Our evaluation reveals that HSTS-Enforced eliminates the vulnerabilities found in conventional HSTS. Additionally, we show that while enhancing security, HSTS-Enforced imposes a minimal load on all involved components (i.e., client, network, and server).