Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Does HSTS header really help against MITM attacks?

I've read OWASP's HSTS cheat sheet at https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Browser_Support and also watched the related video: https://www.youtube.com/watch?v=zEV3HOuM_Vw

but still I can't understand how this helps against man-in-the-middle attacks in case of user typing http ://site.com. OWASP claims it helps.

Let's imagine the following scenario: the middle man gets request from victim: http ://site.com. Then he fires HTTPS request himself to https ://site.com and returns content to the user, stripping the HSTS header. All further user input is visible to the attacker.

In my mind, there's no way to protect against MITM unless we're using HTTPS from the beginning.

Does HSTS header really help against MITM attacks?

like image 557
Andrey Avatar asked Jan 15 '23 01:01

Andrey


2 Answers

HSTS helps only if the user agent has visited the site before and there was no interference from a MITM at the time of the first visit. In order words, you are vulnerable the first time you go to the site, but never again.

Since you are still vulnerable the first time, HSTS is far from perfect. But it's better than nothing, since it does protect from an attacker who targets you AFTER you have already visited the site before.

(Except if the user was careful to use https the first time: in that case they are protected the first time and also protected against forgetting to use https on all subsequent visits.)

like image 80
Celada Avatar answered Jan 21 '23 20:01

Celada


Firefox is also working on an HSTS preloaded list: http://blog.mozilla.org/security/2012/11/01/preloading-hsts/

The browsers typically maintain the HSTS information in an implementation-dependent secure store of some form. Of course with Firefox and Chrome the code is browseable. See for example https://code.google.com/p/chromium/source/search?q=stsheader&origq=stsheader&btnG=Search+Trunk

like image 22
equalsJeffH Avatar answered Jan 21 '23 21:01

equalsJeffH