The Strict Transport Security


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

HSTS is a protocol that forces web sites to be accessed only via the HTTPS protocol. It prevents insecure access via the HTTP protocol, whether it is malicious or unintentional. It also prevents HTTPS pages with mixed content from being displayed. This protocol, like HTTPS, is transported over SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security). The Internet Engineering Task Force (IETF) made the HSTS protocol a standard only in November 2012. An HSTS-enabled website sends a special header; when a browser such as Firefox, Opera or Google Chrome receives this header, it restricts the website from being accessed via the HTTP protocol. It also prevents HTTPS click-through prompts on these browsers (OWASP, 2012. HTTP Strict Transport Security. [online] Available at: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security [Accessed 8th March 2013]). If the website was developed with the HTTPS protocol, enabling the standard is just a matter of adding the following text to the response header:

Strict-Transport-Security: max-age=expireTime [; includeSubdomains]

The "max-age=expireTime" directive lets the web browser know the length of time for which the particular website must be accessed only with the HTTPS protocol; it is usually quoted in seconds. The optional "[; includeSubdomains]" directive extends the policy to all sub-domains of the website being accessed.
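As an added illustration (not part of the original essay), the following Python models how a browser applies this header: it parses max-age and includeSubDomains, records the policy only when the header arrived over HTTPS, and decides whether a plain-http URL must be upgraded. The host names used are constructed for the example.

```python
import time
from urllib.parse import urlsplit

def parse_hsts(header):
    """Return (max_age, include_subdomains), or None if max-age is missing, repeated or non-numeric."""
    max_age, include_sub = None, False
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name = name.strip().lower()   # directive names are case-insensitive
        if name == "max-age":
            value = value.strip().strip('"')
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":   # any other directive is ignored
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Per-host known-HSTS list, as a browser keeps it (constructed example)."""
    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be tested
        self.policies = {}    # host -> (expiry_timestamp, include_subdomains)

    def observe(self, response_url, header):
        """Record the policy from a response; ignored unless it arrived over HTTPS."""
        parts = urlsplit(response_url)
        parsed = parse_hsts(header)
        if parts.scheme != "https" or not parts.hostname or parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.policies.pop(host, None)   # max-age=0 withdraws the policy
        else:
            self.policies[host] = (self.now() + max_age, include_sub)
        return True

    def must_upgrade(self, url):
        """True when a plain-http URL must be rewritten to https before any request."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return False
        labels = parts.hostname.lower().split(".")
        for i in range(len(labels)):   # exact host first, then each parent domain
            policy = self.policies.get(".".join(labels[i:]))
            if policy and policy[0] > self.now() and (i == 0 or policy[1]):
                return True
        return False
```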

According to the IETF (RFC 6797, 2012), the HSTS protocol standard was designed essentially to prevent MITM attacks. It addresses threats from passive network attacks, active network attacks and careless website development and deployment. However, its shortcomings show in the form of phishing and malware. In the e-Commerce world, especially in the banking and financial services sector, hackers have used these techniques to elicit personal information from end users. Phishing and malware techniques continue to evolve as hackers seek new ways of eliciting end users' personal information. Amit Klein, Chief Technology Officer of Trusteer, a cybercrime prevention company, has been quoted as saying that there are various ways in which e-banking institutions can be susceptible to attack, that is, through phishing, malware, pharming and session hijacking (Constantin, Lucian, 2013. Banking malware returns to basics to evade detection, Trusteer says. [online] Available at: http://www.networkworld.com/news/2013/020813-banking-malware-returns-to-basics-266534.html?page=1 [Accessed 9th March 2013]). The latest development in phishing is called "spear phishing" or "targeted phishing", which threatens the online banking industry and the end user. In this type of phishing, emails are sent to a specific organisation or end user seeking to elicit personal information. The emails usually disguise themselves as coming from a trusted entity and are personalised specifically to gain the end user's information. Another relatively new method that is gaining some momentum is "in-session phishing". In this type of phishing, as described by Higgins, Kelly Jackson (2009), hackers target the end user while banking online with a phony pop-up message pretending to be from the bank. The pop-up usually asks the end user to retype their username and password. It initially gives the end user the impression that their current online banking session has expired and that their credentials must be re-entered, and as easily as that the hacker gains their information. For "in-session phishing" to be successful the hacker must have a list of banking websites to which the phony pop-ups can be sent. These relatively new forms of phishing are sometimes costly and time consuming for the hacker, but once an end user is "hooked" the monetary benefits can be huge. Malware techniques have returned to more traditional forms, which simply aim to gain end user credentials, in an attempt to circumvent the new security mechanisms put in place by banking websites, as reported by security firm Trusteer (Constantin, 2013). In the online banking sector Trojan programs continue to be used. However, these Trojans have advanced to the point where, when executed, they can tamper with real-time transactions and can deploy fake banking websites where end users are prompted to enter their credentials. Another technique spawned from phishing is "pharming". Unlike phishing, pharming does not use emails to target select users but is a tactic used to infect numerous computers. As simply defined by Rouse (2007), it infects an end user's computer by entering a redirect in the computer's hosts file to the hacker's rogue website, so that any time the end user attempts to go to their banking website they are sent to the fake website. Another form of redirection, seen as more malicious, occurs on the Domain Name System (DNS) server side. The DNS server's host table is modified with rogue websites so that any time an end user tries to access their official banking website they are sent to the fake one. Session hijacking is also still used. Hackers are able to sniff for the session token used to authenticate to the web server. They then use this session token to gain access to the web server. Other forms of session hijacking can come in the form of MITM, MITB, Trojans and JavaScript.

Having highlighted the shortcomings of HSTS and analysed how recent advanced variations have affected the online banking sector, it is important to know the sources of attack that threaten to exploit the inadequacies of HSTS. Traditional sources such as emails and fake websites continue to be the commonplace choices of attack; however, as evidenced by (Milletary, ?), there has been a notable increase in malicious code directed at end user information. This malicious code usually takes one of three forms, that is, social engineering, the use of common phishing tools and the continued ingenuity of the hacker mind. Social engineering preys on end users, getting them to divulge their personal information through manipulative means that influence their decision making. There has also been an increase in the tools being used, such as bots, phishing kits, email relays and attacks on the DNS. Hackers continue to find more devious and ingenious ways of capturing end users' personal data. Although end users and the banking sector may be able to plug a known threat, always remember that hackers are always looking for more than one way to get in. Once phishing or malware exists on an end user's system their web browsing is compromised, regardless of whether HSTS is in use.

Mechanisms have been developed and put in place to protect the end user's web browsing experience, especially when performing financial transactions. These mechanisms were designed to redirect automatically to HTTPS websites, which is transparent to the end user. Co-developers of the HSTS protocol, Barth and Jackson, developed a mechanism called ForceHTTPS, which forces HTTPS websites to enforce greater security. It was designed to treat any HTTPS errors or website vulnerabilities as threats. It would force a redirect to HTTPS, but for actions deemed as threats it would prevent end user 'click-throughs' and any further access to the intended website. ForceHTTPS is able to protect a website against pharming if used in conjunction with a phishing defence mechanism, as highlighted by Barth & Jackson (2009).

Another mechanism is web browsers shipped with HSTS preload lists. This is a list of hosts that want HSTS enabled by default (Keeler, 2012). Mozilla Firefox and Google Chrome work together to formulate this list for their browsers. They search for hosts with an HSTS header, inclusive of sub-domains, with an agreed-upon large max-age value; once a host is in compliance it is added to the preload list embedded in the browser. Currently, only Firefox and Chrome have this feature. Safari does not have this feature although it supports HSTS. The other noteworthy web browser, Microsoft's Internet Explorer, does not support HSTS at this time.

Online banking in Trinidad & Tobago is fast becoming the channel of choice for performing financial transactions. The top four banking institutions were put through a free security assessment from research company Qualys.com. According to their security tests and standards, two sites passed with grades A and B, while the other two failed with F grades. As illustrated by the results, none of the four banking institutions supported HSTS, although they all possessed SSL certificates. A cause for concern is why the two online banking sites failed: one was susceptible to MITM and DoS attacks, the other to an SSL/TLS attack called BEAST (Browser Exploit Against SSL/TLS). The online banking site graded B was also vulnerable to BEAST; however, it was generally safe to perform transactions on. Suffice it to say, the grade A online banking site had little or no remedial action to be taken. (See appendix)

There are common HSTS best practices and basic rules of thumb that both the online banking fraternity and its end users can exercise to prevent their personal information from getting into the wrong hands. To enjoy the protection benefits of HSTS, the online banking website should have a digital certificate obtained from a trusted root Certificate Authority. When including the HSTS header, the banking website must ensure it is sent over a secure HTTPS channel, that is, SSL/TLS, so that when end users access their banking website via the Firefox or Google Chrome web browsers their HSTS policy list remains updated. Additionally, any information included in the protocol response header should be carefully validated; these basic HSTS best practices are supported by Araujo & Shah (2012). Due to the HSTS protocol's shortcomings, end users and banking institutions need to do their part to protect personal information. A key practice is awareness and education about the latest threats and how they can be mitigated. End users and organisations need to ensure that their desktop devices have antivirus, antimalware and antispam software installed and updated. Additionally, OS patches should be kept up to date. Online banking sites are adopting mechanisms such as strong authentication and user transaction verification. These approaches have been highlighted by (Milletary, ?) and Dispensa (2010).

The HSTS protocol initiative would not solve the problem of end user security, but it should be adopted to minimise the risk that hackers pose to financial institutions and their end users. Preliminary research has shown that none of the top four online banking websites in Trinidad & Tobago support HSTS, and the failing grades of two of the websites should make the use of this initiative of paramount importance. Although this essay has detailed what HSTS can help prevent, the concern lies in the protocol's inherent shortcomings of being unable to deal with phishing and malware. However, e-Commerce organisations, web developers and end users have a responsibility to continually educate themselves about existing and new techniques that threaten sensitive information and ways to combat them. Adopting common HSTS best practices and keeping updated with the latest tools and software would minimise threats, but again, would not solve the problem.
