What is HSTS and How to fix HSTS Related Error?


👤 Diwas Poudel    🕒 Nov 5 2021    📁 Fix    📜 0 comment


Imagine you are in a public place such as a hotel or a park and you get a chance to use free Wi-Fi. If a hacker is on the same network, he/she can use packet-sniffing tools to sniff all of the connections going over this public network, which may carry unsecured, unencrypted HTTP traffic.

Hackers can capture HTTP traffic even when the client is browsing a website that is protected with HTTPS only. A hacker can even capture the packets if the site simply redirects from HTTP to HTTPS using 301 permanent redirects. So getting an SSL or TLS certificate and enabling HTTPS for a website is not enough. HTTPS still has some defects that can be fixed by HSTS, so it is the role of web developers and IT specialists to use HSTS rather than just HTTPS. Using HSTS can protect your sites from SSL stripping man-in-the-middle attacks, which we will discuss later.

fig. HSTS Network Errors Message
💡 The HTTP version of a website is still available even if you have installed an SSL certificate and set up 301 permanent redirects, and hackers can intercept and manipulate those redirects.

Before getting to the topic, let's look at SSL stripping.

What is SSL Stripping?

SSL Stripping is a man-in-the-middle attack.

Suppose you, as a client, make a request and, as people usually do, skip the protocol part (i.e. http:// or https://): you type, for example, www.xyz.com instead of https://www.xyz.com. In this case, the web browser will follow a 301 permanent redirect to the HTTPS version of the XYZ website (if HTTPS is enabled). From then on, the browser will always request the HTTPS version of the website, even if the user types the HTTP version of the same site.

But on the first visit to any website, you make a GET request to the web server over unencrypted HTTP. Because HTTP is unencrypted, a man in the middle can intercept it and forward your request to a hacker's site using ARP poisoning techniques. The user is then redirected to the hacker's site, and when the user enters a username and password there, the user's important data is leaked. So your first request can have a man in the middle.

This type of attack is the SSL/TLS stripping attack, and HSTS was originally created to prevent this first-request attack, i.e. the SSL stripping attack.

What is HSTS?

HSTS is a mechanism that protects websites from protocol-downgrade attacks (TLS) and cookie hijacking. HSTS was invented to prevent the SSL stripping attack, which is a type of man-in-the-middle attack.

HSTS was originally developed in response to the Moxie Marlinspike vulnerability, which was described at a BlackHat Federal session titled "New Tricks for Defeating SSL in Practice" in 2009. With the use of HSTS, he demonstrates how this vulnerability may be avoided.

How does HSTS prevent SSL Stripping attacks?

The browser (client side) and the web server (server side) both play a role in preventing SSL stripping attacks.

From the browser perspective:

Every popular browser, such as Chrome, Firefox, Safari, Opera, IE 11, and Edge, has an HTTP Strict Transport Security (HSTS) preload list of the most popular websites like Google, YouTube, Facebook, and many more. So even if you request google.com (without the HTTP or HTTPS protocol) for the first time, the browser will automatically go to the HTTPS version of google.com.

What actually happens is this. Say you are using Firefox; this browser maintains an HSTS preload list that contains popular sites like google.com, facebook.com, and many more. When you request google.com for the first time in the browser's address bar, the browser first looks at its internal preload list. google.com will certainly be on the list, so the browser forces HTTPS even on the first request and no hacker can intercept the request. Even if a hacker is able to intercept it, he/she will not understand what is in the request, because the browser has already sent it over HTTPS, which is an encrypted protocol. So even the first-request attack is prevented, and end-to-end encryption is ensured.

The only weakness is that the updated list is only available with new browser versions, which makes the update process slow and when you have recently added your domain, there can be no assurance that your websites will already be preloaded.

From the webserver perspective:

Since the browser's preload list does not contain every website and web application, it is the developer's role to maintain HSTS-related functionality and enforce HTTPS on every request, even if the client types the domain name without a protocol.

On the server side, a website must support HTTPS and must send a Strict-Transport-Security header. When a client loads your site (without a protocol) for the first time, the first request will certainly go over HTTP; your site then responds with the Strict-Transport-Security header, and the browser learns that the site maintains HSTS. When the client makes a second request, even without a protocol, the browser requests the HTTPS version from the web server, so the hacker can no longer intercept it and any intercepted data is meaningless.

Note: Even if you have set up HSTS by enabling HTTPS and the header, the first request is always vulnerable and we cannot prevent that, because your website will not be in the preload list.
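
The browser-side behaviour described above, as an added example (not code from the original article): a small Python model of a browser's HSTS state that shows the unprotected first request, the upgrade on later requests, and expiry after max-age. Per RFC 6797 the header is only honoured when it arrives over HTTPS, so the policy is stored from the HTTPS response that follows the redirect; the class, the host names and the clock are constructed for illustration.

```python
import time
from urllib.parse import urlsplit

class HstsStore:
    """Minimal model of a browser's HSTS state, following RFC 6797."""
    def __init__(self, preloaded=(), clock=time.time):
        self.preloaded = set(preloaded)  # hosts shipped in the browser's list
        self.dynamic = {}                # host -> (expiry, include_subdomains)
        self.clock = clock

    def note_response(self, url, max_age, include_subdomains=False):
        """Store a policy from a response; only HTTPS responses are trusted."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False                 # header over plain HTTP is ignored
        expiry = self.clock() + max_age  # max-age=0 expires the entry at once
        self.dynamic[parts.hostname] = (expiry, include_subdomains)
        return True

    def is_hsts_host(self, host):
        labels = host.split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            if name in self.preloaded:   # modelled as covering subdomains
                return True
            entry = self.dynamic.get(name)
            if entry and entry[0] > self.clock() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_hsts_host(parts.hostname):
            return parts._replace(scheme="https").geturl()
        return url                       # this is the URL actually requested

def demo():
    now = [0.0]  # constructed clock so that expiry can be shown
    store = HstsStore(preloaded={"preloaded.example"}, clock=lambda: now[0])
    site = "http://www.xyz.example/"     # constructed host name
    seen = [store.rewrite(site)]                      # first visit: stays HTTP
    store.note_response(site, 31536000)               # HTTP response: ignored
    store.note_response("https://www.xyz.example/", 31536000)
    seen.append(store.rewrite(site))                  # now upgraded to HTTPS
    now[0] += 31536001
    seen.append(store.rewrite(site))                  # policy expired: HTTP again
    seen.append(store.rewrite("http://preloaded.example/"))  # preloaded host
    return seen
```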

A simple HSTS header looks like this:

Strict-Transport-Security: max-age=15768000

15768000 is in seconds, which is equal to 1 year.

Note: you must communicate with the web server at least once so that your website will be added to the HSTS preload list.


Browser Supporting HSTS 

| Browser            | Version          |
|--------------------|------------------|
| Internet Explorer  | 11 and greater   |
| Edge               | 12 and greater   |
| Firefox            | 4 and greater    |
| Google Chrome      | 4 and greater    |
| Safari             | 7 and greater    |
| Opera              | 12.1 and greater |
| iOS Safari         | 7 and greater    |
| Opera Mini         | Does not support |
| Android Browser    | 4.4 and greater  |
| Chrome for Android | 80 and greater   |
| Samsung Internet   | 4 and greater    |
| Baidu Browser      | 7.2 and greater  |
| KaiOS Browser      | 2.5 and greater  |


HSTS Limitation

  • HSTS cannot control any website which supports HTTP protocol only.
  • On the first visit to a website, HSTS is unable to prevent a MITM attack.
  • Doesn't work with downgrade attacks (TLS).

Sometimes, when you open a website in one browser, you encounter a problem like:

Privacy error: “Your connection is not private” (NET::ERR_CERT_AUTHORITY_INVALID).

This indicates the website has implemented HSTS. But when you open the same website in another browser, it opens. In this scenario, you have to clear the HSTS settings in the browser.

Cause of HSTS Error in Web Browser?

If your website uses the HSTS header, the browser will save header info and you may encounter this error if you try to visit the same website later using HTTP. As a result, as a user, you should either remove your local browser's HSTS settings for the website or wait for the headers to expire, which can be configured as the "max-age" key-value field.

How to fix HSTS Error in Chrome Browser?

If you encounter the problem in Google Chrome, then:

  • Open a new tab in Google Chrome.
  • Enter chrome://net-internals/#hsts in the address bar.
  • In the “Query HSTS/PKP domain” field, enter the domain name (without HTTP or HTTPS) whose local HSTS settings you wish to delete.
  • Go to the bottom of the page and, under "Delete domain security policies", enter the domain name (without HTTP or HTTPS) whose dynamic domain security policies you wish to delete, then click Delete.

Now you have cleared local HSTS settings and you will not get those errors.

How to fix HSTS Error in Mozilla Firefox?

If you encounter the problem in Mozilla Firefox, then follow the steps below:

  • Close any open tab in the Firefox browser.
  • Next, press Ctrl + Shift + H to access your browsing history.
  • Navigate to the site whose HSTS settings you want to reset. In my case, I am searching for quora.com.
  • Right-click the site and select Forget About This Site from the drop-down menu.

How to do the HSTS Test for a Website?

  1. Visit https://gf.dev/hsts-test
  2. Type the name of the site you want to run the HSTS test on.
  3. Then look at the report it generates.

Alternatively, click here and check whether your site is on that list.

Who maintains and runs HSTS preload Service?

Google runs and maintains the preloaded program for HSTS. By following guidelines and adding the HSTS header for your websites successfully, the browser will never use an unsecured HTTP link to connect to your domain. Although Google hosts the service, all browsers supporting HSTS can use the preload list provided by Google.

How to submit site HSTS requests to the preload list?

First, ensure that you follow all preload submission criteria to submit your website to the list:

  • First, make sure that you have a valid SSL Certificate.
  • Redirect all HTTP requests to HTTPS.
  • Include the HSTS header on your website.
  • Use max-age of 1 year or more in the header.
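
An added example (not part of the original article or of any preload tooling): a Python check that parses a Strict-Transport-Security value using the RFC 6797 directive syntax and tests it against the max-age criterion listed above. It goes slightly beyond the page by also recognising the includeSubDomains and preload directives; the function names are hypothetical.

```python
import re

ONE_YEAR = 365 * 24 * 60 * 60  # 31536000 seconds
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def parse_hsts(value):
    """Parse a Strict-Transport-Security value using RFC 6797 syntax.

    Raises ValueError for a malformed value; a browser ignores such a
    header, so no HSTS policy is stored for the site.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = (s.strip() for s in part.partition("="))
        name = name.lower()
        if not TOKEN.fullmatch(name):      # e.g. ':' typed in place of '='
            raise ValueError(f"invalid directive {part!r}")
        if name in seen:
            raise ValueError(f"duplicate directive {name!r}")
        seen.add(name)
        if name == "max-age":
            arg = arg.strip('"')           # a quoted value is allowed
            if not re.fullmatch(r"[0-9]+", arg):
                raise ValueError(f"max-age needs '=<seconds>', got {part!r}")
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is missing")
    return policy

def check_policy(value):
    """Return findings for a header value; an empty list means it passes."""
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [f"header ignored by browsers: {exc}"]
    if policy["max_age"] < ONE_YEAR:
        days = policy["max_age"] / 86400
        return [f"max-age is {days:.1f} days, below one year"]
    return []
```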

Do I need to implement HSTS on my website?

Ans: If you have a view-only website where the user does not have to provide any details, then your website does not need to implement HSTS. If you like, you can still do it.

Do you encounter HSTS errors on the .dev Website?

Ans: .dev is Google's own domain extension. When you buy a domain with the .dev extension, HSTS is enabled by default and your website will only work with HTTPS. So you must have an SSL certificate to work with a .dev website.

Are HSTS and HTTPS the same?

Ans: No, they are different. You must have a valid SSL certificate to get HTTPS for your website, and for further protection HSTS settings must be implemented on your website.