Protocols

December 23, 2009

New rev of Strict Transport Security (STS) Specification

Hi, Jeff Hodges here.

I have pushed out a new rev (-06) of the Strict Transport Security (STS) Specification, with changes derived from feedback from various folks. This message (HERE) discusses the more major changes.

Note that STS discussion has now moved to the public-web-security@w3.org mailing list (from the public-webapps@w3.org list).

There is also a wiki page on which public-web-security@ denizens are working on coalescing various facets of web security, http://www.w3.org/Security/wiki/Main_Page, (including a page on STS).

Posted at 01:13 PM in Browsers, Protocols, Web/Tech | | Comments (0) | TrackBack (0)

December 10, 2009

Strict Transport Security presentation

Hi, Jeff Hodges here.

This evening, I'll be presenting on Strict Transport Security at iSEC Partners' iSEC Open Security Forum. My presentation is HERE. It provides a succinct STS overview and a brief status report on where we are with the effort.

Posted at 02:57 PM in Browsers, Protocols, Web/Tech | | Comments (0) | TrackBack (0)

November 06, 2009

Announcing Strict-Transport-Security Support on www.paypal.com

Hello, Andy Steingruebl here.

I'm pleased to announce that PayPal is the first major internet site to implement the draft Strict-Transport-Security standard.  As of Friday November 6th, 2009 PayPal is supporting the Strict-Transport-Security (STS) mode on our main website, https://www.paypal.com.

As we published back in September when we released the jointly developed spec, STS allows a site to override a web browser's normal protocol preference for HTTP, and instead tells the web browser to convert all attempts to access a given site to use HTTPS.  The draft spec is here.

A few small caveats.

  1. Right now we're just supporting this on https://www.paypal.com, not any of our other sites.
  2. We've launched with a very small max-age parameter for testing purposes.  We expect that after more extensive testing we will deploy with a much larger max-age value to provide more robust protection for users.
  3. This feature is currently supported in the NoScript and ForceTLS extensions for Firefox, and Chrome-4 (currently in beta). We expect other browsers to add the feature in the future.

Posted at 01:31 PM in Protocols, Web/Tech | | Comments (0) | TrackBack (0)

September 24, 2009

Strict Transport Security (STS) for Web Browsers

Many (most?) of us, when accessing a "secure" web site, have at one time or another been presented with a browser dialog indicating something isn't quite right with the site's certificate, and offering the ability to ignore the issue and proceed. Sometimes proceeding is not a good idea because it may lead to a man-in-the-middle attack.

Collin Jackson and Adam Barth present the details of such situations, as well as a means to remediate them, in their paper ForceHTTPS: Protecting High-Security Web Sites from Network Attacks. Essentially, ForceHTTPS enables a server to signal to browsers that it wishes to be interacted with only over secure transport, e.g. TLS/SSL. Part of the idea here is if the user enters, say, "http://www.paypal.com", the browser will rewrite it as "httpS://www.paypal.com/", and initiate the HTTP connection over secure transport. Another aspect is that if there are any certificate errors upon secure transport establishment, the connection will simply fail and the user won't be presented the opportunity to "click through" warnings.

Now, working with Collin and Adam, we've produced a refinement in the form of a HTTP Header Field specification entitled Strict Transport Security (STS). We're talking with the W3C about standardizing it there. There are already two Firefox extensions implementing it, Giorgio Maone's NoScript, and Sid Stamm's ForceTLS. Both Giorgio and Sid have blog entry's concerning STS, too: 

Additionally, Google Chrome has STS functionality implemented and it is working its way through the development channel process.

We (PayPal) are excited by the positive feedback we're receiving and the implementation work. We're looking forward to having our customer's security improved.

Submitted by Jeff Hodges.

Posted at 02:16 PM in Browsers, Protocols, Web/Tech | | Comments (0) | TrackBack (0)

March 09, 2009

Socket Capable Browser Plugins Result In Transparent Proxy Abuse

We're pleased to announce the availability of 'Socket Capable Browser Plugins Result In Transparent Proxy Abuse'. This document outlines the abuse case in CERT's VU #435052 advisory published last month.

Abstract

"Transparent proxies allow organizations to influence and monitor the traffic from its users without their knowledge or participation. Transparent proxies act as intermediaries between a user and end destination, and aren't generally apparent to users sitting behind them. Enterprises, Hotels, and Internet Service Providers often use transparent proxy products to lower bandwidth consumption,speed up page loads for their users, and for monitoring and filtering of web surfing. When certain transparent proxy architectures are in use an attacker can achieve a partial Same Origin Policy Bypass resulting in access to any host reachable by the proxy via the use of client plug-in technologies (such as Flash, Applets, etc) with socket capabilities. This write up will describe this architecture, how it may be abused by Flash, its existence in various network layouts, and mitigations."

Download Paper: http://www.thesecuritypractice.com/the_security_practice/TransparentProxyAbuse.pdf

CERT Advisory: http://www.kb.cert.org/vuls/id/435052

Posted at 04:32 PM in Protocols | | Comments (4) | TrackBack (0)

Archives

More...

Categories

Pages

About

Add me to your TypePad People list
Subscribe to this blog's feed
AddThis Social Bookmark Button

Blog Roll