Hacking HTTP Strict Transport Security (HSTS)


Gianluca

Hi guys,

On my blog I wrote a post about a MitM attack using SSLStrip + arpspoof. It's in Italian, so I don't know if you can understand it:

http://www.gianlucaghettini.net/intercettazione-traffico-https-e-recupero-dati-sensibili/

Other than the actual attack (which is very well known) I focused on the HSTS policy and how it is useful to prevent such attacks.

Do you know of any successful attempt to break such a security policy?

Poisoning the DNS cache of the target host could lead to a scenario in which the target browser goes to a fake domain, receives a forged HTTP header with a max-age value of zero:

Strict-Transport-Security: max-age=0; includeSubDomains

and then gets redirected to the real site.

The HSTS RFC says that browsers SHOULD ignore the HSTS header when in HTTP mode, but maybe this very specific check was not implemented on all browsers.

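As an added illustration (not code from the post or from any browser), here is a small model of a browser's "Known HSTS Hosts" store following RFC 6797 section 8.1: a Strict-Transport-Security header is only honoured when it arrives over HTTPS, so the forged max-age=0 header described above has no effect on a stored policy unless that check is missing. The host names and header values are constructed for the demo.

```python
import time

# Constructed header values matching the scenario discussed in the post.
HSTS_ENABLE = "max-age=31536000; includeSubDomains"
HSTS_DISABLE = "max-age=0; includeSubDomains"


def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if the header is malformed."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not val.isdigit():
                return None  # duplicate or non-numeric max-age: reject the whole header
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """Minimal model of a browser's Known HSTS Hosts list (RFC 6797 section 8.1)."""

    def __init__(self):
        self.known = {}  # host -> (expiry timestamp, include_subdomains)

    def process_response(self, host, scheme, sts_value, now=None):
        """Apply an STS header from a response; return True if the store changed."""
        now = time.time() if now is None else now
        if scheme != "https":
            return False  # header seen over plain HTTP is ignored, so max-age=0 does nothing here
        parsed = parse_hsts(sts_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            return self.known.pop(host, None) is not None  # host asks to be forgotten
        self.known[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        """True if host, or a superdomain with includeSubDomains, has an unexpired policy."""
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.known.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
```

A browser that skipped the scheme check in process_response would let the max-age=0 header over HTTP clear the policy; with the check in place, only a header received over HTTPS can change it.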

From what I understand, typical cache poisoning doesn't work because not only is a domain looked up to find the IP address, a reverse DNS lookup is also performed on that IP, which must return the same domain name. Failing that, no SSL connection will be established. I don't believe the reverse lookups are cached, so you have a challenge there.
