From e742d735dbb85e5e9148b906faa240cf249a7ad8 Mon Sep 17 00:00:00 2001 From: Ward Wouts Date: Mon, 20 Jan 2020 16:12:58 +0100 Subject: [PATCH] update --- index.html | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/index.html b/index.html index 0485679..6d39632 100644 --- a/index.html +++ b/index.html 
@@ -401,14 +401,18 @@ These kind of checks are called certificate pinning. .right-column[ Back to the MitM scenario. Traditionally when I type a URL in my browser the first thing that happens is an insecure HTTP request for the URL. With a bit of luck the browser then gets redirected to the safe HTTPS version. An attacker that can use a MitM attack on the connection can prevent this redirect. -For this reason HSTS (Hypertext Strict Transport Security) has been invented. This let's a website state "always use HTTPS to connect to me". Which the browser will remember, so don't let those certificates expire. +For this reason HSTS (Hypertext Strict Transport Security) has been invented. This let's a website state "always use HTTPS to connect to me". Which the browser will remember. So don't let those certificates expire. + +Protocols of this type are called Trust On First Use (TOFU). This is a pretty bad idea, but it's better than nothing at all. ] --- .left-column[ ## HSTS preloading ] .right-column[ -The big problem with HSTS is that it only helps after visiting the target website for the first time. If an attacker can MitM the first connection they can prevent the HTTPS from ever being used and the HSTS header from ever being set. To counter this HSTS preloading was invented. This is a mechanism where sites are pre-registered in a browser as being HTTPS only sites. You can apply for this registration[*] and in the next browser version your site will be included in a built in list. +The big problem with HSTS is that it only helps after visiting the target website for the first time. If an attacker can MitM the first connection they can prevent the HTTPS from ever being used and the HSTS header from ever being set. To counter this HSTS preloading was invented by Google. This is a mechanism where sites are pre-registered in a browser as being HTTPS only sites. 
You can apply for this registration[*] and in the next browser version your site will be included in a built in list. + +The downside of this is, of course, that it gives Google more control than it should have. But not excessively so, as the failure mode is back to HSTS TOFU. .footnote[[*] https://hstspreload.org/] ] @@ -426,6 +430,7 @@ There is much much more that we could cover, but won't. Including but not limite - Certificate transparancy logs/monitors/auditors - ACME - CRLs +- HPKP - ... ]
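Review bot: on the first hunk, the rewritten HSTS line keeps a wrong expansion; HSTS stands for HTTP Strict Transport Security, not "Hypertext Strict Transport Security", and the same line still has `This let's a website state`, which should be `This lets a website state`. Since the line is being touched anyway, fix both there rather than in a follow-up. The new TOFU paragraph is a good addition, but "This is a pretty bad idea" reads as a throwaway; it would land better if it named the exposure the next slide picks up, e.g. "the first, unprotected visit is the window an attacker gets", so the preloading slide follows naturally. Also in this hunk, `built in list` should be `built-in list`.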
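Review bot: on the second hunk, `- HPKP` is the only bare acronym in the "won't cover" list with no expansion, while the deck already introduced certificate pinning a few slides earlier (`These kind of checks are called certificate pinning.`); suggest `- HPKP (HTTP Public Key Pinning)` so readers tie the two together. While editing this list, the unchanged context line `Certificate transparancy` is misspelled (`transparency`) and `These kind of checks` should be `These kinds of checks`; both are outside the hunk, so either widen the change or note them for a separate fix.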