
So back in 2015 there was a lot of talk about a method in which HSTS could be bypassed. Basically here is the method:

  1. Most people type a URL without adding http:// or https://, or simply click a link which directs them to the site they want.
  2. SSLStrip2 intercepts the request and changes all https to http, while the DNS also adds an extra letter to the domain (e.g. www.gooogle.com; not the subdomain, which is covered by HSTS).

An older method would change the URL from www.example.com to wwww.example.com, but HSTS is required to force all subdomains of example.com to require HTTPS if it is in its list of HTTPS sites. However, changing the actual domain name thwarts this prevention because www.examples.com is not in the HSTS list of sites.

A full explanation is here and here. SSLStrip2 and the DNS proxy were conveniently packaged in a tool called MITMf.

My question is, does this method of bypassing HSTS still work in 2017? If not, what methods have been used to prevent it?

  • On first visit, HSTS can always be bypassed (if preload is not used), and HSTS only forces subdomains if explicitly told to do so (which it should be with preload). That was true in 2015, and it is true now. Note that the second question you link contains an answer that states that the described attack was not feasible even in 2015; can you edit your answer so that it explicitly includes a description of the bypass you are talking about? And if possible also what changes in HSTS or its implementation leads you to believe that it may not be possible anymore (if it ever was)? – tim Aug 12 '17 at 22:20
  • To me, it sounds like the attack is a bypass in case preload is used, but no subdomain directive is set (which may be the case, even though it shouldn't be; the attack then uses a custom dns resolver and a custom subdomain without HSTS preloaded to bypass HSTS). I see no reason why there should be a change since 2015. I'm voting to close for now, but will reopen if you edit in more details. – tim Aug 12 '17 at 22:30
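As an added illustration of the point made in the comments (example code, not from the question or any answer), here is a minimal Python model of a browser's HSTS cache: a policy stored for example.com covers wwww.example.com only when includeSubDomains is set, never covers www.examples.com (a different registrable domain), and cannot help on a first visit unless the host is on the preload list. The preload map and header values below are constructed for the example.

```python
# Added example: a toy model of the "known HSTS hosts" store a browser keeps.
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    max_age: int              # seconds the policy stays valid
    include_subdomains: bool  # set only when includeSubDomains was sent
    expires_at: float


def parse_hsts(header: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797 directives)."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None        # malformed header: no policy is learned
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:            # max-age is mandatory
        return None
    return HstsPolicy(max_age, include_sub, now + max_age)


class HstsCache:
    """Policies keyed by exact hostname, plus a constructed preload list."""

    def __init__(self, preload=None):
        self.store = {}
        self.preload = dict(preload or {})   # host -> includeSubDomains flag

    def learn(self, host: str, header: str, now: float) -> None:
        policy = parse_hsts(header, now)
        if policy is None or policy.max_age == 0:
            self.store.pop(host, None)       # max-age=0 deletes the policy
        else:
            self.store[host] = policy

    def must_upgrade(self, host: str, now: float) -> bool:
        """Would an http:// request to host be rewritten to https://?"""
        labels = host.lower().split(".")
        for i in range(len(labels)):         # walk up the parent domains
            candidate, exact = ".".join(labels[i:]), i == 0
            p = self.store.get(candidate)
            if p and p.expires_at > now and (exact or p.include_subdomains):
                return True
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
        return False
```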
