
There seems to be widespread support for the idea that election-related websites, of all things, should be resistant to man-in-the-middle attacks. The secret ballot makes detecting and recovering from SSL-stripping more difficult than the average web use case.

Yet analysis of the Chrome preload list reveals that almost no election-related websites are present, with the exception of Swiss Post's online voting system. So I've been trying to encourage and promote HSTS preload adoption among election agencies and online voting vendors.

As people encounter HSTS preloading for the first time, one of the first questions seems to be: if it's so great, why isn't everyone using it? For better or worse, banks are regarded as a benchmark for web security and in particular I've been getting this question:

If HSTS preloading is so great, why aren't the banks using it?

Indeed if you check your own financial institution against the preload list you will likely find it absent:

https://hstspreload.com/api/v1/status/<your bank>

There are several possibilities, though in my observation if a site is not on the preload list, the site owner typically either:

  • Doesn't know about the preload list, or
  • Is worried that adding their site might break something in their web infrastructure.

With the banks, the best I can think of is that they rely heavily on an internal, unencrypted intranet that would be denial-of-serviced if they added themselves to the list. But that's just speculation, and I would be grateful to anyone with knowledge of their rationale.

Luc

Comments:
  • HSTS can break older browsers – schroeder Oct 09 '18 at 13:27
  • But is that really true? See e.g., https://security.stackexchange.com/questions/137208/accessing-hsts-server-with-an-unsupported-browser – prhymethyme Oct 09 '18 at 13:31
  • I happened to see this from Facebook the other day: https://www.facebook.com/notes/facebook-engineering/secure-browsing-by-default/10151590414803920/ Skip down to the HSTS section. – schroeder Oct 09 '18 at 13:41
  • You can easily extend your question to many other kinds of websites: governments, credit card handling companies, health-related organizations, etc. – Patrick Mevzek Oct 09 '18 at 15:20
  • Well, there are hundreds of .gov sites on the preload list already, and some payment systems (PayPal, Stripe, etc.). There's no question there are still conspicuous absences. Banks just seem to be the most natural choice for preloading, while simultaneously most absent from the list. – prhymethyme Oct 09 '18 at 16:20
  • Facebook can't invade your privacy as well if they use HSTS, at least until 1st party cookies get rolling... – dandavis Oct 09 '18 at 16:45
  • @schroeder That article is from 2013, and it appears that since then, Facebook has rolled out HSTS. – Joseph Sible-Reinstate Monica Oct 10 '18 at 12:20
  • @JosephSible yes, that's right, but it indicates the wider problem – schroeder Oct 10 '18 at 12:56
  • My personal experience: when bank employees speak of "security" of payments, they mean that the bank (or payment processor) can make the cost of fraud fall on someone else (someone that has done nothing wrong). They have a twisted use of words. Treat them like politicians. – curiousguy Dec 24 '18 at 03:09
