As a protection against attacks such as SSLstrip, the HSTS header prevents an attacker from downgrading a connection from HTTPS to HTTP, as long as the attributes of the header are properly configured.

However, HTTP/2, whilst not making encryption mandatory, is implemented with a mandatory TLS connection in modern browsers, according to Wikipedia.

In that case, is there any point in having the HSTS header enabled when using HTTP/2? Can an attacker force the client to use HTTP/1 and in turn SSLstrip the connection? Is HTTP/2 enough, does it make the HSTS header obsolete?

sanmai
user96649
  • What about the clients who don't support HTTP/2, but support HTTP/1.1 and HSTS? –  Feb 18 '20 at 13:59
  • What about standards-compliant browsers that don't require TLS with HTTP/2? – user253751 Feb 20 '20 at 10:57
  • "Can an attacker force the client to use HTTP/1" - yes, definitely. All browsers that support HTTP but not HTTP 2.0 without TLS will happily connect over HTTP/1.1. In fact, even browsers that *do* support HTTP 2.0 without TLS will connect over HTTP/1.1 if that's all that seems to be available. – user2428118 Feb 20 '20 at 15:06

2 Answers

Yes, HSTS is still needed, including HSTS preload.

The way a browser connects to HTTP/2 is through a URL that looks exactly the same as the URL for HTTP/1, so it doesn't know that it must be HTTP/2 just from looking at the URL. It will try plain cleartext HTTP if it is given an http:// URL. In order for the browser to not try plain HTTP (and not be subject to attacks from a rogue WiFi AP, etc.), the URL must be https:// (and then the HTTP/2 upgrade will happen through ALPN), and the way to ensure that regardless of what the user types in the address bar or an external link says, is using HSTS.

Z.T.
You are correct on both your first 2 points.

> As a protection against attacks such as SSLstrip, the HSTS header prevents an attacker from downgrading a connection from HTTPS to HTTP, as long as the attributes of the header are properly configured.

Yes, so the HSTS header tells the browser to only access the web server over a secure connection, thereby rejecting connections over HTTP, and redirecting them to HTTPS.

> However, HTTP/2, whilst not making encryption mandatory, is implemented with a mandatory TLS connection in modern browsers, according to Wikipedia.

Right, most of the major browsers will only support HTTP/2 over HTTPS.

> In that case, is there any point in having the HSTS header enabled when using HTTP/2? Can an attacker force the client to use HTTP/1 and in turn SSLstrip the connection? Is HTTP/2 enough, does it make the HSTS header obsolete?

The web server implementing HTTP/2 doesn't force an HTTPS connection. It's just a browser requirement that HTTP/2 will only be supported over TLS. HTTP/2 is defined both for HTTP URIs and for HTTPS URIs.

What happens when a user tries to load a website over HTTP? HTTP/1.1 is the fallback protocol if HTTP/2 fails. So, HTTP/2 enabled sites may still very much be vulnerable to SSL-stripping MitM attacks.

Kyle Fennell
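Both answers come down to one question: does the browser's first request leave as http://, regardless of whether the server speaks HTTP/2? The Python model below is an added example, not code from either answer: it parses a Strict-Transport-Security header, checks the attributes the question calls "properly configured" (long max-age, includeSubDomains, preload), and decides whether a navigation goes out as cleartext HTTP/1.1 given a cached or preloaded policy. Every hostname, header value and preload entry it is given is constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None if max-age is missing or invalid."""
    max_age, include_subdomains, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)


def is_properly_configured(policy: HstsPolicy) -> bool:
    """'Properly configured' in the question's sense: at least a year, subdomains, preload."""
    return policy.max_age >= 31536000 and policy.include_subdomains and policy.preload


def covered(host: str, policies: Dict[str, HstsPolicy]) -> bool:
    """True if a policy for host, or for a parent domain with includeSubDomains, is known."""
    labels = host.split(".")
    for i in range(len(labels)):
        policy = policies.get(".".join(labels[i:]))
        if policy and (i == 0 or policy.include_subdomains):
            return True
    return False


def first_request_is_cleartext(url: str, hsts_cache: Dict[str, HstsPolicy],
                               preload_list: Dict[str, HstsPolicy], supports_http2: bool = True) -> bool:
    """True if the first request for url leaves as plain HTTP/1.1 (the window SSLstrip needs).
    supports_http2 is deliberately unused: an http:// URL never reaches the TLS/ALPN step."""
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0].split(":", 1)[0].lower()
    if scheme == "https":
        return False
    # A cached or preloaded HSTS entry rewrites http:// to https:// before anything is sent.
    return not (covered(host, hsts_cache) or covered(host, preload_list))
```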