Re: [websec] #34: HSTS cache manipulation and misuse by server enabled by wildcard cert

Sat, 14 Jan 2012 23:13:49 -0800 

Interesting. 

But I don't see how subdomains help. If I have a website called 
charcount-5.example.com, and I use a wildcard *.example.com certificate, the 
HSTS entry is still written for charcount-5.example.com. Adding subdomains 
would affect *.charcount-5.example.com, not 0-H.example.com.

I wouldn't want to force the includeSubdomains, as there may be valid reasons 
to have a subdomain of example.com that is HTTP, whereas the decision on buying 
a wildcard certificate is a matter of cost and convenience.

Yoav

On Jan 15, 2012, at 4:52 AM, websec issue tracker wrote:

> #34: HSTS cache manipulation and misuse by server enabled by wildcard cert
> 
> See..
> 
> The Double-Edged Sword of HSTS Persistence and Privacy --  by Mikhail
> Davidov
> http://haxsys.net/2011/04/the-double-edged-sword-of-hsts-persistence-and-
> privacy/
> 
> summary:
> 
> This technique allows a web app on one domain to surreptitiously send a
> message to another web app on another domain via manipulation of the HSTS
> cache...
> 
> If server wields a wildcard cert, eg for "*.example.com", then example.com
> can create any number of subdomains of example.com, with any subdomain
> name, and then direct user agents to fetch resources from these
> subdomains. If HSTS Policy is returned for each of these subdomains, and
> includeSubDomains is not used, then any number of entries will be created
> in in the user agent's HSTS store. E.g., an web page like the below would
> accomplish this..
> 
>   [img]https://charcount-5.example.com/setbit.png[/img]      -- this
> stores the char count of the msg
> 
>   [img]https://0-H.example.com/setbit.png[/img]
>   [img]https://1-E.example.com/setbit.png[/img]
>   [img]https://2-L.example.com/setbit.png[/img]
>   [img]https://3-L.example.com/setbit.png[/img]
>   [img]https://4-O.example.com/setbit.png[/img]
> 
> 
> These entries can be read back by some other web application under some
> other domain name by causing the user agent to send HTTP requests to
> example.com in order to brute-force the character count subdomain name --
> the server responds whether the name is available over just http -- which
> means it is a miss, or over HTTPS, which is a hit..
> 
>   http://charcount-1.trackingexampledomain.com/getbit.png [ Server: HTTP ]
>   http://charcount-2.trackingexampledomain.com/getbit.png [ Server: HTTP ]
>   http://charcount-3.trackingexampledomain.com/getbit.png [ Server: HTTP ]
>   http://charcount-4.trackingexampledomain.com/getbit.png [ Server: HTTP ]
>   http://charcount-5.trackingexampledomain.com/getbit.png [ Server: HTTPS!
> ]   -- msg char count is 5
> 
> Then the web app can brute force each character of the message in a
> similar fashion.
> 
> the original message-sending domain web app can clear the cached message
> by causing the user agent to re-request resources from the same dubdomains
> and returning a HSTS header for each with max-age=0.
> 
> For a resolution, Mikhail suggests..
> 
> "My proposal is to amend the draft to force the includeSubDomains flag on
> wildcard certificates. This would limit them to only one entry in the
> browsers HSTS database and make the technique above prohibitively
> expensive to non-CA owners as a separate signed SSL certificate would be
> needed for every bit of information stored and limit encoding options."
> 
> -- 
> -------------------------+-------------------------------------------------
> Reporter:               |      Owner:  draft-ietf-websec-strict-transport-
>  jeff.hodges@…          |  sec@…
>     Type:  defect       |     Status:  new
> Priority:  major        |  Milestone:
> Component:  strict-      |    Version:
>  transport-sec          |   Keywords:
> Severity:  Active WG    |
>  Document               |
> -------------------------+-------------------------------------------------
> 
> Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/34>
> websec <http://tools.ietf.org/websec/>
> 
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
> IƧ��[�(^rC�{S�֥I�.�+r�^��

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec

Reply via email to