HSTS protections can be circumvented by flooding the victim’s browser with directives, researchers have found

Since being approved by the Internet Engineering Steering Group in late 2012, HTTP Strict Transport Security (HSTS) has become a widely used web security policy mechanism to help protect websites against protocol downgrade attacks, cookie hijacking, and hacking tools such as SSLstrip.

HSTS provides an added level of security by stipulating that web browsers and servers should only interact using secure HTTPS connections, and never via the insecure HTTP protocol.

While the premise is relatively straightforward, researchers from Telefonica’s cybersecurity unit, ElevenPaths, have demonstrated how HSTS protections can be circumvented by flooding the victim’s browser with directives issued by an attacker-controlled domain.

Speaking at Black Hat Europe in London last week, ElevenPaths researchers Sheila Berta and Sergio de los Santos showed how SSL Certificate storage policies in Firefox and Chrome can allow an attacker to override HSTS protection.

“Firefox uses a TXT file with a limit of 1,024 entries to remember HSTS and HPKP domains,” de los Santos told The Daily Swig. “It seems that they thought it was unlikely that a user would need to store more than this, but in the event it was needed, they implemented a ‘score’ concept for each domain.

“The score indicates how often the user visits that domain on different days. A score of ‘0’ means that the header is expired or that it is the first day you have visited the site. The score goes to ‘1’ the next day if you visit it again, and so on.”

De los Santos explained how, in the event of Firefox needing to remove one of the 1,024 SSL entries to free up space, the one with the lowest score is replaced.

“What we did is implement an attack in two ways: a Bettercap JavaScript to inject and a special website,” he said. “Both send a lot of HSTS headers (what we call ‘junk entries’) with different subdomains.”

The researchers found that by flooding a victim’s Firefox browser with new directives, legitimate domains can be removed. “Evicting a domain from the 1,024 table is equal to disabling HSTS and HPKP, leaving the victim open to a man-in-the-middle attack,” de los Santos said.

The attack is even easier in Chrome, which the researchers said has no concept of score. “It stores HSTS and HPKP in a JSON file,” said de los Santos. “If you send a lot of HSTS and HPKP entries from a server from a man-in-the-middle attack, it will store all of them forever.”

By flooding the browser with thousands of HSTS and HPKP headers, in around 10 minutes the JSON file grows to 500 MB or more on the user’s hard drive, causing Chrome to freeze.
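The pattern the researchers describe, a single parent domain setting HSTS on hundreds of throwaway subdomains, is visible in proxy or web-filter logs. The following is an added detection example, not code from the article or from ElevenPaths: it parses `Strict-Transport-Security` header values (the `max-age`, `includeSubDomains` and `preload` directives from RFC 6797) and flags parents under which an unusually large number of distinct hostnames set a non-zero policy. The log lines are constructed, the threshold is an assumption, and the “last two labels” parent rule is a simplification of the Public Suffix List.

```python
"""Added example: flag HSTS flooding in response logs (not the article's code)."""
from collections import defaultdict

# Constructed sample log lines in the form "<host> <Strict-Transport-Security value>".
SAMPLE_LOG = [
    "bank.example.org max-age=31536000; includeSubDomains",
    "www.example.com max-age=63072000; includeSubDomains; preload",
] + [
    # 120 junk subdomains under one attacker-controlled parent (constructed)
    f"junk{i}.attacker.example max-age=31536000" for i in range(120)
] + [
    "cdn.example.com max-age=0",               # max-age=0 clears the policy
    "broken.example.net max-age=notanumber",   # invalid header, ignored
]


def parse_hsts(value):
    """Parse an HSTS header value into a dict of directives.

    Returns None when no valid max-age directive is present, since RFC 6797
    requires one for the header to be honoured.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            directives["max-age"] = int(val)
        elif name in ("includesubdomains", "preload"):
            directives[name] = True
    if "max-age" not in directives:
        return None
    return directives


def parent_domain(host):
    """Assumption: the last two labels are the registrable parent.

    A production tool would consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def hsts_flood_candidates(log_lines, threshold=50):
    """Return {parent: distinct_host_count} for parents whose number of
    distinct hostnames setting a non-zero HSTS policy exceeds threshold."""
    hosts_by_parent = defaultdict(set)
    for line in log_lines:
        host, _, header = line.partition(" ")
        directives = parse_hsts(header)
        if directives is None or directives["max-age"] == 0:
            continue
        hosts_by_parent[parent_domain(host)].add(host.lower())
    return {p: len(h) for p, h in hosts_by_parent.items() if len(h) > threshold}


if __name__ == "__main__":
    for parent, count in hsts_flood_candidates(SAMPLE_LOG).items():
        print(f"possible HSTS flood: {count} hosts under {parent}")
```

Running the script on the constructed log reports only `attacker.example`; the legitimate sites, which set HSTS on one or two hostnames each, stay below the threshold. Counting distinct hostnames rather than raw header occurrences is deliberate: a busy legitimate site repeats the same header on every response, whereas the flood relies on many different subdomains.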

“The only thing to be done is try to delete all your settings or remove this JSON,” said de los Santos. “This attack may be done from any website where you can insert a JavaScript.

“IE/Edge is more complex,” he added. “HSTS does not seem to work properly in this browser. We found the tables where this information is stored, but it only seems to work with popular domains.”