What is the best way to accomplish this and prevent attacks like SSL Strip?
- Accomplish what? If you're not forcing users to use SSL you are vulnerable to SSLStrip. What's the question? – KnightOfNi Apr 17 '14 at 03:25
- possible duplicate of [Security of an initial redirection from http://example.com to https://example.com](http://security.stackexchange.com/questions/44849/security-of-an-initial-redirection-from-http-example-com-to-https-example-co) – Gilles 'SO- stop being evil' Apr 17 '14 at 11:18
2 Answers
Train users to either always type https:// for your site, follow links from a site like google (that has hard-coded HSTS), or use a bookmark. (Do this training in addition to other sensible training policies: do not do security sensitive things on unsecured/public wifi or public computers, use strong passwords that aren't reused, etc.) Then try getting browser makers to hardcode your site into their preloaded HSTS-only lists.

Really not much else you can do.

EDIT: I'm not 100% sure about the specifics of SSL-Strip, but according to some, turning off port 80 (besides simply redirecting to https) will work to stop SSL Strip attacks. So it may be sensible, though you should acknowledge it is possible to go beyond SSLStrip to do a MitM attack against a site that serves HTTPS only, if you can trick the user into going to an HTTP site that points to a computer you control (e.g., after ARP spoofing) before they first connect. So while turning off HTTP (port 80), or having port 80 only send redirects to HTTPS (port 443), seems to be a sensible defensive move, you should be aware it does not prevent SSL stripping attacks in general.
- See http://security.stackexchange.com/questions/44849/security-of-an-initial-redirection-from-http-example-com-to-https-example-co/44976#44976 for more details. – Gilles 'SO- stop being evil' Apr 17 '14 at 11:20
- (1) Downvoted for the "train users" part. In my opinion, training users is never a reliable option. – KnightOfNi Apr 17 '14 at 13:26
- I'm not saying that training users will be reliable -- some users will find ways to ignore any sensible advice. But I am saying it is a sensible step in addition to others (like HSTS). At the very least it is a [CYA](http://en.wikipedia.org/wiki/Cover_your_ass) practice and at best some rare user actually follows your advice and notices the URL is not colored with `https` and stops an attack. – dr jimbob Apr 17 '14 at 17:17
- @KnightOfNi - And training users may not involve simply "sending an email" or making them take an online quiz. Training entails anything that can change the user's behavior. It could involve, say, serving `http` versions of pages where, as soon as they select the `password` field to start typing, a big warning pops up saying "THIS IS NOT AN HTTPS PAGE. NEVER TYPE A PASSWORD INTO AN HTTP PAGE. This was not a real attack, but attacks like this exist in the wild." (And then log whatever username/IP address was used there.) Sort of similar to http://ismycreditcardstolen.com/ – dr jimbob Apr 17 '14 at 17:33
- @drjimbob I agree that trying to train users is a good idea, but I don't think that it should ever be relied upon to any extent. Since it seems like that's what you meant I'll nix the downvote. – KnightOfNi Apr 17 '14 at 19:05
The only way is to not offer any sensitive data (this includes login forms already) on port 80. This way the client must switch to https, either by hand or automatically through redirection etc.
- (1) I don't believe this is correct. It will stop SSL Strip, but it won't stop attacks *like* SSL Strip. The attacker can create a perfect copy of the targeted website, and serve that on his own server's port 80. To create the perfect copy, he could just connect to the targeted server via HTTPS, and forward all traffic (with stripped SSL) to the victim. I believe the only correct answer is the one given by dr jimbob: train users to use HTTPS. – Michael Apr 17 '14 at 06:22
- HSTS does not prevent phishing, e.g. somebody mimicking your website somewhere else. And not offering sensitive data with http is training users to use https, or not? And phishing by mimicking a website can also be done with https, so training users just to use https is not enough. – Steffen Ullrich Apr 17 '14 at 11:16
- I think Michael was talking about MitM attacks, not phishing attacks. – Red Alert Apr 17 '14 at 18:17
- Now I see what he meant, thanks for clarifying. And yes, the only way would be to teach users to only use https. But this is not enough; one also has to teach users to use https only with trusted sites - and the trust can be really hard to determine, e.g. URL spoofing, trusted-sounding names like ebay.secure-shopping.com or similar. – Steffen Ullrich Apr 17 '14 at 18:32