The typical HTTPS-to-HTTP downgrade attack looks like this:
- victim connects to a compromised wifi access point
- victim connects to bank.com using the attacker's DNS resolver
- attacker directs victim to a local server proxying the bank.com homepage
- victim clicks on the "online banking" link as usual, not noticing that it's an HTTP link instead of the usual HTTPS link
- attacker mounts a man-in-the-middle attack over that HTTP online banking login page
- victim leaks credentials to attacker
What HSTS does
The fix is simple: let the browser know that it should never connect to the online banking site over plain HTTP. It should automatically upgrade to an encrypted HTTPS connection.
How should a site let the browser know? By including an HTTP header in its responses:
It works in Chrome, Firefox and Opera. Other browsers don't benefit from this protection, but it also doesn't interfere with anything on those other browsers. So anybody with an HTTPS-only site should make use of this.
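As an added example (not the author's hsts-check script), here is a small Python checker that parses a Strict-Transport-Security header value the way RFC 6797 defines it and classifies sample responses. The hostnames and header values below are constructed, not real bank data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses: (scheme the response came over, response headers).
SAMPLE_RESPONSES = {
    "strict-bank.example": ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "zero-bank.example": ("https", {"Strict-Transport-Security": "max-age=0"}),
    "http-only.example": ("http", {"Strict-Transport-Security": "max-age=31536000"}),
    "no-hsts.example": ("https", {"Content-Type": "text/html"}),
}

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value (RFC 6797 section 6.1): directives separated by ';',
    names case-insensitive, max-age required and possibly quoted. Returns None when
    the header is invalid (missing, duplicate or non-numeric max-age)."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None  # browsers ignore the whole header in this case
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    return None if max_age is None else HstsPolicy(max_age, include_sub, preload)

def hsts_status(scheme: str, headers: dict) -> str:
    """Classify one response: 'missing', 'header-on-http' (browsers only honour STS
    received over HTTPS), 'malformed', 'max-age=0' (policy cleared) or 'protected'."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing"
    if scheme != "https":
        return "header-on-http"
    policy = parse_hsts(value)
    if policy is None:
        return "malformed"
    return "max-age=0" if policy.max_age == 0 else "protected"

if __name__ == "__main__":
    for host, (scheme, headers) in SAMPLE_RESPONSES.items():
        print(f"{host}: {hsts_status(scheme, headers)}")
```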
How many banks use it?
Given how easy it is to implement (and the fact that it's been in browsers since Chrome 4 and Firefox 4), how many of the Australasian banks actually make use of it? After all, almost all of the documentation explaining the motivation behind HSTS uses online banking as an example.
Here are all of the New Zealand banks I tested:
| Bank | Online Banking URL | Header? |
|---|---|---|
and the Australian banks I looked at:
So, well done ASB! Not only do you stand out from your peers, but you also allowed New Zealand to beat Australia in terms of HSTS coverage.
Here's the script I used to generate these results: https://github.com/fmarier/hsts-check. Feel free to leave a comment or email me if I missed an Australasia-based banking site.