HTTP Strict Transport Security is a simple mechanism that secure sites can use to protect their users against an sslstrip-style HTTPS-to-HTTP downgrade attack.

Typical attack

The typical HTTPS-to-HTTP downgrade attack looks like this:

  1. victim connects to a compromised wifi access point
  2. victim connects to bank.com using attacker's DNS resolver
  3. attacker directs victim to a local server proxying the bank.com homepage
  4. victim clicks on "online banking" link as usual not noticing that it's an HTTP link instead of the usual HTTPS link
  5. attacker mounts a man-in-the-middle attack over that HTTP online banking login page
  6. victim leaks credentials to attacker

You can watch a short video demo of this attack, but if you don't want to set any of this up on your server, it turns out you can buy a little USB device that does it all for you.

What HSTS does

The fix is simple: let the browser know that it should never connect to the online banking site over plain HTTP. It should automatically upgrade to an encrypted HTTPS connection.

How should a site let the browser know? By including an HTTP header in its responses:

Strict-Transport-Security: max-age=10886400

It works in Chrome, Firefox and Opera. Other browsers don't benefit from this protection, but it also doesn't interfere with anything on those other browsers. So anybody with an HTTPS-only site should make use of this.
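The kind of check behind the tables below, as an added example (this is my own illustration, not the author's hsts-check script): parse_hsts() reads a Strict-Transport-Security value the way a browser does (max-age is mandatory, directives are case-insensitive, a malformed or max-age=0 header gives no protection), classify() turns a response into the YES!/no verdict, and fetch_headers() is an optional helper for running it against a real host. The function names and the sample headers are constructed for this example; the 10886400-second value is the one quoted above.

```python
"""Classify a site's HTTP response headers for HSTS coverage.

Added example, not the hsts-check script from the post. Sample headers are
constructed; fetch_headers() is only used when run against a live host.
"""
import http.client
from dataclasses import dataclass
from typing import Dict, Mapping, Optional, Tuple

ONE_DAY = 24 * 60 * 60  # max-age=10886400 is exactly 126 days


@dataclass
class HstsPolicy:
    max_age: int              # seconds the browser will insist on HTTPS for the host
    include_subdomains: bool  # the policy also covers every subdomain
    preload: bool             # the site opts in to browser preload lists


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Directives are ';'-separated and case-insensitive (RFC 6797). max-age is
    required; unknown directives are ignored. Returns None for a malformed
    header, which a browser would ignore just like a missing one.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, directive_value = token.partition("=")
        name = name.strip().lower()
        directive_value = directive_value.strip().strip('"')
        if name == "max-age":
            if not directive_value.isdigit():
                return None  # e.g. max-age=abc: not a valid policy
            max_age = int(directive_value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def classify(scheme: str, headers: Mapping[str, str]) -> Tuple[str, str]:
    """Return ('YES!' | 'no', reason) for a response fetched over `scheme`."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "no", "no Strict-Transport-Security header"
    if scheme != "https":
        # Browsers only honour the header on a trusted HTTPS response, so a
        # header seen on a plain-HTTP page (e.g. injected or proxied) counts for nothing.
        return "no", "header only sent over plain HTTP"
    policy = parse_hsts(value)
    if policy is None:
        return "no", f"malformed header: {value!r}"
    if policy.max_age == 0:
        return "no", "max-age=0 tells the browser to forget the host"
    days = policy.max_age // ONE_DAY
    extra = " incl. subdomains" if policy.include_subdomains else ""
    return "YES!", f"HTTPS enforced for {days} days{extra}"


def fetch_headers(host: str, path: str = "/") -> Dict[str, str]:
    """Fetch the response headers of https://host/path (live check, not used in tests)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    return dict(resp.getheaders())


# Constructed sample responses mirroring the cases the tables distinguish.
SAMPLES = {
    "good-bank.example":     ("https", {"Strict-Transport-Security": "max-age=10886400"}),
    "no-header.example":     ("https", {"Content-Type": "text/html"}),
    "http-only.example":     ("http",  {"Strict-Transport-Security": "max-age=10886400"}),
    "cleared.example":       ("https", {"strict-transport-security": "max-age=0"}),
    "broken.example":        ("https", {"Strict-Transport-Security": "max-age=abc"}),
    "preloaded.example":     ("https", {"Strict-Transport-Security":
                                        "max-age=31536000; includeSubDomains; preload"}),
}


def run_samples() -> Dict[str, str]:
    """Verdict per constructed sample, keyed by host name."""
    return {host: classify(scheme, hdrs)[0] for host, (scheme, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for host, (scheme, hdrs) in SAMPLES.items():
        verdict, reason = classify(scheme, hdrs)
        print(f"{host:22} {verdict:5} {reason}")
```

To test a real login page, call classify("https", fetch_headers(host, path)) with the host and path from the tables; the verdict is only meaningful for the exact page users actually land on, since HSTS is remembered per host name.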

How many banks use it?

Given how easy it is to implement (and the fact that it's been in browsers since Chrome 4 and Firefox 4), how many of the Australasian banks actually make use of it? After all, almost all of the documentation explaining the motivation behind HSTS uses online banking as an example.

Here are all of the New Zealand banks I tested (the last column says whether the online banking login page sent a Strict-Transport-Security header):

Bank       | Online Banking URL                                            | HSTS header?
ASB        | https://fnc.asbbank.co.nz/1/User/LogOn                        | YES!
ANZ        | https://secure.anz.co.nz/IBCS/pgLogin                         | no
BankDirect | https://vault.bankdirect.co.nz/default.asp                    | no
BNZ        | https://www.bnz.co.nz/ib/app/login                            | no
HSBC       | https://www.hsbc.co.nz/1/2/HUB_IDV2/IDV_EPP...                | no
Kiwibank   | https://www.ib.kiwibank.co.nz/                                | no
Rabobank   | https://secure1.rabodirect.co.nz/exp/authenticationDGPEN.jsp  | no
SBS        | https://sbsbanking.sbs.net.nz/secure/                         | no
TSB        | https://homebank.tsbbank.co.nz/online/                        | no
Westpac    | https://sec.westpac.co.nz/IOLB/Login.jsp                      | no

and the Australian banks I looked at:

Bank              | Online Banking URL                                                                | HSTS header?
ANZ               | https://www.anz.com/INETBANK/bankmain.asp                                         | no
Bank of China     | https://ebs.boc.cn/BocnetClient/LoginFrameAbroad.do?_locale=en_US                 | no
Bank of Melbourne | https://ibanking.bankofmelbourne.com.au/ibank/loginPage.action                    | no
Bankwest          | https://ibs.bankwest.com.au/BWLogin/rib.aspx                                      | no
Bendigo Bank      | https://www.bendigobank.com.au/banking/BBLIBanking/                               | no
Bank of Queensland| https://www.ib.boq.com.au/boqbl                                                   | no
Citibank          | https://www.citibank.com.au/AUGCB/JSO/signon/DisplayUsernameSignon.do             | no
Commonwealth Bank | https://www.my.commbank.com.au/netbank/Logon/Logon.aspx                           | no
Heritage Bank     | https://online.hbs.net.au/hbsv47/ntv471.asp?wci=entry                             | no
HSBC              | https://www.hsbc.com.au/1/2/HUB_IDV2/IDV_EPP...                                   | no
ME Bank           | https://ib.mebank.com.au/ME                                                       | no
NAB               | https://ib.nab.com.au/nabib/index.jsp                                             | no
Rabobank          | https://secure.rabodirect.com.au/exp/policyenforcer/pages/loginB2CDGPEN.jsf?login | no
St. George        | https://ibanking.stgeorge.com.au/ibank/loginPage.action                           | no
Suncorp Bank      | https://internetbanking.suncorpbank.com.au/                                       | no
Westpac           | https://online.westpac.com.au/esis/Login/SrvPage                                  | no

Conclusion

So, well done ASB! Not only do you stand out from your peers, but you also allowed New Zealand to beat Australia in terms of HSTS coverage :)

Here's the script I used to generate these results: https://github.com/fmarier/hsts-check. Feel free to leave a comment or email me if I missed an Australasia-based banking site.

Another idea?
Another idea might be a browser plugin that caches IP addresses for visited sites - separate from the DNS cache on the computer - and warns the user if a site suddenly resolves to a different IP address than it usually does. Likewise if a site is usually accessed by HTTPS and one time it redirects to an HTTP version of itself, WARN THE USER! "This site has always in the past been secure. Now it's not. Something is wrong here. Go no further!!!" (Or else build this functionality straight into the browser?)
Comment by Adam
...but if the attacker is doing a man-in-the-middle ...

Why don't they just strip out the Strict-Transport-Security header?

Ah! I see. That is why the form of the header is Strict-Transport-Security: max-age=10886400. So that if you once log in to your bank on one trusted network, you are then protected everywhere else in future.

Comment by Tim Hunt
SSL issues
Given that some Australian banks are still supporting SSL 2.0 I'm not overly surprised they're a bit far behind. See ssllabs where at least Westpac gets rated an F in their analysis.
Comment by Aj