HTTP Strict Transport Security is a simple mechanism that secure sites can use to protect their users against an sslstrip-style HTTPS-to-HTTP downgrade attack.
Typical attack
The typical HTTPS-to-HTTP downgrade attack looks like this:
- victim connects to a compromised wifi access point
- victim connects to bank.com using attacker's DNS resolver
- attacker directs victim to a local server proxying the bank.com homepage
- victim clicks on the "online banking" link as usual, not noticing that it's an HTTP link instead of the usual HTTPS link
- attacker mounts a man-in-the-middle attack over that HTTP online banking login page
- victim leaks credentials to attacker
You can watch a short video demo of this attack, but if you don't want to set any of this up on your server, it turns out you can buy a little USB device that does it all for you.
What HSTS does
The fix is simple: let the browser know that it should never connect to the online banking site over plain HTTP. It should automatically upgrade to an encrypted HTTPS connection.
How should a site let the browser know? By including an HTTP header in its responses:
Strict-Transport-Security: max-age=10886400
It works in Chrome, Firefox and Opera. Browsers that don't support it simply ignore the header, so it doesn't interfere with anything on those other browsers. Anybody with an HTTPS-only site should therefore make use of it.
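To make the browser side concrete, here is an added example (not code from this post or from the hsts-check script) that models what a supporting browser does with that header: it parses the directives, records the host with an expiry derived from max-age, refuses to learn a policy from a response that arrived over plain HTTP, and upgrades later http:// URLs for known hosts. The host names and clock values are constructed for illustration.

```python
# Added example, not from the original post or the hsts-check script:
# a small model of how a browser records an HSTS policy and applies it
# to later plain-HTTP URLs. Host names and clock values are constructed.
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    value is malformed (no max-age, a non-numeric or repeated max-age).
    Directive names are case-insensitive; unknown directives are ignored.
    """
    max_age = None
    include_subdomains = False
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, raw = token.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


def _get_header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


class HstsStore:
    """The browser's list of known HSTS hosts: host -> (expiry, subdomains)."""

    def __init__(self):
        self._hosts = {}

    def observe(self, url, headers, now):
        """Record the policy carried by a response, if any.

        A header seen over plain HTTP is ignored: anyone in the path could
        forge it, and the whole point is to distrust that channel.
        Returns True when the store was updated.
        """
        parts = urlsplit(url)
        value = _get_header(headers, "Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return False
        policy = parse_hsts(value)
        if policy is None:
            return False
        host = parts.hostname
        if policy["max_age"] == 0:
            self._hosts.pop(host, None)  # max-age=0 means "forget this host"
            return True
        self._hosts[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host, now):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now < expires_at and (i == 0 or include_subdomains):
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade an http:// URL to https:// for a known host, else return it unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        # Default port 80 becomes the default HTTPS port; explicit other ports are kept.
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    # Constructed: a first visit over HTTPS on a trusted network sets the policy.
    store.observe("https://bank.example/", {"Strict-Transport-Security": "max-age=10886400"}, now=0)
    # Later, on a hostile network, the "online banking" link is plain HTTP.
    print(store.rewrite("http://bank.example/online-banking", now=3600))
```

The `observe` check on the scheme is what makes the header robust against being injected or tampered with on the hostile network: the policy is only ever learned from a genuine HTTPS response, and once learned it keeps applying for the full max-age (18 weeks for the value quoted above) no matter which network the user is on later.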
How many banks use it?
Given how easy it is to implement (and the fact that it's been in browsers since Chrome 4 and Firefox 4), how many of the Australasian banks actually make use of it? After all, almost all of the documentation explaining the motivation behind HSTS uses online banking as an example.
Here are all of the New Zealand banks I tested:
Bank | Online Banking URL | Header? |
---|---|---|
ASB | https://fnc.asbbank.co.nz/1/User/LogOn | YES! |
ANZ | https://secure.anz.co.nz/IBCS/pgLogin | no |
BankDirect | https://vault.bankdirect.co.nz/default.asp | no |
BNZ | https://www.bnz.co.nz/ib/app/login | no |
HSBC | https://www.hsbc.co.nz/1/2/HUB_IDV2/IDV_EPP... | no |
Kiwibank | https://www.ib.kiwibank.co.nz/ | no |
Rabobank | https://secure1.rabodirect.co.nz/exp/authenticationDGPEN.jsp | no |
SBS | https://sbsbanking.sbs.net.nz/secure/ | no |
TSB | https://homebank.tsbbank.co.nz/online/ | no |
Westpac | https://sec.westpac.co.nz/IOLB/Login.jsp | no |
and the Australian banks I looked at:
Conclusion
So, well done ASB! Not only do you stand out from your peers, but you also allowed New Zealand to beat Australia in terms of HSTS coverage.
Here's the script I used to generate these results: https://github.com/fmarier/hsts-check. Feel free to leave a comment or email me if I missed an Australasia-based banking site.
Why don't they just strip out the Strict-Transport-Security header?
Ah! I see. That is why the form of the header is Strict-Transport-Security: max-age=10886400. So that if you once log in to your bank on one trusted network, you are then protected everywhere else in future.