HTTP Strict Transport Security (HSTS) is a simple mechanism that secure sites can use to protect their users against an sslstrip-style HTTPS-to-HTTP downgrade attack.

Typical attack

The typical HTTPS-to-HTTP downgrade attack looks like this:

  1. victim connects to a compromised wifi access point
  2. victim's DNS lookups now go through the attacker's resolver
  3. attacker directs victim to a local server proxying the homepage
  4. victim clicks on the "online banking" link as usual, not noticing that it's an HTTP link instead of the usual HTTPS link
  5. attacker mounts a man-in-the-middle attack on that HTTP online banking login page
  6. victim leaks credentials to attacker

You can watch a short video demo of this attack, but if you don't want to set any of this up on your server, it turns out you can buy a little USB device that does it all for you.

What HSTS does

The fix is simple: let the browser know that it should never connect to the online banking site over plain HTTP. From then on the browser rewrites any http:// link or typed address for that host to https:// before opening a connection, so the cleartext request in step 4 above is never sent and there is nothing for the attacker to intercept.

How should a site let the browser know? By including an HTTP header in its HTTPS responses (max-age is in seconds; 10886400 is 126 days):

Strict-Transport-Security: max-age=10886400

It works in Chrome, Firefox and Opera. Other browsers ignore the header and don't benefit from this protection, but it also doesn't interfere with anything on those browsers. So anybody with an HTTPS-only site should make use of this. Two things to keep in mind: browsers only honour the header when it arrives over HTTPS (a copy sent on a plain HTTP response is ignored), and the policy only exists once the user has visited the site securely at least once, after which it is remembered for max-age seconds and refreshed on every later HTTPS response.
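As an added example (not code from the original post, and not the script the post refers to at the end), here is a small Python checker for this header. It fetches an https:// URL, reads the Strict-Transport-Security value from the final response and parses it the way RFC 6797 says a browser should: max-age in seconds, the optional includeSubDomains directive (not mentioned above; it extends the policy to subdomains of the host), unknown directives ignored, and a header with a missing, duplicate, negative or non-numeric max-age treated as if it were absent. It refuses plain http:// URLs, and reports nothing if a redirect ends up on HTTP, because browsers ignore the header in both cases. The hostname in the usage line is a placeholder, not one of the banks in the tables.

```python
"""Report whether a site sends an HSTS policy, and what it says.

Added example for this post; not the author's script. Usage:
    python hsts_check.py https://online.example-bank.test/
The hostname above is a placeholder, not one of the banks in the tables.
"""
import sys
import urllib.request
from urllib.error import URLError


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value as RFC 6797 requires.

    Returns {'max_age': int, 'include_subdomains': bool}, or None when a
    browser would ignore the header: no max-age, a non-numeric or negative
    max-age, or any directive given twice. Directive names are
    case-insensitive; unknown directives are skipped.
    """
    if value is None:
        return None
    max_age = None
    include_subdomains = False
    seen = set()
    for directive in value.split(";"):
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')     # the value may be a quoted-string
        if not name:
            continue                     # empty segment, e.g. a trailing ';'
        if name in seen:
            return None                  # duplicate directive: whole header invalid
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():        # rejects "", "-1", "1e3", "abc"
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None                      # max-age is the one required directive
    return {"max_age": max_age, "include_subdomains": include_subdomains}


def describe(policy):
    """Human-readable summary of a parsed policy (None means no protection)."""
    if policy is None:
        return "no usable HSTS policy"
    if policy["max_age"] == 0:
        return "max-age=0 (tells the browser to forget any stored policy)"
    text = "max-age=%d (%.1f days)" % (policy["max_age"], policy["max_age"] / 86400.0)
    if policy["include_subdomains"]:
        text += ", includeSubDomains"
    return text


def fetch_hsts_header(url, timeout=10):
    """Return the Strict-Transport-Security value of the final response for url.

    Only https:// URLs are accepted: a browser ignores this header on a plain
    HTTP response, so checking one would report protection that does not exist.
    Redirects are followed and the header is read from wherever they end up;
    if that is an http:// page, there is nothing a browser would honour.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("HSTS is only honoured over HTTPS, refusing " + url)
    request = urllib.request.Request(url, headers={"User-Agent": "hsts-check/1.0"})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        if not response.geturl().lower().startswith("https://"):
            return None
        return response.headers.get("Strict-Transport-Security")


def check(url):
    """Return (url, summary) for one site; network or input errors become text."""
    try:
        header = fetch_hsts_header(url)
    except (ValueError, URLError, OSError) as exc:
        return (url, "error: %s" % exc)
    return (url, describe(parse_hsts(header)))


if __name__ == "__main__":
    for site in sys.argv[1:]:
        print("%-45s %s" % check(site))
```

Point it at the online banking login URL rather than the marketing homepage: that is the page whose HTTP version the attack above impersonates, and a site that only sets the header on its homepage leaves the login host unprotected. A reported error on a 4xx or 5xx response is deliberate: the header can only be trusted on a successful HTTPS response.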

How many banks use it?

Given how easy it is to implement (and the fact that it's been in browsers since Chrome 4 and Firefox 4), how many of the Australasian banks actually make use of it? After all, almost all of the documentation explaining the motivation behind HSTS uses online banking as an example.

Here are all of the New Zealand banks I tested (checking for the header on each bank's online banking URL):

Bank          Header?
ANZ           no
ASB           yes
BankDirect    no
BNZ           no
Kiwibank      no
Rabobank      no
SBS           no
TSB           no
Westpac       no

and the Australian banks I looked at:

Bank                 Header?
ANZ                  no
Bank of China        no
Bank of Melbourne    no
Bankwest             no
Bendigo Bank         no
Bank of Queensland   no
Citibank             no
Commonwealth Bank    no
Heritage Bank        no
ME Bank              no
NAB                  no
Rabobank             no
St. George           no
Suncorp Bank         no
Westpac              no

So, well done ASB! Not only do you stand out from your peers, but you also allowed New Zealand to beat Australia in terms of HSTS coverage :)

Here's the script I used to generate these results:

Feel free to leave a comment or email me if I missed an Australasia-based banking site.