
"Enforce HTTPS" Field for Domains to Prevent SSL Stripping?

Posted: Sat Mar 23, 2013 3:52 am
by biolizard89
Right now, the 2.0 .bit spec allows fingerprints to be specified for SSL/TLS connections, but offers no way to specify that HTTP clients should enforce HTTPS-only connections. As a result, tools like sslstrip can still MITM the websites if the user neglects to type the "https" in the URL bar. The HTTP Strict Transport Security (HSTS) specification attempts to allow servers to specify this, but doesn't protect the initial connection where the HSTS header is sent.

Info on HSTS: https://en.wikipedia.org/wiki/HTTP_Stri ... t_Security

I propose adding a field to the .bit spec which requires conforming HTTP clients to only make HTTPS connections to the .bit domain. I don't think the exact HSTS syntax (where it specifies a period in seconds for which the header is valid) is necessary in .bit, since the HSTS syntax is assuming that the header can't be checked each time a connection is made. (Namecoin cannot be easily MITMed, while HTTP easily can be.) So how about this syntax:

To enforce HTTPS on a domain:

Code:

"enforce-https": "true"
To not enforce HTTPS (this would be the default):

Code:

"enforce-https": "false"
To enforce HTTPS on a domain and all subdomains:

Code:

"enforce-https": "includeSubDomains"
Other suggestions for alternative syntax would be great to hear too.

What do people think of this proposal?
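As an added illustration of the client-side behaviour the proposal calls for (this is example code written for this thread, not part of the .bit spec or any Namecoin client), the following resolves the proposed "enforce-https" field against a constructed set of sample .bit values and rewrites a plain http:// URL to https:// before any request leaves the client. The registered-name lookup (last two labels of the host) and the rejection of unrecognised field values are assumptions made here for the example.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample .bit values (not real registrations) using the syntax proposed above.
SAMPLE_VALUES = {
    "example.bit": json.loads('{"ip": "192.0.2.10", "enforce-https": "true"}'),
    "shop.bit": json.loads('{"ip": "192.0.2.11", "enforce-https": "includeSubDomains"}'),
    "blog.bit": json.loads('{"ip": "192.0.2.12"}'),  # field absent: the default is "false"
}

VALID = {"true": "self", "includeSubDomains": "subdomains", "false": "none"}


def enforce_policy(value):
    """Map the proposed "enforce-https" field to one of: none, self, subdomains.

    A value outside the proposal is rejected rather than silently treated as
    "false", so a typo in a registration cannot quietly disable the protection
    (assumption: the proposal does not say how unknown values are handled).
    """
    raw = value.get("enforce-https", "false")
    if raw not in VALID:
        raise ValueError("unrecognised enforce-https value: %r" % (raw,))
    return VALID[raw]


def https_required(value, name, host):
    """name is the registered .bit domain the value belongs to; host is what the user typed."""
    policy = enforce_policy(value)
    host = host.lower().rstrip(".")
    if policy == "none":
        return False
    if host == name:
        return True
    # "includeSubDomains" covers hosts below the registered name only, not look-alikes.
    return policy == "subdomains" and host.endswith("." + name)


def upgrade_url(values, url):
    """Rewrite an http:// URL to https:// whenever the matching .bit record enforces
    HTTPS, so no cleartext request is ever sent; other URLs pass through unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return url
    host = parts.hostname
    # Assumption for the example: the registered name is the last two labels, e.g. "example.bit".
    name = ".".join(host.split(".")[-2:])
    value = values.get(name)
    if value is None or not https_required(value, name, host):
        return url
    # Drop an explicit :80 since the default HTTPS port now applies; keep any other port.
    netloc = host if parts.port in (None, 80) else "%s:%d" % (host, parts.port)
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The check runs entirely on the locally resolved Namecoin value, which is the point of the proposal: unlike an HSTS header, nothing has to be fetched over HTTP first for the client to learn that the site is HTTPS-only.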

Re: "Enforce HTTPS" Field for Domains to Prevent SSL Strippi

Posted: Fri Jun 28, 2013 10:15 pm
by phelix
Is this obsolete now with the new TLS implementation or not?

Re: "Enforce HTTPS" Field for Domains to Prevent SSL Strippi

Posted: Sat Jun 29, 2013 12:23 am
by biolizard89
phelix wrote: Is this obsolete now with the new TLS implementation or not?
It is not obsolete; even with the TLS implementation a user could forget to type "https" and be subject to an sslstrip attack. I think the proposal outlined in the original post should still be adopted.

Re: "Enforce HTTPS" Field for Domains to Prevent SSL Strippi

Posted: Sat Jun 29, 2013 10:12 am
by phelix
biolizard89 wrote:
phelix wrote: Is this obsolete now with the new TLS implementation or not?
It is not obsolete; even with the TLS implementation a user could forget to type "https" and be subject to an sslstrip attack. I think the proposal outlined in the original post should still be adopted.
ok and +1 (maybe a little shorter)

Re: "Enforce HTTPS" Field for Domains to Prevent SSL Strippi

Posted: Thu Jul 04, 2013 8:32 pm
by khal
It is an interesting feature that will have even more value in namecoin (if you use a proxy like Convergence for example), because the proxy can block the http request (locally) or redirect to https and no clear request has gone through the internet at all.

I would like to rename "fingerprint" to "sha1" too (because other checksums can be used for more reliability [firefox displays also the md5, huhu]), and put this in a "https" record.

Something like this:

Code:

{
  "ip": "xx.xx.xx.xx",
  "https":
  {
    "sha1": "xx:xx:xx:xx:xx:xx.../xxxxxxxxxxxx...",
    "enforce": "self/*"
  }
}
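To show how a client would use the "sha1" value in the nested record khal sketches, here is an added example (written for this thread, not code from the dot-bit project) that computes the SHA-1 fingerprint of a presented certificate, parses the record's fingerprint in the colon-separated hex form Firefox displays (an assumption about the intended format; the "/..." variant in the sketch is not interpreted), and compares the two in constant time. The certificate bytes and the record are constructed stand-ins, and failing closed on a missing or malformed record is a policy chosen here, not one the sketch specifies.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a server's DER-encoded certificate (not a real certificate).
SAMPLE_CERT_DER = b"constructed-example-certificate-bytes"


def format_fingerprint(cert_der):
    """SHA-1 of the DER certificate as colon-separated upper-case hex pairs."""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_fingerprint(text):
    """Accept upper/lower case with or without colons; return the 20 raw bytes, or None."""
    cleaned = text.replace(":", "").strip()
    if len(cleaned) != 40:
        return None
    try:
        return bytes.fromhex(cleaned)
    except ValueError:
        return None


def certificate_matches_record(cert_der, value):
    """True only if the value has an "https" record whose "sha1" matches the presented
    certificate. A missing or malformed record fails closed (assumption for this example)."""
    record = value.get("https")
    if not isinstance(record, dict):
        return False
    expected = parse_fingerprint(str(record.get("sha1", "")))
    if expected is None:
        return False
    actual = hashlib.sha1(cert_der).digest()
    # Constant-time comparison so a mismatch position is not observable through timing.
    return hmac.compare_digest(actual, expected)


# Constructed record in the shape proposed above, pinned to the sample certificate.
SAMPLE_VALUE = json.loads(
    '{"ip": "192.0.2.10", "https": {"sha1": "%s", "enforce": "self/*"}}'
    % format_fingerprint(SAMPLE_CERT_DER)
)
```

A client (or a local proxy of the kind khal mentions) would run certificate_matches_record against the certificate received in the TLS handshake and refuse the connection when it returns False, since the Namecoin value, not a certificate authority, is what vouches for the key here.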

Re: "Enforce HTTPS" Field for Domains to Prevent SSL Strippi

Posted: Fri Jul 12, 2013 7:50 pm
by biolizard89
khal wrote: It is an interesting feature that will have even more value in namecoin (if you use a proxy like Convergence for example), because the proxy can block the http request (locally) or redirect to https and no clear request has gone through the internet at all.

I would like to rename "fingerprint" to "sha1" too (because other checksums can be used for more reliability [firefox displays also the md5, huhu]), and put this in a "https" record.

Something like this:

Code:

{
  "ip": "xx.xx.xx.xx",
  "https":
  {
    "sha1": "xx:xx:xx:xx:xx:xx.../xxxxxxxxxxxx...",
    "enforce": "self/*"
  }
}
I think "tls" would be a better name for the record than "https" because the fingerprint could be for a TLS-secured protocol other than HTTPS. For example, I could imagine using this for SSH connections. Other than that, I think your modifications would be an improvement.

Re: "Enforce HTTPS" Field for Domains to Prevent SSL Strippi

Posted: Mon Jul 15, 2013 11:48 am
by khal
I've added the "tls" record in the spec (last one) and marked "fingerprint" as deprecated:
https://dot-bit.org/Namespace:Domain_na ... alue_field

Does it seem ok to you?

Re: "Enforce HTTPS" Field for Domains to Prevent SSL Strippi

Posted: Mon Jul 15, 2013 12:18 pm
by moa
"tls" is good.

It is interesting to read this in the wiki for HSTS and realise how NMCSEC (which is what I call TLS for namecoin), as opposed to DNSSEC, is the superior solution ...
Applicability

The most important security vulnerability that HSTS can fix is SSL-stripping man-in-the-middle attacks, first introduced by Moxie Marlinspike in his 2009 BlackHat Federal talk "New Tricks For Defeating SSL In Practice."[16] The SSL stripping attack works (on both SSL and TLS) by transparently converting a secure HTTPS connection into a plain HTTP connection. The user can see that the connection is insecure, but crucially there is no way of knowing whether the connection should be secure. Many websites do not use TLS/SSL, therefore there is no way of knowing (without prior knowledge) whether the use of plain HTTP is due to an attack, or simply because the website hasn't implemented TLS/SSL. Additionally, no warnings are presented to the user during the downgrade process, making the attack fairly subtle to all but the most vigilant. Marlinspike's sslstrip tool fully automates the attack.

HSTS addresses this problem[15] by informing the browser that connections to the site should always use TLS/SSL. The HSTS header can be stripped by the attacker if this is the user's first visit. The Chrome browser attempts to limit this problem by including a "pre-loaded" list of HSTS sites.[17] Unfortunately this solution cannot scale to include all websites on the internet; a potential solution might be achieved by using DNS records to declare HSTS Policy, and accessing them securely via DNSSEC, optionally with certificate fingerprints to ensure validity (although DNSSEC will have secure last mile issues for the foreseeable future[18]).[19] HSTS can also help to prevent having one's cookie-based website login credentials stolen by widely available tools such as Firesheep.[20]
https://en.wikipedia.org/wiki/HTTP_Stri ... t_Security

Re: "Enforce HTTPS" Field for Domains to Prevent SSL Strippi

Posted: Mon Jul 15, 2013 6:31 pm
by biolizard89
@khal: yep, looks good to me.

@moa: yeah, DNSSEC is a joke in my opinion (and in the opinion of a lot of security experts who know far more than I do). It's great to be able to participate in Namecoin and know that we're on the frontier of making the Internet a better, more secure place. :)

Re: "Enforce HTTPS" Field for Domains to Prevent SSL Strippi

Posted: Mon Jul 15, 2013 8:39 pm
by Luke-Jr
I dislike the idea of assuming domains are only for webserving.
Can this be made generic?