
#1 2018-04-09 19:49:58

diederick76
Member
Registered: 2010-02-14
Posts: 157

HSTS is on but how?

I'm currently running Nextcloud in a directory of my tld. I want to move it to a sub domain, so I've set up a virtual host for it and added the A/AAAA records to my DNS records. certbot needs the site to be available over port 80, but somehow, I can't seem to turn off HSTS. The way I've tried doing that was by commenting out these lines in /etc/httpd/conf/httpd.conf:

#<IfModule mod_headers.c>
#Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
#</IfModule>

But it didn't work.

Let's Encrypt also put a file called le-redirect-diederickdevries.net\:443.conf in my configuration folder. I removed it. Didn't help either.

Not knowing how to proceed, I even stopped Apache and installed Nginx. I configured nginx with a simple unencrypted 80 port and didn't even bother with ssl for now, but whenever I approach the domain, it *still* says HSTS is active!

How is this possible? Is HSTS somehow implemented on the OS level?

Can someone tell me what I'm missing here? Thanks for any help!

Last edited by diederick76 (2018-04-09 19:55:42)


#2 2018-04-09 20:07:22

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: HSTS is on but how?

According to Wikipedia, The HSTS HTTP Header is only recognized when sent over an HTTPS connection

If you are using a browser in these experiments, did you force them to ignore the cache?  (Shift key when clicking reload generally does the trick)
If you want, please feel free to share the URL with me (by email, if you wish) and I'll try your port 80 and will tell you on this thread what I get (I'll not share details)

Edit: BTW, I had the pleasure of visiting your city in December.  Nice place.

Last edited by ewaller (2018-04-09 20:08:39)


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#3 2018-04-09 20:11:59

diederick76
Member
Registered: 2010-02-14
Posts: 157

Re: HSTS is on but how?

Hey ewaller, thanks for the reply. I'm indeed trying to force ignoring the cache (yes, shift reload). But I also get these when issuing wget on the command line:

wget wolk.diederickdevries.net
URL transformed to HTTPS due to an HSTS policy
--2018-04-09 21:53:46--  https://wolk.diederickdevries.net/

But when using the --no-hsts flag I get a time-out (probably because I configured the virtual host wrong or something)


#4 2018-04-09 20:13:56

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: HSTS is on but how?

Is there still something serving port 443?  If so, try killing it for now.


#5 2018-04-09 20:16:35

diederick76
Member
Registered: 2010-02-14
Posts: 157

Re: HSTS is on but how?

No:

$ sudo netstat -tulpen | grep 443

Returns nothing

Last edited by diederick76 (2018-04-09 20:19:48)


#6 2018-04-09 20:30:43

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: HSTS is on but how?

Take a look at your server logs.  I was able to see your site on port 80 with no HSTS headers.


#7 2018-04-09 20:41:02

diederick76
Member
Registered: 2010-02-14
Posts: 157

Re: HSTS is on but how?

And so am I, it seems, using Konqueror, that certainly had no cache of the site. At least I can now debug my virtual host config without having to deal with ssl at the same time. However, it is getting quite late now here, so I'm calling it a day for now. Thanks for your help!


#8 2018-04-10 00:39:49

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: HSTS is on but how?

I don't think browsers allow you to reload while ignoring the HSTS cache... this would sort of defeat the purpose. You could delete some secret files in the profile of whichever browser you used, though.

Also see ~/.wget-hsts


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)


#9 2018-04-10 01:25:29

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: HSTS is on but how?

Eschwartz wrote:

I don't think browsers allow you to reload while ignoring the HSTS cache... this would sort of defeat the purpose.

Interesting thought.  But, it is my browser, especially on a Linux machine where it does what I want.  Okay, the web site is run by the other guy, and they get to choose their terms too.  Next time I connect, they can force me back to HTTPS again.

Or, is the initial HSTS connection a promise you will never go back; thus protecting against future MITM attacks that are down-graded to HTTP, obfuscating the fact that the attacker does not have the certificate to support SSL?


#10 2018-04-10 01:46:57

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: HSTS is on but how?

ewaller wrote:
Eschwartz wrote:

I don't think browsers allow you to reload while ignoring the HSTS cache... this would sort of defeat the purpose.

Interesting thought.  But, it is my browser, especially on a Linux machine where it does what I want.  Okay, the web site is run by the other guy, and they get to choose their terms too.  Next time I connect, they can force me back to HTTPS again.

Or, is the initial HSTS connection a promise you will never go back; thus protecting against future MITM attacks that are down-graded to HTTP, obfuscating the fact that the attacker does not have the certificate to support SSL?

Yes, this is indeed the purpose of HSTS. And it is way too easy IMHO to reload the cache for unrelated reasons, an action which we've been trained to associate with something else entirely, thereby accidentally dropping out of HSTS which was enabled to prevent attacks which are impossible to distinguish from the owner doing the same thing. I'm not saying it should refuse to do what you want, I'm saying SHIFT+reload is definitely the wrong way to implement that UI.

It seems kind of reasonable to me that to ignore a highly technical protocol-level security verification feature you would have to dig into the technical details of things. Clearing the cache by direct file access for example.

The worst-case scenario for HSTS being attacked is, well, exactly the case of people being tricked into downgrading from HTTPS when they should not be.

Well-behaved services will *never* go back on HSTS, at least without changing their TTL to some much shorter period of time as a deprecation policy -- so HSTS is still being used, but future connections recognize the valid policy holder is indicating that that may change at any moment.
Once the policy holder is confident all users have connected recently enough to find the new policy, then HSTS can be turned off entirely, and there will only be e.g. a few minutes during which it is still cached and fails, minimizing the downtime.

Of course, all this assumes you're not on the HSTS preload list which makes things much more complicated...

Last edited by eschwartz (2018-04-10 01:54:24)

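The client-side behaviour this thread keeps running into (a policy learned once from an HTTPS response, cached by the client until max-age runs out, applied to subdomains when includeSubDomains is set, and only unlearned by expiry or an explicit max-age=0) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the thread, wget or any browser; it follows the rules of RFC 6797 and uses constructed host names and timestamps rather than the poster's real domain.

```python
"""Minimal model of an HSTS client cache (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class HstsEntry:
    created: int            # epoch seconds when the policy was learned
    max_age: int            # lifetime in seconds, from the header
    include_subdomains: bool

    def expires_at(self) -> int:
        return self.created + self.max_age


def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Returns (max_age, include_subdomains), or None when the header is invalid
    (missing max-age, non-numeric max-age, or a directive repeated twice).
    Unknown directives such as "preload" are ignored, as the RFC requires.
    """
    max_age = None
    include_sub = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Known-hosts store keyed by host name, like a browser's or ~/.wget-hsts."""

    def __init__(self) -> None:
        self.entries: Dict[str, HstsEntry] = {}

    def observe_response(self, host: str, over_https: bool,
                         sts_header: Optional[str], now: int) -> None:
        """Apply the header from one response. Headers seen over plain HTTP are
        ignored entirely (RFC 6797 section 8.1); max-age=0 deletes the policy."""
        if not over_https or sts_header is None:
            return
        parsed = parse_sts_header(sts_header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.entries.pop(host.lower(), None)
            return
        self.entries[host.lower()] = HstsEntry(now, max_age, include_sub)

    def must_use_https(self, host: str, now: int) -> bool:
        """True if host, or a parent domain with includeSubDomains, has an
        unexpired policy. Expired entries are dropped on the way."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            if entry.expires_at() <= now:
                del self.entries[candidate]
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def scenario() -> Dict[str, bool]:
    """Replay the situation from the thread with constructed hosts and times."""
    cache = HstsCache()
    t0 = 1_523_300_000                      # constructed epoch timestamp
    apex, sub = "example.net", "cloud.example.net"   # constructed names
    out = {}
    # 1. The apex site served HSTS with includeSubDomains over HTTPS once.
    cache.observe_response(apex, True, "max-age=15768000; includeSubDomains; preload", t0)
    out["sub_pinned_by_apex"] = cache.must_use_https(sub, t0)
    # 2. Commenting the header out server-side changes nothing on the client.
    cache.observe_response(apex, True, None, t0 + 60)
    out["still_pinned_after_header_removed"] = cache.must_use_https(sub, t0 + 3600)
    # 3. A header sent over plain HTTP is never trusted.
    other = HstsCache()
    other.observe_response("plain.example.org", False, "max-age=31536000", t0)
    out["http_header_ignored"] = other.must_use_https("plain.example.org", t0)
    # 4. Deprecation: shorten max-age first, so clients re-learn quickly ...
    cache.observe_response(apex, True, "max-age=600; includeSubDomains", t0 + 7200)
    out["pinned_within_short_ttl"] = cache.must_use_https(sub, t0 + 7200 + 599)
    out["expired_after_short_ttl"] = cache.must_use_https(sub, t0 + 7200 + 600)
    # 5. ... then max-age=0 makes clients forget the policy immediately.
    cache.observe_response(apex, True, "max-age=600; includeSubDomains", t0 + 9000)
    cache.observe_response(apex, True, "max-age=0", t0 + 9001)
    out["forgotten_after_max_age_zero"] = cache.must_use_https(sub, t0 + 9002)
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Steps 1 and 2 of `scenario()` are why removing the `Header always set` line and even swapping web servers had no visible effect: the policy lives in each client, not on the server, and with a 15768000-second max-age it stays there for about six months. Step 3 is ewaller's Wikipedia point. Steps 4 and 5 are the deprecation path eschwartz describes: lower the TTL first, then send max-age=0 once every client has had a chance to see the shorter value. On the client side, wget keeps this table in ~/.wget-hsts as the thread notes, so deleting that host's line (or passing --no-hsts) is what clears it for the command-line test.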

#11 2018-04-10 01:50:21

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: HSTS is on but how?

Makes sense.  Thanks.

EDIT:  OTOH, it does seem a little like security through obscurity.   At the least, it is a non-obvious solution.

Edit: Just saw your edit -- That makes a lot of sense

Last edited by ewaller (2018-04-10 01:54:21)


#12 2018-04-10 01:58:43

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: HSTS is on but how?

You read my post too soon.

https://hstspreload.org/ is even more interesting though.

...

Yep, this stuff is not really different from trying to e.g. publish an Arch Linux package using a GPG key that's been revoked and banned in the latest archlinux-keyring. I cannot really blame the browser developers for not offering an easy way to ignore such errors.
