1 of 9

HSTS Priming

Implementation Report for WebAppSec

November 2017

Why HSTS Priming?

Observation:

  • The web is migrating to rely on HTTPS instead of HTTP
  • More and more sites use HTTP Strict Transport Security (HSTS)

Problem:

  • Browsers only learn a site's HSTS policy opportunistically
  • HTTP subresources from hosts that offer HSTS are still blocked by the Mixed Content Blocker

Idea:

  • Pre-fetch HSTS information to avoid blocking in the Mixed Content Blocker

Principal Approach

In a Nutshell:

  • siteA (loaded over HTTPS) embeds a script from siteB over HTTP
  • The Mixed Content Blocker would block the load
  • Perform HSTS Priming (a HEAD request to siteB over HTTPS)
  • Observe the HSTS header in the response
  • Potentially upgrade the script load to HTTPS
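The HEAD-and-observe decision outlined above, written as an added Python model (not Firefox's implementation): the HEAD responses are constructed inline in place of the network, and host names such as cdn.example are placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed HEAD responses for https://<host>/, keyed by host: (status, headers).
# Stands in for the network; a real browser would send the HEAD request.
FAKE_HEAD_RESPONSES = {
    "cdn.example": (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "legacy.example": (200, {}),                                          # HTTPS but no HSTS
    "zero.example": (200, {"Strict-Transport-Security": "max-age=0"}),    # policy cleared
    "broken.example": (None, {}),                                         # HTTPS fails
}

def fake_fetch_head(host):
    return FAKE_HEAD_RESPONSES.get(host, (None, {}))

def parse_max_age(sts_value):
    """max-age from a Strict-Transport-Security value; None if the header is malformed."""
    max_age = None
    for directive in sts_value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age":
            arg = arg.strip().strip('"')
            if max_age is not None or not arg.isdigit():
                return None      # duplicate or non-numeric max-age: ignore the header
            max_age = int(arg)
    return max_age

def prime_hsts(host, fetch_head=fake_fetch_head):
    """HSTS Priming step: HEAD the HTTPS origin and check whether it opts into HSTS."""
    status, headers = fetch_head(host)
    if status is None:
        return False             # no HTTPS response at all: priming failed
    sts = headers.get("Strict-Transport-Security")
    if sts is None:
        return False             # reachable over HTTPS, but no policy to rely on
    return bool(parse_max_age(sts))   # None (invalid) or 0 (cleared) gives no upgrade

def load_subresource(page_url, resource_url, fetch_head=fake_fetch_head):
    """Mixed Content decision: ('load'|'upgrade'|'block', url actually used)."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    if page.scheme != "https" or res.scheme != "http":
        return "load", resource_url          # not mixed content, nothing to do
    if prime_hsts(res.hostname, fetch_head):
        return "upgrade", urlunsplit(res._replace(scheme="https"))
    return "block", resource_url             # Mixed Content Blocker wins

if __name__ == "__main__":
    for host in FAKE_HEAD_RESPONSES:
        print(host, load_subresource("https://site-a.example/", f"http://{host}/lib.js"))
```

Only a response that actually carries a non-zero max-age leads to an upgrade; an HTTPS host without HSTS, a cleared policy, or a failed HEAD all fall back to the blocker's verdict.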

Fundamental Algorithm (Phase 1)

Fundamental Algorithm (Phase 2)

Evaluation - Effectiveness

Priming is capable of upgrading 0.6% of mixed content loads

HSTS Priming Requests (Firefox Beta, Sept. 20th - October 3rd, 2017)

Evaluation - Performance

Success: Median 683ms

Failure: Median 1,223ms

Evaluation - Engineering Effort

  • 10 months
  • 1 engineer (full time)
  • 4,367 lines of code
  • 1,300 man hours

Take Away

  • Is it worth the effort?