Web Security

Challenge & Solution 10: Defend Against HTTPS Downgrade

Mike North

Mike North

Stripe
Web Security

Check out a free preview of the full Web Security course

The "Challenge & Solution 10: Defend Against HTTPS Downgrade" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:

After reviewing the challenge of adding HSTS to course demo application, Mike walks through the solution.

Preview
Close

Transcript from the "Challenge & Solution 10: Defend Against HTTPS Downgrade" Lesson

[00:00:00]
>> Mike North: So the last exercise we're gonna do is we're gonna add HSTS headers to this Equihax app. And what we can do is try a couple lvh.me domains and see what happens on the first visit and on subsequent visits. So we're going to solve the problem of going through of adding HSTS headers to our app.

[00:00:24]
And the problem we're solving is what happens if someone tries to downgrade our HTTP connection to plain HTTP. So I'm just gonna steal from my slides this example. Skipping ahead there, my example header here and we're just gonna add it directly to our server index here
>> Mike North: Same way we were adding these other headers.

[00:00:54]
In fact, I'll just do it in the same place. Set header, strict transport security, and the value is this. And I'm not gonna, I'll just make it for a short time, so I don't mess up lvh.me for myself. All right, so also what I wanna do is disable this for the time being.

[00:01:26]
>> Mike North: And what we should see, we're gonna try to start our app on a plain HTTP connection. We gotta change our imports as well. We're gonna try to start our app on a plain HTTP connection, and basically our browser should object and we wanna see what that objection looks like.

[00:01:53]
>> Mike North: Okay, so let's look down here and see what's going on.
>> Mike North: DevTools says Aw, Snap.
>> Mike North: The integrity attribute for that was blocked. I think we might have a caching issue here.
>> Mike North: Let me just substitute this real quick into the SRI header or the attribute.
>> Mike North: For the JavaScript file, which is this third one

[00:02:38]
>> Mike North: Okay.
>> Mike North: So if we look network response here, we should see some headers there. Strict-Transport-Security max-age-6000. So I'm actually gonna move the certificate into place that I already have, and let's see if we can get that to work.
>> Mike North: So if you're watching the video for the course, you don't have to do this.

[00:03:13]
We're just doing it right now to get around something.
>> Mike North: And pro tip, whenever you're working with certificates, at the same time you develop the certificate add them to your getignore. Do not accidentally commit certificate stuff, that's really bad.
>> Mike North: All right, let's fire it up, see what happens.

[00:03:56]
Okay, so we're not on HTTPS yet. Let's see if that switch works now.
>> Speaker 2: So in the chat, there's some guidance. You needed it to read the files from the file system?
>> Mike North: Yeah.
>> Mike North: I see, it need the needs the files itself, not just the name. Thank you.

[00:04:25]
Sorry, it's tough to talk and type at the same time. It's tough to talk and think at the same time.
>> Mike North: Thank you, people in the chat for letting us press on. And let's see if this just works with the certificates that are already in place.
>> Mike North: [SOUND] Much better.

[00:04:55]
Okay, so if we say HTTPS local host, you'll note that I've got a little red thing up here saying not secure. So that's telling us that there are some errors, unfortunately, you used to be able to click right up here and see what are those errors all about?

[00:05:14]
Chrome has since buried them down here. You have to click View Certificate. You can see that we've got equifax.lvh.me, that's the domain self-signed root certificate. And there's our metadata here, it's a little tough to see, but it's there. The certificate error we're running into down here is that the authority is invalid.

[00:05:38]
So if we view the certificate, actually the easy way to do this on a Mac to trust this one is to open it in. And I think if you open it in Safari these days you can do it. Show the certificate. Yes, you can say, always trust this when connecting to local host.

[00:05:56]
And I can actually modify the trust settings here.
>> Mike North: Great, so now I've got a secure connection. For Chrome, I'm actually gonna have to, I believe restart just the browser. I'm still not happy, I think now it's unhappy about the common name. Let me get out of the Netleaf version of Chrome, this is kind of driving us nuts.

[00:06:42]
>> Mike North: So excited about those new debugger tools.
>> Mike North: Just can't use disabled version.
>> Mike North: All right, so the objections that Chrome has now in their security tab, it is, [SOUND] it's still saying the authority is invalid. But it's trusted for local hosts. So let's try using the domain that it's designed for equifax.lvh.me.

[00:07:12]
>> Mike North: Okay, so my connection is not private, that's interesting. Okay, I see the problem. Subject alternative name missing. So Chrome had some additional things that were added in version 58 that need not just the common name, but the subject alternative name as well. We're just gonna switch out to a different browser.

[00:07:33]
We'll switch to Firefox and that will not, no, it's complaining as well. It's complaining about local host as it should.
>> Mike North: Nope.
>> Mike North: All right.
>> Mike North: All right, we're here. Finally, we're in Safari. Let's open up DevTools.
>> Mike North: So this is fine, right? And if I were to try a plain HTTP connection at this point, it should be really disappointed me.

[00:08:22]
It kicked me up to HTTPS.
>> Mike North: So let's try killing the server and not serving over HTTPS anymore. That's the easiest way to test this out.
>> Mike North: Okay, so this is what it's telling us. An SSL error has occurred. It can't create a secure connection to equifax.lvh.me. So let's see if the other browsers, I'm curious now to see if They will spite having those errors, the secure connection failed.

[00:09:16]
So what we're saying here is,
>> Mike North: I guess this one didn't pick it up. So we never successfully loaded it, and so it's not honoring our stuff, honoring the HSTS orders that we gave it. But in this situation you basically got Safari saying, we're disallowed from making a plain issue DP connection because we've informed this particular browser that it is not allowed to do so in the near future, or for that prescribed amount of time.

Learn Straight from the Experts Who Shape the Modern Web

  • In-depth Courses
  • Industry Leading Experts
  • Learning Paths
  • Live Interactive Workshops
Get Unlimited Access Now