This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
ToddBrown
Beginner
Beginner
‎2016-11-28 01:29 PM

Add Strict-Transport-Security Header to Web Tier

Jump to solution

We just had a pen test performed which identified the missing header Strict-Transport-Security as an issue.  How do we add this to our web-tier presence?

 

The application did not make use of the Strict-Transport-Security header to prevent SSL-stripping attacks.

 

Users may be victim to SSL-stripping man-in-the-middle attacks, causing session details and potentially sensitive
information to be sent over the network in cleartext. Client network traffic may also be potentially manipulated. In
order to exploit this flaw, an attacker would likely need to be able to intercept network traffic between a client and
server.

 

Since the world wide web consists of a mix of HTTP and HTTPS sites, it is often easy for attackers to conduct man-inthe-
middle downgrade attacks whenever users transition from an unencrypted (HTTP) site to an encrypted (HTTPS)
site. In these attacks, references from an HTTP site to an HTTPS are replaced with HTTP links. From there, an
attacker can intercept and translate requests to and from HTTP and HTTPS and provide users with little indication
that their traffic is being intercepted. A tool which implements many forms of this attack is sslstrip SSLStrip
[SSLSb].

 

In order to mitigate these attacks, the IETF the Strict-Transport-Security header HTTP Strict Transport
Security [HSTS], which instructs browsers to cache information about a site's SSL/TLS support. Once cached,
browsers which implement support for this header will refuse to access the site over unencrypted links in the future
(until a predefined time-out).

 

Reproduction:
The following response headers demonstrate the lack of the Strict-Transport-Security header:

 

curl -ki https://xxx.xxx.xxx.xxx/console-selfservice/


HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Tue, 01 Nov 2016 15:54:36 GMT
Pragma: No-cache
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: console-selfservicejsessionid=
K2yWYY6cZZQlnvn5hHjVTq1NvSnf6Sy1hTh32T2LnYGR2n73Vj3t!-1655169621;
path=/console-selfservice; secure; HttpOnly
X-Powered-By: Servlet/3.0 JSP/2.2
X-Frame-Options: SAMEORIGIN

Reply
1 Solution

Accepted Solutions
EdwardDavis
Employee
Employee
‎2016-11-28 04:08 PM

Jump to solution

We do not have a way to implement this at this time.

This is not an actual exploitable vulnerability with HSTS and RSA Authentication Manager web services.

In case of Authentication Manager we do not use HTTP anywhere in the system, so even enabling HSTS should not make any difference.

 

HSTS is about ensuring HTTPS is used for web browser connections, and RSA Authentication Manager forces this to be true by default.

Adding HSTS response headers will not change much in this regard.

 

The RSA Authentication Manager web applications, if they allow http at all, redirect immediately to https. Therefore, any advantage of implementing HSTS in its current state and format will not change the possibility that the first packet is http, therefore it is reasonable to say that there is no added risk on the RSA Authentication Manager Web Tier servers to not deploying HSTS that would be removed by implementing or enforcing it.

 

RFE AM-30255 was created to assess this vulnerability, and it was shown that lacking HSTS does not affect

RSA Authentication Manager and neither removes or increases risk.

 

 

HTTP Strict Transport Security (HSTS) is a new(ish) technology (2012) that allows an application to force browsers to use only SSL/TLS (HTTPS, not HTTP) when they visit that application. This occurs when the application sets an HSTS-specific HTTP response header. Browsers that support HSTS recognize the response header and only communicate with that application over HTTPS for the specified time.

View solution in original post

Reply
6 Replies
EdwardDavis
Employee
Employee
‎2016-11-28 04:08 PM

Jump to solution

We do not have a way to implement this at this time.

This is not an actual exploitable vulnerability with HSTS and RSA Authentication Manager web services.

In case of Authentication Manager we do not use HTTP anywhere in the system, so even enabling HSTS should not make any difference.

 

HSTS is about ensuring HTTPS is used for web browser connections, and RSA Authentication Manager forces this to be true by default.

Adding HSTS response headers will not change much in this regard.

 

The RSA Authentication Manager web applications, if they allow http at all, redirect immediately to https. Therefore, any advantage of implementing HSTS in its current state and format will not change the possibility that the first packet is http, therefore it is reasonable to say that there is no added risk on the RSA Authentication Manager Web Tier servers to not deploying HSTS that would be removed by implementing or enforcing it.

 

RFE AM-30255 was created to assess this vulnerability, and it was shown that lacking HSTS does not affect

RSA Authentication Manager and neither removes or increases risk.

 

 

HTTP Strict Transport Security (HSTS) is a new(ish) technology (2012) that allows an application to force browsers to use only SSL/TLS (HTTPS, not HTTP) when they visit that application. This occurs when the application sets an HSTS-specific HTTP response header. Browsers that support HSTS recognize the response header and only communicate with that application over HTTPS for the specified time.

Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
In response to EdwardDavis
‎2017-08-10 06:29 PM

Jump to solution

AM 8.2 SP1 P1 had a bug fix for this for our Internet-facing Web Tier Servers, under Jira bug ID AM-30255 - AM 8.x/Web tier Web Logic servers enforce Strict-Transport-Security header - RFE for HSTS header

but it was not 100% effective, as a few incomplete HTTPS URLs were redirected to the complete URL but without the HSTS timeout included.  A second Jira Bug ID AM-31285 - [Customer] requires that the HSTS Strict-Transport-Security header be included on responses seen by the "curl" command line tool.

is being used to track the updated fix so that all Web Tier Responses include this HSTS timeout, whether or not the browser supports it.

 

These fixes are primarily being driven by
OMB Memorandum M-15-13: https://itsec.jpl.nasa.gov/omb_memo-m-15-13.pdf which says that the HTTPS only network must be accomplished via HSTS headers

 

Timeline looks to be early next year, 2018

0 Likes
Reply
KenSmith
Beginner
Beginner
In response to JayGuillette
‎2018-02-27 12:31 PM

Jump to solution

Any update on this? 

0 Likes
Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
In response to KenSmith
‎2018-02-27 01:18 PM

Jump to solution

AM 8.2 SP1 Patch 6 has this:
AM-31285 – HTTP Strict-Transport-Security headers were not included in responses sent between the web tier and the curl command-line interface tool.

0 Likes
Reply
KenSmith
Beginner
Beginner
‎2018-02-27 02:05 PM

Jump to solution

Well thats cool! I was searching for HSTS and didn't see anything. I guess I assumed a search would show release notes. I'm hoping the same goes for CSP (content security policy) for the web-tier. 

0 Likes
Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
In response to KenSmith
‎2018-02-27 03:47 PM

Jump to solution

Ha, I made the same mistake.  And I knew it was in Patch 6!

0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.