RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
This article explains the HSTS header and how to troubleshoot HSTS cases and explains that a scan could find no HSTS if the Help on a Security Console of Self-Service Console page is accessed. The static help pages do not have HSTS enabled, but neither can they be changed, they accept no input or post commands.
RSA has enabled HSTS on our console pages since Authentication Manager 8.2 patch 6. We no longer allow the initial redirect from http to https. For example, http://am82p.vcloud.local:7004/console-ims used to work, in that it redirected tohttps://am82p.vcloud.local:7004/console-ims, but that is no longer true. For example,
http://am82p.vcloud.local:7004/ - ERR_EMPTY_RESPONSE
http://am82p.vcloud.local:7004/console-ims - ERR_EMPTY_RESPONSE
Port 7002 for Authentication Manager replication behaves the same way because it does not process any http or https, only internal Authentication Manager processes communicate over the 7002 port.
While default port 7004 has no http or https pages on them.
In your browser, point to any RSA Authentication Manager Security Console or Self-Service Console page, and right-click to chose Inspect. Select Network. then look at the Header Response. See details in Resolution.
What is HTTP Strict Transport Security (HSTS)?
HSTS stands for HTTP Strict Transport Security. Websites use HSTS to It is a method used by websites to say that they should only be accessed using a secure connection, that is, HTTPS. For websites that invoke an HSTS policy, the browser must refuse all HTTP connections and prevent users from accepting insecure SSL certificates. HSTS is currently supported by most major browsers (only some mobile browsers fail to use it).
The HSTS header is received in the first response from the web server and it is managed by the browser. Once it is received, the browser will always use HTTPS for this specific domain for a certain amount of seconds, known as max-age, which will be set in the header itself as highlighted below:
Detailed information on HSTS
For a more detailed explanation, please review HTTP Strict Transport Security (HSTS) for RSA Authentication Manager 8.x.
Reasons for HSTS false positive results
When a vulnerability scanner reports a finding of No HTTP Strict Transport Security (HSTS) headers, it is important to note the details, because there could be several reasons for this finding based on the URL reported. For example,
Checking for HSTS
- Login to your primary Authentication Manager Security Console (https://<AM_server_FQDN>:7004/console-ims).
- Press [F12] to open browser developer tools.
- Press [F5] to refresh your page.
- Go to the Network tab.
- Go to the Headers tab.
- In your browser, go to https://<AM_server_FQDN>:7004/console-ims/index.jsp. If you don't see https://<AM_server_FQDN>:7004/console-ims/index.jsp, look for https://<AM_server_FQDN>:7004/console-ims/TokenError.jsp in the Header list.
- Scroll down to Response Headers section. Here you will see the strict-transport-security setting.
If your scan finds that HSTS is missing, copy and paste the URL from the scan finding into your browser, to see if it is valid. Internal ports for services such as replication do not have web pages associated, therefore cannot be exploited by HTTP attacks. These pages will show either an invalid request message or an HTTP error, such as 400 or 404.
If your scanner finds a help page with a URL that contains /console-infocenter/ without HSTS, the response from RSA Engineering is that help pages are static and cannot be changed; therefore, they are not vulnerable to any HTTP exploit from which HSTS would protect.
field is used to force the HTTP traffic to any of the subdomains to get redirected to HTTPS instead.
How can we delete the HSTS settings?
- Navigate to chrome://net-internals/#hsts. This is Chrome’s UI for managing your browser’s local HSTS settings.
- First confirm the domain’s HSTS settings are recorded by Chrome by typing the hostname into the Query HSTS/PKP domain section at the bottom of the page.
- Click Query. If the query box returns Found with settings information below, the domain’s HSTS settings are saved in your browser. Note that this is a very sensitive search. Only enter the hostname, such as www.example.com or example.com without a protocol or path.
- Type the same hostname into the Delete domain security policies section and click Delete, Your browser will no longer force an HTTPS connection for that site!
What is HSTS Preloading?
There is still a window where a user who has a fresh install, or who wipes out their local state, is vulnerable. Because of that, Chrome maintains an HSTS Preload List (and other browsers maintain lists based on the Chrome list). These domains will be configured with HSTS out of the box.
If, for example, the customer owns a site or has a Self-Service Console that they would like to see included in the preloaded HSTS list you can submit the request to HSTS Preload. The header should look like the example below:
RSA Support is aware of a vulnerability scan identifying a console help page that did not have HSTS set, which is why you should ask about specific URL details from any scan finding. RSA Engineering's response here is that this is not exploitable and has no inherent risk because;
- Authentication Manager has already sent the browser the HSTS setting for two years, so the browser should honor that setting, and
- These help pages are static with no option to do anything involving an upload or post.
If you Security Team does not accept these responses from RSA Engineering that HTTP error pages do not need HSTS enabled, please contact RSA Support
and ask about the instructions on how to add HSTS headers to all Authentication Manager service responses, even for invalid URLs which return error such as 404. This manual configuration will eventually be added to Authentication Manager patches, but no timeline has been set.
Note: You can add HSTS to the *wrapper files associated to the Authentication Manager services such as admin services, biztier and console services. Please contact RSA Support
for more information. Engineering is considering adding these in a future patch.