Nov 25, 2010

Still no HSTS in FF4 nightly or Chrome 7

This weekend i blogged about my proof-of-concept implementation of Strict-Transport-Security in Struts 2 and the fact that I didn't get the expected behavior in Firefox 4 nightly or Chrome 7, only in Firefox 3.6.12 + NoScript.

Mozilla have responded and cannot reproduce the problem/bug. So I set up the stuff again and really made sure I did it right.

The Problem
The problem is that the draft specification of HTTP Strict Transport Security (HSTS) doesn't make clear what should happen for non-default ports, i e 80 for HTTP and 443 for HTTPS. Unclear specs typically lead to undefined and different behavior between implementations.

For proper security HSTS should always switch from HTTP to HTTPS for HSTS-enabled sites within the max-age time space. After my blog post Andy Steingruebl addressed the issue on his blog.

My Setup
I've set my HSTS max-age to 30 seconds to be sure it won't time out. For each test I do the following:
  1. Make sure the browser at hand fully trusts my self-signed SSL cert for john.com. In the case of Chrome this means adding the cert to the Mac OS system keychain and activating SSL trust for it. In the case of Firefox it means adding a permanent security exception to the browser.
  2. Load http://john.com:8080/struts2/register to make sure it loads over HTTP.
  3. Load https://john.com:8443/struts2/register that should set the HSTS max-age to 30 seconds.
  4. Load http://john.com:8080/struts2/register to make sure it switches to HTTPS.
Still Works in FF 3.6 + NoScript
First I confirmed that Firefox 3.6.12 + NoScript still detects my strict-transport-security header and switches from HTTP to HTTPS. Se screenshot below. Sorry for the Swedish error message :), but in essence Firefox has switched to HTTPS without changing the port and my server simply doesn't respond with an HTTPS connection on that port.


Chrome 7 Does Not Switch to HTTPS
Performing the four test steps in Chrome 7.0.517.44 does not result in the browser switching to HTTPS. Instead it gladly loads john.com over HTTP after having got the HSTS header. I tested this both by reloading a tab with the HTTP URL and by opening a new tab and entering the HTTP URL to make sure Chrome's sandboxing and one-process-per-tab was not the cause.

The screenshots below also show the HSTS header. First the HTTPS load:


... then the HTTP load:


Firefox 4.0b8pre (aka Minefield) Does Not Switch to HTTPS
The four test steps in the nightly build of Firefox 4 beta does not result in a switch to HTTPS either. See screenshots below.

First the HTTPS load:

... then the HTTP load:


Conclusion
I am always humble in these kind of cases. There might be errors or misunderstandings in my setup. Nevertheless, I think these test should work, at least to make me confident in Chrome's and Firefox's support for HSTS.

1 comment: