HSTS-Enforcer - "HTTPS Everywhere" on steroids

HSTS is a great security mechanism and more servers should support it. The purpose of HSTS is easy to understand: the browser should only connect to this server over a validated certificate chain (a self-signed certificate will not do).

HSTS protects against two sorts of attacks in general:

  • man-in-the-middle attacks where the certificate is self-signed
  • SSL stripping (abusing 302 redirects)

HSTS also does not allow plaintext connections. If HSTS is active for a domain, only HTTPS connections will be established. If an HTTP link is offered it will be upgraded to HTTPS, and if that fails the connection will be denied.

Note: HSTS only becomes active once the user has received the HSTS field from the server, or if the domain is in the HSTS preload list, but I won't go into detail on that here.

Enter HSTS-Enforcer

HSTS-Enforcer is a Chrome extension that adds the Strict-Transport-Security: header to every HTTPS connection. Chrome saves this, so it will remember to always use HTTPS for that site. The default time Chrome will remember to always use HTTPS is 6 months.

If a site already uses HSTS nothing will be added.

There are already a few examples of websites that offer HTTPS but not HSTS, for example imgur.com, flashback.org, countermail.com, 9gag.com and soundcloud.com.

HSTS-Enforcer vs. HTTPS Everywhere

So what's the difference, you may ask. Well, the purpose of HTTPS Everywhere is to use HTTPS on sites that offer both HTTP and HTTPS, but not by any means to enforce it. HTTPS Everywhere is built from rule lists, and these lists can't cover every website.

HTTPS Everywhere has become more and more unnecessary because more websites than ever only offer HTTPS, but these domains are still in the HTTPS Everywhere list. Why? I have no idea - there's no reason to enforce HTTPS when the server does that for you. One possible reason is that HTTPS Everywhere will redirect to HTTPS even if there's an attacker on the network using SSL stripping, and the web browser will then deny the connection due to a redirect loop (in Chrome: ERR_TOO_MANY_REDIRECTS).

So, HTTPS Everywhere's purpose is to use HTTPS when available, and HSTS-Enforcer's only purpose is to accept only valid HTTPS connections.

HSTS-Enforcer + HTTPS Everywhere = ♥

Because HSTS-Enforcer doesn't know which sites offer HTTPS, HTTPS Everywhere can help out! The cooperation between them could go something like this:

Everywhere: Hey, this website offers HTTPS, so I'm redirecting to HTTPS!
Enforcer: This website doesn't have any HSTS, so I'll add that awesome header!

Can't HSTS break stuff?

Unfortunately, yes it can. Some horrible, horrible websites think it's a great idea to redirect from HTTPS to HTTP, and once HSTS has been set there's no way back. This causes a conflict: the server tells the client to use HTTP, but the client will no way in hell use that, so it will just break.

So this was a hard choice. Should we let the user decide which websites they want to whitelist, or which websites they want to use HSTS on? Or should we just manually add the sites that break with HSTS on, since then the extension will be easier to use and fully automatic?

We don't know yet. But as we see it right now, this extension will be more for the skilled user. It's too soon to say if the hardcoded blacklist will be effective enough; until then the user needs to manually delete the HSTS rule from Chrome.

Right now we haven't seen many breakages on the web, but we gladly accept pull requests so we can add them.

The way I found websites that redirect from HTTPS to HTTP was by downloading the Alexa top 1 million websites, forcing cURL to connect via HTTPS and looking for a Location: header that pointed to HTTP. This means the website offers HTTPS (because an HTTP header was received) but the server tells the client to use HTTP, and by that point HSTS-Enforcer has already injected the HSTS header.

So an array of websites where HSTS-Enforcer should not set the HSTS field was added.
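As an added example (not the HSTS-Enforcer project's own code), here is the header injection described under "Enter HSTS-Enforcer" together with the ignore list from this section, written as a pure function so the decision logic can be tested outside the browser. The Manifest V2 blocking webRequest registration, the max-age value standing in for "6 months", and the ignore-list hostnames are assumptions of this example.

```javascript
// Added example, not the HSTS-Enforcer project's own code. Assumed:
// Manifest V2 blocking webRequest API, a max-age standing in for
// "6 months", and constructed ignore-list hostnames.
const SIX_MONTHS_SECONDS = 15768000; // assumed value for 6 months

// Sites known to redirect HTTPS -> HTTP (constructed placeholders);
// setting HSTS on them would leave Chrome stuck between the policy
// and the server's own redirect.
const IGNORE_LIST = ["broken.example", "legacy.example"];

function isIgnored(hostname) {
  return IGNORE_LIST.some(
    (h) => hostname === h || hostname.endsWith("." + h)
  );
}

// Header names are case-insensitive, so compare them lower-cased.
function hasHsts(headers) {
  return headers.some(
    (h) => h.name.toLowerCase() === "strict-transport-security"
  );
}

// Given a webRequest details object {url, responseHeaders}, return the
// headers Chrome should use. Only HTTPS responses are touched: a browser
// ignores an HSTS header received over plain HTTP anyway.
function injectHsts(details) {
  const url = new URL(details.url);
  const headers = details.responseHeaders || [];
  if (url.protocol !== "https:" || isIgnored(url.hostname) || hasHsts(headers)) {
    return { responseHeaders: headers }; // keep the server's own policy
  }
  // No includeSubDomains: the extension cannot know whether subdomains
  // serve HTTPS, so it makes the narrowest claim that still pins the host.
  return {
    responseHeaders: headers.concat([
      { name: "Strict-Transport-Security", value: "max-age=" + SIX_MONTHS_SECONDS },
    ]),
  };
}

// Register as a blocking listener only when running inside Chrome.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    injectHsts,
    { urls: ["https://*/*"] },
    ["blocking", "responseHeaders"]
  );
}
```

Responses that already carry the header, plain-HTTP responses and ignored hosts pass through unchanged, so a site that sets its own (possibly stricter) policy is never overridden.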

If you want HSTS-Enforcer you can install it from the Chrome Web Store: https://chrome.google.com/webstore/detail/hsts-enforcer/ingdjdekfhnapeoiiinplcadnfimnnkh

And if you want to create an issue, open a pull request or just look at the code, you can find it on GitHub: https://github.com/redpois0n/hsts-enforcer-chrome