Understanding the problem that HSTS solves

Published: 04 January 2023
on channel: Cyber Technical knowledge

A quick look at what HSTS is and how to clear it on two of the most popular browsers.
HSTS stands for HTTP Strict Transport Security. It is a web security policy mechanism that forces web browsers to interact with a website only via secure HTTPS connections (never plain HTTP). This helps to prevent protocol downgrade attacks and cookie hijacking.

HSTS was originally created in response to a vulnerability demonstrated by Moxie Marlinspike in a 2009 BlackHat Federal talk titled “New Tricks for Defeating SSL in Practice.” The particular vulnerability that HSTS defends against is the one illustrated by Marlinspike’s SSLStrip tool.

Essentially the tool works by converting secure HTTPS connections back to unsecured HTTP ones. HSTS remedies this by communicating to the browser that an HTTPS connection should always be in place. HSTS can also help to prevent cookie-based login credentials from being stolen by common tools such as Firesheep.

Unfortunately, some HSTS settings can inadvertently cause browser errors. For instance, if you’re using Chrome, you might run into:

“Privacy error: Your connection is not private” (NET::ERR_CERT_AUTHORITY_INVALID).

If you attempt to reach the same site on another browser and don’t run into the same issues, it could just be a problem with how the HSTS settings have affected your original browser. In that case, you will need to clear them. Here’s how to clear HSTS settings on Google Chrome and Mozilla Firefox.

Clear and Forget HSTS Settings In Popular Browsers
If your browser has stored HSTS settings for a domain and you later try to connect over HTTP or over a broken HTTPS connection (mismatched hostname, expired certificate, etc.), you will receive an error. Unlike other HTTPS errors, HSTS-related errors cannot be bypassed. This is because the browser has received explicit instructions from the website not to allow anything but a secure connection.

HSTS settings include a “max-age” option, which tells the browser how long to cache and remember the settings before checking again. In order to immediately proceed past the error, you will need to delete your browser’s local HSTS settings for that domain. Instructions on how to do so are below.

These settings need to be cleared in each browser. As a developer, you may run into this error if you are testing an HSTS configuration. In Chrome, you can receive this error on localhost. If you have deployed HSTS onto a live site for end users, it may be infeasible to correct the errors they are having depending on the size of your audience. Each user needs to delete their local HSTS settings or wait for them to expire according to the ‘max-age’ that was set.

Also note that if the website is still serving the HSTS header, your browser will store it as soon as you visit the site again. So you must first stop sending that header if you don’t want the error to reoccur.

Neither Chrome nor Firefox has a unique error code for HSTS errors, but the interstitial error pages will include information about HSTS.

Delete HSTS Settings
Note that these instructions are mainly useful for developers who were testing HSTS and now need to delete the settings. For a website you do not control, deleting your browser’s local HSTS settings will not help if the website is still serving an HSTS header as your browser will simply save the settings again on each visit/refresh.