Upgrading HTTPS in Mid-Air: An Empirical Study of Strict Transport Security and Key Pinning

Michael Kranch, Joseph Bonneau

Research output: Contribution to conference › Paper › peer-review

Abstract

We have conducted the first in-depth empirical study of two important new web security features: strict transport security (HSTS) and public-key pinning. Both have been added to the web platform to harden HTTPS, the prevailing standard for secure web browsing. While HSTS is further along, both features still have very limited deployment at a few large websites and a long tail of small, security-conscious sites. We find evidence that many developers do not completely understand these features, with a substantial portion using them in invalid or illogical ways. The majority of sites we observed trying to set an HSTS header did so with basic errors that significantly undermine the security this feature is meant to provide. We also identify several subtle but important new pitfalls in deploying these features in practice. For example, the majority of pinned domains undermined the security benefits by loading non-pinned resources with the ability to hijack the page. A substantial portion of HSTS domains and nearly all pinned domains leaked cookie values, including login cookies, due to the poorly-understood interaction between HTTP cookies and the same-origin policy. Our findings highlight that the web platform, as well as modern web sites, are large and complicated enough to make even conceptually simple security upgrades challenging to deploy in practice.
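Two of the pitfalls the abstract describes, HSTS headers set with basic errors and cookies that leak because cookies are not isolated by scheme, can be checked mechanically. The following is an added example (not code from the paper or its authors): it audits a Strict-Transport-Security value against RFC 6797 basics and then names cookies that can still travel over plaintext HTTP; the header and Set-Cookie values are constructed samples, and the risk codes are this example's own naming.

```python
import re

# Constructed sample headers for demonstration; they are not measurements
# from the paper. The HSTS value below is the classic "max-age=0" mistake.
SAMPLE_HSTS = "max-age=0; includeSubDomains"
SAMPLE_COOKIES = [
    "session=abc123; Path=/; HttpOnly",
    "login=xyz; Domain=example.com; Path=/",
    "pref=dark; Secure; Path=/",
]

# RFC 6797 allows the max-age value to be quoted; it must be a non-negative integer.
MAX_AGE_RE = re.compile(r'^max-age\s*=\s*"?(\d+)"?$', re.IGNORECASE)

def audit_hsts(header):
    """Return short codes for basic errors in a Strict-Transport-Security value."""
    problems = []
    directives = [d.strip() for d in header.split(";") if d.strip()]
    names = [d.split("=", 1)[0].strip().lower() for d in directives]
    if len(set(names)) != len(names):
        problems.append("duplicate-directive")   # each directive may appear only once
    if "max-age" not in names:
        problems.append("missing-max-age")       # header is invalid and browsers ignore it
    else:
        matches = [m for m in (MAX_AGE_RE.match(d) for d in directives) if m]
        if not matches:
            problems.append("malformed-max-age")
        elif int(matches[0].group(1)) == 0:
            problems.append("max-age-zero")      # clears HSTS state instead of enabling it
    if "includesubdomains" not in names:
        problems.append("no-include-subdomains") # http:// subdomains stay reachable
    return problems

def cookie_leak_risks(hsts_header, set_cookie_values):
    """Name cookies that can still be sent over plaintext HTTP despite HSTS.

    Cookies are keyed by host, not by scheme, so a cookie without the Secure
    attribute set by an HSTS host can accompany an http:// request to a
    subdomain that HSTS does not cover (or to the host itself before HSTS is cached).
    """
    problems = audit_hsts(hsts_header)
    hsts_works = not any(p in problems for p in ("missing-max-age", "malformed-max-age", "max-age-zero"))
    subdomains_covered = hsts_works and "no-include-subdomains" not in problems
    at_risk = []
    for cookie in set_cookie_values:
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" in attrs:
            continue  # browsers never send a Secure cookie over http://
        if "domain" in attrs and not subdomains_covered:
            at_risk.append((name, "domain-cookie-to-unprotected-subdomain"))
        else:
            at_risk.append((name, "missing-secure"))
    return at_risk
```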

Original language: English (US)
DOIs
State: Published - 2015
Event: 22nd Annual Network and Distributed System Security Symposium, NDSS 2015 - San Diego, United States
Duration: Feb 8 2015 to Feb 11 2015

Conference

Conference: 22nd Annual Network and Distributed System Security Symposium, NDSS 2015
Country/Territory: United States
City: San Diego
Period: 2/8/15 to 2/11/15

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Control and Systems Engineering
  • Safety, Risk, Reliability and Quality
