Upgrading HTTPS in Mid-Air: An Empirical Study of Strict Transport Security and Key Pinning

Abstract:

We have conducted the first in-depth empirical
study of two important new web security features: strict transport
security (HSTS) and public-key pinning. Both have been added to
the web platform to harden HTTPS, the prevailing standard for
secure web browsing. While HSTS is further along, both features
still have very limited deployment at a few large websites and a
long tail of small, security-conscious sites. We find evidence that
many developers do not completely understand these features,
with a substantial portion using them in invalid or illogical ways.
The majority of sites we observed trying to set an HSTS header
did so with basic errors that significantly undermine the security
this feature is meant to provide. We also identify several subtle
but important new pitfalls in deploying these features in practice.
For example, the majority of pinned domains undermined the
security benefits by loading non-pinned resources with the ability
to hijack the page. A substantial portion of HSTS domains and
nearly all pinned domains leaked cookie values, including login
cookies, due to the poorly-understood interaction between HTTP
cookies and the same-origin policy. Our findings highlight that
the web platform, as well as modern web sites, are large and
complicated enough to make even conceptua