Following the EFF's recent missive on HTTPS protocol security and the numerous ways in which persistent attackers can work around it to compromise website traffic and data, we're developing a list of ways in which we can go above and beyond standard HTTPS encryption to guard against persistent attacks. What are the most effective tactics we should consider?
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email: email@example.com.
The Electronic Frontier Foundation (EFF), a donor-funded nonprofit organization, has long highlighted the need for websites to use HTTPS correctly and the necessity of a better solution to the certificate authority (CA) infrastructure. The EFF’s article “How to Deploy HTTPS Correctly” covers several areas of server configuration that site administrators often fail to implement.
Transitioning a site to HTTPS is not overly difficult. Every HTTP request can be redirected to the equivalent HTTPS resource with an HTTP 301 or 302 response. Also, Google and Mozilla browsers support the HTTP Strict Transport Security (HSTS) protocol extension, which instructs browsers to expect the site to use HTTPS. If a site uses HTTPS, you should also scope each cookie appropriately and set its Secure attribute so that it is never sent to a non-HTTPS page.
An organization should also implement a content security policy, which requires configuring its Web server to return the X-Content-Security-Policy HTTP header to specify its policy. This is a string containing policy directives to indicate the class of content that is to be restricted by the browser and the range of permitted behavior for that content class. Typically, this is a location, such as a network host, which is permitted to serve content of a particular type. For example, to allow content from a trusted domain and all of its subdomains, the header would look similar to this:
X-Content-Security-Policy: default-src 'self' *.trusteddomain.com
Although the content security policy specification is only a public working draft, it is likely to become a W3C recommendation.
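As an added example, not code from the column or from SearchSecurity.com, the following Python function audits a captured HTTP response against the measures above: redirection of plain-HTTP requests to an https:// URL, the HSTS header, a content security policy header (either the prefixed form shown above or the unprefixed name), and the Secure attribute on every cookie. The two sample responses are constructed for illustration.

```python
# Constructed sample responses (not from the original column): each is
# (request scheme, status code, list of (header, value) pairs).
SAMPLE_HTTP_RESPONSE = ("http", 301, [("Location", "https://www.example.com/")])
SAMPLE_HTTPS_RESPONSE = ("https", 200, [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Security-Policy", "default-src 'self' *.trusteddomain.com"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
])


def audit_response(scheme, status, headers):
    """Return a list of findings naming the recommendations the response
    fails to meet; an empty list means every check passed."""
    findings = []
    hdrs = [(name.lower(), value) for name, value in headers]

    def values(name):
        return [v for n, v in hdrs if n == name]

    if scheme == "http":
        # A plain-HTTP request must be answered with a redirect to HTTPS.
        location = values("location")
        if status not in (301, 302) or not location:
            findings.append("HTTP request not redirected to HTTPS")
        elif not location[0].lower().startswith("https://"):
            findings.append("redirect target is not an https:// URL")
        return findings

    # Over HTTPS: expect HSTS, a content security policy and Secure cookies.
    if not values("strict-transport-security"):
        findings.append("missing Strict-Transport-Security header")
    csp = values("content-security-policy") + values("x-content-security-policy")
    if not csp:
        findings.append("missing content security policy header")
    elif "default-src" not in csp[0]:
        findings.append("content security policy lacks a default-src directive")
    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks the Secure attribute")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_HTTP_RESPONSE, SAMPLE_HTTPS_RESPONSE):
        print(sample[0], sample[1], audit_response(*sample))
```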
The aforementioned security measures reduce the chances of a site, and those who visit it, being compromised. However, HTTPS cannot completely prevent persistent attacks, such as those that reside on the site undetected and affect everyone who visits it. For example, a cross-site scripting (XSS) attack in which malicious code is posted via a comment form on a website and then attacks anyone who views the comment is a persistent attack.
To combat this type of attack, an organization should ensure that all non-static data is validated before it is processed by any Web server application or script. For example, if the code expects an input to be an integer, it must test that the input actually is an integer. To do this effectively, an organization needs to declare and use the same character encoding throughout its site and scripts. This prevents attackers from slipping past filters by encoding characters in a different character set. There are many ways to break HTTPS, but it is still the best method of providing authentication and encryption between a server and a client. So, make sure the organization has a valid SSL certificate for its website with a minimum key length of 1024 bits.
This was first published in April 2012