Bypassing HTTP Strict Transport Security

Jose Selvi
[email protected]

Abstract—For the last few years, some different attacks from the last HTTPS connection. After that, the policy outdates
against SSL/TLS have been released. Some of them based on and the browser returns to his usual behavior.
cryptography or protocol weaknesses such as BEAST, CRIME,
BREACH, etc, and some others, such as SSLStrip, based on An optional parameter in an HSTS is ’IncludeSubdomains’.
rewriting HTTPS links into HTTP ones and keep user com- If this parameter is set, then the HSTS policy applies to the
munications always in HTTP. In order to protect users against visited domain and all the subdomains as well. If not it only
SSLStrip attacks, a new protection called HTTP Strict Transport applies to the exact domain that the user has visited.
Security (HSTS) has been developed and it’s currently supported
by most widely used browsers. In addition, an HSTS policy prevents an user from ac-
cepting self-signed or abnormally signed certificates, since
However, under certain circumstances, an attacker could remember the certification authority (CA) that signed the
exploit an inter-operation vulnerability in order to bypass HTTP
previous seen certificate.
Strict Transport Security protection and use other well-known
attack techniques such as SSLStrip. In this paper, we review Unfortunately, HSTS is not a security feature that is
the HSTS strengths and weaknesses, and we go in-depth on this currently widely deployed in the Internet, since just a few
inter-operation vulnerability and how it could be exploited. websites use it. However, some reference companies such as
Twitter, Paypal or Google use this security feature.
I. B RIEF H ISTORY OF B YPASSING SSL
Most desktop browsers support this security feature as
SSL/TLS is certainly one of the most important protocols in well. Some of them share a ’Preloaded HSTS’ list [6][7]
the security field since on it relies our communications privacy that contains a domain list of hosts that should be configured
and security. Because of that, it’s a target for both attackers automatically even before the first HTTPS connection, so users
and security professionals. remain protected after a fresh install or after wiping out their
local state.
In the past few years some different techniques have been
presented. Some of them focused on design weaknesses such
as BEAST [1], CRIME [2] or BREACH [2], some other III. N ETWORK T IME P ROTOCOL (NTP)
based on exploting some implementations weaknesses such as The Operating Systems use the Internet for a big amount
HeartBleed or the famous Apple goto fail vulnerability. of internal tasks or features such as software updates, the
Moxie Marlinspike [4] presented one of the most used OS activation itself and so on. One of those features is the
techniques, based on stripping a previous HTTP connection Time Synchronization. By default, almost all the desktop
by rewriting all the HTTPS links into HTTP ones, changing operating systems automatically synchronize its time with In-
properties of cookies and other similar changes. Since users ternet Servers usually owned by the operating system provider
usually type only website name in his browser and not the full (for example ’time.windows.com’ for Microsoft operating sys-
URL, their fists connection would be an HTTP one, so it could tems).
be intercepted and stripped. All of them use different versions (v3 or v4) of the Network
Time Protocol (NTP) [8][9][10] that is widely used to provide
II. HTTP S TRICT T RANSPORT S ECURITY time synchronization between computers.
HTTP Strict Transport Security [5] (also known as HSTS or NTP messages are sent via UDP packets (123/UDP). The
STS) is the industry response for the Moxie’s stripping attacks message format is the same for both requests and responses,
and his tool SSLStrip. but each peer use a different set of fields and ignore the rest
of them.
HSTS protocol defines a new HTTP header called ’Strict-
Transport-Security’ that can be sent by a webserver to his Most important fields are:
clients in order to specify a new policy regarding how the
• Leap (LI): Leap is a warning indicator that should be
browser in going to handle the future connections.
usually set to zero. Clients often set this value to 3
There are two main parameters in an HSTS policy. One of (clock unsynchronized) when request time synchro-
them is ’max-age’ that represents the amount of seconds that nization.
the browser should connect in HTTPS-only mode. As a result,
• Version (VN): NTPv3 (3) or NTPv4 (4).
a browser that receive an HSTS policy with ’max-age:1000’
from ’mywebsite.com’ would stay using HTTPS if the user • Mode: Usually client (3) or server (4) depending if it is
clicks on HTTP links or even if the user type an HTTP link. a request or a response. Other values are also possible
That policy would be active for the following 1000 seconds but they are not used in by default NTP configuration.
 Usage: delorean.py [options]

Options:
-h, --help show this help message and exit
-i INTERFACE, --interface=INTERFACE
Listening interface
-p PORT, --port=PORT Listening port
-n, --nobanner Not show Delorean banner
-s STEP, --force-step=STEP
Force the time step: 3m (minutes), 4d (days), 1M
(month)
-d DATE, --force-date=DATE
Force the date: YYYY-MM-DD hh:mm[:ss]
-k SKIM, --skim-step=SKIM
Skimming step: 3m (minutes), 4d (days), 1M (month)
-t THRESHOLD, --skim-threshold=THRESHOLD
Skimming Threshold: 3m (minutes), 4d (days), 1M
(month)
-r, --random-date Use random date each time
Fig. 1. NTP Packet

Delorean can be used in five different modes:

• Stratum: Usually from 2 to 15. Values 0 and 1 are used
• Automatic: If not other mode is selected, Delorean
by reference clocks and primary servers and shouldn’t
works in an automatic mode. In this mode, Delorean
be used by NTP servers.
tries to find a date at least 1000 days in the future with
• Precision: Usually -18 or -20 (microseconds). Preci- the same month day and weekday than the current one.
sion of the system clock. Value in log2 seconds. It makes harder for the user to detect that something
happened on his computer clock.
• Root delay & dispersion: Total round-trip and dis-
persion from de reference clock. Value in NTP short • Step mode (-s): Using this mode you can choose how
format. many seconds, hours, days, etc you want to jump to
the future. The base date and time are the local date
and time in the host that runs Delorean.
• Date mode (-d): Using this mode you can choose the
exact date and time when you want to jump to the
Fig. 2. NTP Short Format future.
• Random mode (-r): This mode makes Delorean to
• Reference identifier: Server identifier, usually his IP answer with different date and time on each response.
Address. Useful for testing integer overflows and other similar
• Timestamps: Different values that are used by the issues in NTP implementations.
client in order to calculate the current date and time. • Skimming Attack (-k & -t): This mode makes De-
Values in NTP format lorean work in a different way. It is compatible with
all the previous modes but it jumps to the future in
several steps (-k) instead of a single one. The flag ’t’
makes Delorean to jump that amount of time before
the ’-k’ time.

Fig. 3. NTP Format

Delorean can’t intercept communications itself, so it should
be used with other tools such as arpspoof + iptables, metas-
ploit’s fakedns, etc.
NTPv4 supports authentication based on asymmetric cryp-
tography. The server signs NTP messages using his own private V. T IME S YNCHRONIZATION IN MAJOR OS
key. As a result, clients can verify messages integrity, so Man- Even though all major operating systems use NTP as a
in-the-Middle techniques shouldn’t be possible. Time Synchronization Protocol over the Internet, they use it
However, none operating system use authentication, so all in a different ways. Some of them synchronized each few
of them would be vulnerable to Main-in-the-Middle attacks. minutes, some others only under certain circumstances or using
more complex algorithms.
IV. D ELOREAN : A N NTP M IT M TOOL
A. Ubuntu Linux
In order to perform NTP Man-in-the-Middle attacks, a new
tool called ’Delorean’ has been developed and it is available Ubuntu Linux perhaps is the most widely used desktop
for download at Github. His name, as you probably know, is linux distribution.
a reference to the well-known 80’s film ’Back to the future’ It doesn’t run a NTP daemon itself but it is configured
and its time machine. by default to synchronized via ’ntpdate’ command each time
Delorean is a python script based on the kimifly’s tool a network interface goes up. It uses unauthenticated NTPv4
’ntpserver’ [11] but adding some additional options for on- messages, so it is be vulnerable to MitM attacks.
the-fly manipulation.
$ ls /etc/network/if-up.d/
000resolvconf avahi-daemon ntpdate wpasupplicant
$ ./delorean.py -h avahi-autoipd ethtool upstart
 In those environments where an attacker could control the 0 44 1 0 8:50PM ?? 0:00.04 /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf
-n -g -p /var/run/ntpd.pid -f /var/db/ntp.drift
physical medium (fake AP, switch controlling, deauthentica-
tion) he could force an interface down and up. When going
up, the time would be synchronized, so it could be intercepted In Mavericks the ntpd daemon doesn’t change the system
and manipulated by Delorean. time by its own. It writes the detected drift in the file
’/var/db/ntp.drift’. There is also another important difference.
The daemon in launched with the ’panicgate’ option. It makes
B. Fedora Linux the ntpd daemon to accept big time adjustments (more than
Fedora Linux perhaps is another widely used desktop linux 1000 seconds by default) but only once.
distribution. $ ps -ef | grep pacemaker
0 60 1 0 8:50PM ?? 0:00.10 /usr/libexec/pacemaker -b -e 0.0001 -a 10
Unlike what happens with Ubuntu, Fedora runs a NTP
daemon called ’chronyd’ that synchronizes each minute. It The second one daemon is called ’pacemaker’ [13] and it
uses unauthenticated NTPv3 messages, so it is be vulnerable is checking the drift file for changes each 10 seconds. It slew
to MitM attacks. The default chrony configuration use the the clock or completely change it with the new date and time
parameter ’rtcsync’ witch means that the system time is copied depending on the adjustment needed.
to the real time clock each 11 minutes.
There is an exception in this process. When the user opens
# netstat -anp | grep 123
udp 0 0 0.0.0.0:123 0.0.0.0:* 540/chronyd the ’Date & Time Preferences’ the system clock automatically
udp6 0 0 :::123 :::* 540/chronyd
updates and any security restriction is consider.
Waiting up to one minute, an attacker could intercept and E. Microsoft Windows
manipulate that communication with Delorean and control the
desktop’s system time. After up to 11 minutes of intercepting Microsoft Windows is the securest NTP implementation
those messages, the new time would be applied to the host. from the major operating systems. It doesn’t use authentica-
tion (in a standalone configuration) but it implements some
C. Mac OS X Lion additional security features that make more difficult a reliable
exploitation.
Mac OS X Lion (probably all pre-Mavericks versions) runs
a NTP daemon called ’ntpd’ [12] that synchronizes each 9 One of them is the synchronization period. Windows by
minutes. It uses unauthenticated NTPv4 messages, so it is be default only synchronizes once a week: Sunday at 02:00. If
vulnerable to MitM attacks. the computer is not running then, the synchronization is made
in the next boot (if it’s in the next three days).
09:02:18.166708 IP 192.168.1.100.123 > 17.72.148.53.123: NTPv4, Client, length 48
09:02:18.224746 IP 17.72.148.53.123 > 192.168.1.100.123: NTPv4, Server, length 48 The second security feature is the ’MaxPosPhaseCorrec-
09:11:20.059792 IP 192.168.1.100.123 > 17.72.148.53.123: NTPv4, Client, length 48
09:11:20.116683 IP 17.72.148.53.123 > 192.168.1.100.123: NTPv4, Server, length 48 tion’ and ’MinPosPhaseCorrection’ parameters that are set in
09:20:17.951361 IP 192.168.1.100.123 > 17.72.148.53.123: NTPv4, Client, length 48
09:20:18.013108 IP 17.72.148.53.123 > 192.168.1.100.123: NTPv4, Server, length 48 the windows registry (HKEY LOCAL MACHINE
SYSTEM\CurrentControlSet\Services\W32Time\Config).
Waiting up to 9 minutes, an attacker could intercept and These parameters specify the maximum and minimum amount
manipulate that communication with Delorean and control the of seconds that the clock can be adjusted by the time
desktop’s system time. synchronization. Any time update greater is automatically
ignored. In windows desktop systems such as Windows 7 or
D. Mac OS X Mavericks 8, these parameters are set to 15 hours, while in servers such
as Windows Server 2012 they are set to 48 hours [14].
Mac OS X Mavericks changed its time synchronization
model. The ’ntpd’ daemon [12] still exists but it sends NTP As a result, there is a narrow attack surface in a default
messages in a less predictable way. However, even not being configured windows computer. However, there are lots of non
predictable, you should be able to intercept at least one NTP official articles in the Internet that recommend to synchronize
message waiting for some minutes. the time more often, maybe each hour or even each 5 minutes.
If the user set up his computer in order to synchronize
20:57:59.038956 IP 192.168.1.100.123 > 17.151.16.21.123: NTPv4, Client, length 48 more often than his own MaxPosPhaseCorretion time then his
20:57:59.247494 IP 17.151.16.21.123 > 192.168.1.100.123: NTPv4, Server, length 48
21:06:53.259078 IP 192.168.1.100.123 > 17.151.16.21.123: NTPv4, Client, length 48 computer would become vulnerable to Time Skimming attacks.
21:06:53.462394 IP 17.151.16.21.123 > 192.168.1.100.123: NTPv4, Server, length 48
21:15:54.423944
21:15:54.629670
IP
IP
192.168.1.100.123 > 17.151.16.21.123:
17.151.16.21.123 > 192.168.1.100.123:
NTPv4,
NTPv4,
Client,
Server,
length
length
48
48
There is an exception in this process. When the user
21:32:24.624282
21:32:24.833084
IP
IP
192.168.1.100.123 > 17.151.16.21.123:
17.151.16.21.123 > 192.168.1.100.123:
NTPv4,
NTPv4,
Client,
Server,
length
length
48
48
manually requests a time synchronization, when any security
21:57:18.017906
21:57:18.211821
IP
IP
192.168.1.100.123 > 17.151.16.21.123:
17.151.16.21.123 > 192.168.1.100.123:
NTPv4,
NTPv4,
Client,
Server,
length
length
48
48
restriction is consider.
22:30:32.740008 IP 192.168.1.100.123 > 17.151.16.21.123: NTPv4, Client, length 48
22:30:32.930711 IP 17.151.16.21.123 > 192.168.1.100.123: NTPv4, Server, length 48
VI. T IME S KIMMING ATTACK
Mac OS X Mavericks synchronizes each 9 minutes, as A Time Skimming Attack works in a similar way than a
other Mac OS Xs, but the synchronization interval increase ’Stone Skimming’ effect. Perhaps the attacker can’t jump to
when the computer is not being intensive using. For example, the proper date in the future, but if he can jump a few seconds
in an unattended MacBook it increases up to around 30 minutes before the next time synchronization then he could reach the
or even more. proper date by doing multiple jumps to the future.
$ ps -ef | grep ntpd # ./delorean.py -k 12h -t 30s
Sent to 192.168.10.31:123 - Going to the future! 2014-09-27 01:32 [4] http://www.thoughtcrime.org/software/sslstrip/
Sent to 192.168.10.31:123 - Going to the future! 2014-09-27 13:32
Sent to 192.168.10.31:123 - Going to the future! 2014-09-28 01:32 [5] https://tools.ietf.org/html/rfc6797
Sent to 192.168.10.31:123 - Going to the future! 2014-09-28 13:32
Sent to 192.168.10.31:123 - Going to the future! 2014-09-29 01:32 [6] http://dev.chromium.org/sts
Sent to 192.168.10.31:123 - Going to the future! 2014-09-29 13:32
Sent to 192.168.10.31:123 - Going to the future! 2014-09-30 01:32 [7] https://developer.mozilla.org/en-US/docs/Web/Security/HTTP strict transport security
Sent to 192.168.10.31:123 - Going to the future! 2014-09-30 13:32
Sent to 192.168.10.31:123 - Going to the future! 2014-09-01 01:32 [8] https://tools.ietf.org/html/rfc1308
Sent to 192.168.10.31:123 - Going to the future! 2014-09-01 13:32
[...]
[9] https://tools.ietf.org/html/rfc5905
[10] https://tools.ietf.org/html/rfc4330
Some Windows or Mac OS X configurations could be [11] https://github.com/limifly/ntpserver
vulnerable to this kind of attacks. [12] https://developer.apple.com/library/mac/documentation/Darwin/Reference/
ManPages/man1/ntpd.1.html
[13] https://developer.apple.com/library/mac/documentation/Darwin/Reference/
VII. B ROWSERS & P RELOADED HSTS ManPages/man8/pacemaker.8.html
Using the Delorean tool, under certain circumstances and [14] http://technet.microsoft.com/es-es/library/dd723684(v=ws.10).aspx
configurations, could allow to manipulate the system time [15] http://support2.microsoft.com/kb/884776/es
and force the HSTS policies to expire. However, there is an
extra security feature in browsers: the preloaded HSTS. When
reading its documentations it seems that preloaded hosts are
enforced by default so they wouldn’t be vulnerables to time
manipulation attacks but the real truth is that those hosts are
’preloaded’ but not ’static’ on most browsers, so they would
be vulnerable as well.
For example in Chrome, the enforced hosts in the
’Preloaded HSTS’ list are configured with a 1000 days policy.
These policies can be overwritten when the browser visits de
host for the first time.

Fig. 4. Chrome Source Code

Only one tested browser, Safari, seems to configure those

preloaded hosts as a static values (’inf’/’-inf’), so hosts
preloaded by Safari couldn’t be attacked using these tech-
niques.

VIII. C ONCLUSION
We have reviewed how the major desktop operating sys-
tems work regarding its time synchronization and we have
found that, on certain systems and under certain circumstances,
an NTP MitM attack is possible and it could be used in order
to force HSTS policies to expire. We have developed a NTP
MitM tool, called Delorean, that could be used to perform the
proposed attacks.

R EFERENCES
[1] J.Rizzo and T.Duong, BEAST, Ekoparty 2011.
[2] J.Rizzo and T.Duong, CRIME, Ekoparty 2012.
[3] A.Prado, N.Harris and Y.Gluck, BREACH, Black Hat USA 2013.