Man-in-the-middle attack on Mobile Facebook possible due to lack of HSTS header

Y	Hacker News new \| ask \| show \| jobs

	Man-in-the-middle attack on Mobile Facebook possible due to lack of HSTS header (gist.github.com)
	39 points by nelse 4632 days ago

5 comments

pmh 4632 days ago

It's important to note that even if the HSTS header was present on the mobile site, the exploit would still be possible since many mobile browsers do not support HSTS[1].

[1]http://michael-coates.blogspot.com/2013/09/security-capabili...

link

ancarda 4632 days ago

>We are slowly rolling out HSTS across the entirety of Facebook's infrastructure. The fact that m.facebook.com does not send this header currently is by design.

Why not? For browsers that don't support HSTS, the header will be ignored. For those that do support it, the end-user gets better security. Is there a feasible reason for not enabling it everywhere? My guess would be so Facebook can disable SSL for certain browsers?

link

matt_heimer 4632 days ago

I don't get this header. Wouldn't the man-in-the-middle that is using something like sslstrip also be able to strip out any header they choose to?

link

daeken 4632 days ago

Yes, this is the case, but only in the first request. As soon as an HTTP user agent gets such an HSTS header, it will only communicate via HTTPS until max-age expires.

link

davis_m 4632 days ago

Only if the browser supports HSTS. Many do not, especially mobile browsers.

link

elwell 4632 days ago

Useful post simply for bringing attention to HSTS; of which, I've never heard.

link

Sami_Lehtinen 4631 days ago

I think marking cookies secure only is more important than hsts, but if both lack, then it's quite bad thing.

Btw. There are many sites like this out there. So this isn't news actually. There are even more sites which lack https completely.

link