oss-sec mailing list archives

Re: attacking hsts through ntp


From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 16 Oct 2014 14:50:43 -0600



On 16/10/14 02:38 PM, Hanno Böck wrote:
> On Thu, 16 Oct 2014 14:34:25 -0600
> Kurt Seifried <kseifried () redhat com> wrote:
>
>> I did not know that. One concern I have is also HSTS has no tools to
>> manage them in browsers, at least when I last checked, has that
>> changed? There is some room for DoS due to this on the client side.
>
> chrome://net-internals/#hsts
>
> Not pretty or easy to use, but helps debugging stuff (especially with
> HPKP which is quite picky when you do it wrong). I don't know about
> Firefox or others.

There is still no way to get a list of domains is there, due to the one
way hash chrome uses to store them? I had previously created a script
that created a webpage with links to a thousand or whatever subdomains
(e.g. 1x1 pixels) with hsts headers, and a reload to a new url, so
basically:

www.example.com loads page with 1000 images at [sha256 random
domain].images.example.com and then redirects to www2.example.com and so
on. It eats up a few tens of kilobytes per second, can happily sit in
the background. Because chrome uses that one way hash I can't find a way
to delete say all the hsts for *.example.org.

Not sure if this deserves a CVE, it's a slow dos, but there's no way to
deal with it short of wiping the hsts data file entirely. It would be
nice to have some better tools to manage hsts like we do for cookies,
but the use of the one way hash (which saves on space) trades one dos
(super long domain names) for another (can't link hsts records to
domains easily).

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
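As an added illustration (not code from this thread and not Chrome's implementation), a toy HSTS store keyed by a one-way hash of the hostname, assuming SHA-256 over the lowercased name. It shows the trade-off Kurt describes: lookups and includeSubDomains matching still work, every entry costs the same regardless of hostname length, but nothing in the store links a record back to a suffix such as example.org, so a suffix-wide delete cannot be implemented.

```python
import hashlib
import time


class HashedHstsStore:
    """Toy HSTS store keyed by a one-way hash of the hostname (constructed
    for illustration; mimics the design discussed, not Chrome's real code)."""

    def __init__(self):
        # sha256(host) -> {"expiry": float, "include_subdomains": bool}
        self._entries = {}

    @staticmethod
    def _key(host):
        # Canonicalise then hash: the key is always 32 bytes, however long
        # the submitted hostname is (this is what defeats long-name bloat).
        canonical = host.strip().rstrip(".").lower().encode()
        return hashlib.sha256(canonical).digest()

    def add(self, host, max_age, include_subdomains=False, now=None):
        now = time.time() if now is None else now
        self._entries[self._key(host)] = {
            "expiry": now + max_age,
            "include_subdomains": include_subdomains,
        }

    def is_hsts(self, host, now=None):
        """Walk from the full host up through its parents, as a browser does
        when honouring includeSubDomains on an ancestor entry."""
        now = time.time() if now is None else now
        labels = host.strip().rstrip(".").lower().split(".")
        for i in range(len(labels) - 1):  # never consult the bare TLD
            entry = self._entries.get(self._key(".".join(labels[i:])))
            if entry is None or entry["expiry"] <= now:
                continue
            if i == 0 or entry["include_subdomains"]:
                return True
        return False

    def delete(self, host):
        # Exact name required: the name cannot be recovered from the key.
        return self._entries.pop(self._key(host), None) is not None

    def delete_matching_suffix(self, suffix):
        # Impossible by construction: one-way keys carry no domain structure.
        raise NotImplementedError("entries are keyed by one-way hash")

    def storage_bytes(self):
        # 32-byte key + 8-byte expiry + 1 flag byte, independent of name length.
        return len(self._entries) * (32 + 8 + 1)
```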
