RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
What is HTTP Strict Transport Security (HSTS)?
HSTS stands for HTTP Strict Transport Security. HSTS is a mechanism by which a website declares that it must only be accessed over a secure connection, i.e., HTTPS. For websites that set an HSTS policy, the browser must refuse all plain HTTP connections and must not let users click through invalid or untrusted SSL/TLS certificates. HSTS is currently supported by most major browsers (only some mobile browsers fail to honor it).
The HSTS header is received in the first HTTPS response from the web server and is managed by the browser. Once it has been received, the browser will always use HTTPS for that specific domain for a certain number of seconds, known as max-age, which is set in the header itself as highlighted below:
Detailed information on HSTS
HSTS headers have been enabled in RSA Authentication Manager for a long time, beginning with AM 8.2 P6, though various related fixes were delivered in patches through AM 8.3.
For example, initially all AM pages were served with HSTS, but then a customer reported that AM error pages, e.g. 404 Not Found, did not carry the header, so RSA Engineering enabled HSTS for error pages too.
Other customers reported that static help pages in the Self-Service and Security Consoles did not have HSTS enabled, so RSA Engineering fixed that too.
Another problem (a scan finding) was reported on the old logon redirect pages. Many versions ago, the Security Console and Operations Console accepted HTTP instead of HTTPS and AM simply redirected to HTTPS; e.g., if you pointed your browser to http://am82p.vcloud.local:7004/ it would return ERR_EMPTY_RESPONSE and redirect you to https://am82p.vcloud.local:7004. This flagged some HSTS as well as HTTP scan findings, so RSA removed that redirect feature.
The details below show how to demonstrate that HSTS is enabled on your AM server. However, no Scan should be flagging HSTS problems in any recent version of AM.
What is HSTS Preloading?
There is still a window of exposure for a user with a fresh install, or who has wiped their local browser state, because the browser has not yet seen the header for the domain. Because of that, Chrome maintains an HSTS Preload List (and other browsers maintain lists based on the Chrome list). These domains are configured with HSTS out of the box.
If, for example, the customer owns a site or has a Self-Service Console that they would like included in the preloaded HSTS list, they can submit the request to HSTS Preload. The header should look like the example below:
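The following is an added example, not RSA code, that parses a Strict-Transport-Security header value the way a browser reads it (max-age, includeSubDomains, preload) and checks it against the preload submission requirements published at hstspreload.org (max-age of at least one year, includeSubDomains and preload present). It goes slightly beyond this article by encoding those preload thresholds; the threshold values are an assumption that they are unchanged at the time of reading, and the sample header strings are constructed, not captured from an AM server.

```python
"""Parse a Strict-Transport-Security header and check preload readiness.
Added example; not RSA code."""
import re

# Preload requirement from hstspreload.org (assumption: current at time of writing).
PRELOAD_MIN_MAX_AGE = 31536000  # one year, in seconds


def parse_hsts(header_value: str) -> dict:
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict.
    Directive names are case-insensitive (RFC 6797); values keep their text."""
    directives = {}
    for raw in header_value.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def max_age_seconds(header_value: str):
    """Return max-age as an int, or None if it is absent or malformed."""
    value = parse_hsts(header_value).get("max-age")
    if value is None or not re.fullmatch(r"\d+", value):
        return None
    return int(value)


def preload_problems(header_value: str) -> list:
    """List the reasons a header would be rejected by the preload list.
    An empty list means the header itself is preload-ready; the site must
    still serve it on the apex domain over a valid certificate chain."""
    directives = parse_hsts(header_value)
    problems = []
    age = max_age_seconds(header_value)
    if age is None:
        problems.append("max-age directive missing or not a number")
    elif age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {age} is below the required {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real server.
    for sample in ["max-age=31536000; includeSubDomains; preload",
                   "max-age=15768000; includeSubDomains",
                   "max-age=abc"]:
        issues = preload_problems(sample)
        print(f"{sample!r}: {'preload-ready' if not issues else '; '.join(issues)}")
```

Feed it the value copied from the strict-transport-security line of your browser's Response Headers panel; a non-empty problem list tells you exactly which directive to change before submitting the domain.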
Reasons for HSTS false positive results
- Valid Authentication Manager console URLs; e.g., https://<AM_server_FQDN>:7004/console-ims and https://<AM_server_FQDN>:7072/operations-console.
- Valid Authentication Manager internal ports that do not support HTTP; e.g., https://<AM_server_FQDN>:7002, which is used for replication.
- Invalid Authentication Manager URL with no page associated, which returns an error such as HTTP 404; e.g., https://<AM_server_FQDN>:7004/.
- An Authentication Manager pop-up Help page; e.g., https://am83p.vcloud.local:7004/console-infocenter/en_US/?lang=en_US.
Checking for HSTS
In Chrome, you can verify that HSTS is set by following the steps below:
- Log in to your primary Authentication Manager Security Console (https://<AM_server_FQDN>:7004/console-ims).
- Press [F12] to open browser developer tools.
- Press [F5] to refresh your page.
- Go to the Network tab.
- Go to the Headers tab.
- In your browser, go to https://<AM_server_FQDN>:7004/console-ims/index.jsp. If you don't see https://<AM_server_FQDN>:7004/console-ims/index.jsp, look for https://<AM_server_FQDN>:7004/console-ims/TokenError.jsp in the Header list.
- Scroll down to the Response Headers section. Here you will see the strict-transport-security setting.
If your scan reports that HSTS is missing, copy and paste the URL from the scan finding into your browser to see whether it is valid. Internal ports for services such as replication have no web pages associated with them and therefore cannot be exploited by HTTP attacks. These URLs will return either an invalid request message or an HTTP error, such as 400 or 404.
If your scanner finds a help page with a URL that contains /console-infocenter/ without HSTS, the response from RSA Engineering is that help pages are static and cannot be changed; therefore, they are not vulnerable to any HTTP exploit from which HSTS would protect.
The includeSubDomains directive tells the browser to apply the same policy to every subdomain as well, so HTTP traffic to any subdomain is upgraded to HTTPS instead.
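The browser steps above can be repeated from the command line. The script below is an added example, not RSA's code: it requests each URL, keeps error responses (a 404 without HSTS is still useful for triage), and classifies the result using the rules this article gives (HSTS present is fine; a 400/404 with no page behind it is not a real finding; /console-infocenter/ help pages are static and treated as non-exploitable by RSA; anything else served without the header is a genuine finding to raise). The hostname am.example.com is a placeholder; the ports and paths are the ones named in this article. Certificate verification is left on, so point the SSL context at your private CA bundle if the AM certificate is not publicly trusted.

```python
"""Probe RSA Authentication Manager URLs for the HSTS header and triage
scanner findings. Added example; not RSA code. AM_HOST is a placeholder."""
import ssl
import sys
import urllib.error
import urllib.request

AM_HOST = "am.example.com"  # assumption: replace with your AM server FQDN
URLS = [
    f"https://{AM_HOST}:7004/console-ims/index.jsp",
    f"https://{AM_HOST}:7072/operations-console",
    f"https://{AM_HOST}:7004/",                                       # no page: error response
    f"https://{AM_HOST}:7004/console-infocenter/en_US/?lang=en_US",  # static help page
]


def probe(url: str, context: ssl.SSLContext = None):
    """Return (status, headers) for a GET. HTTP error responses are returned
    rather than raised, because a 404 still carries headers worth inspecting."""
    ctx = context or ssl.create_default_context()  # use cafile=... for a private CA
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


def classify(url: str, status: int, headers: dict) -> str:
    """Apply the article's triage rules to one response:
    OK           header present
    STATIC-HELP  /console-infocenter/ help page (static; RSA treats as non-exploitable)
    NOT-A-PAGE   400/404 with no application page behind the URL
    FINDING      a real application page served without HSTS"""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" in lowered:
        return "OK"
    if "/console-infocenter/" in url:
        return "STATIC-HELP"
    if status in (400, 404):
        return "NOT-A-PAGE"
    return "FINDING"


def report(url: str, status: int, headers: dict) -> str:
    """One line per URL: verdict, status code, URL and the header value seen."""
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts = lowered.get("strict-transport-security", "-")
    return f"{classify(url, status, headers):12} {status} {url} hsts={hsts}"


if __name__ == "__main__":
    # Pass URLs copied from the scan findings, or fall back to the list above.
    for url in sys.argv[1:] or URLS:
        try:
            status, headers = probe(url)
        except (urllib.error.URLError, OSError) as exc:
            # Non-HTTP listeners (e.g. the replication port) end up here.
            print(f"{'ERROR':12} --- {url} {exc}")
            continue
        print(report(url, status, headers))
```

Run it with the URLs copied from the scan report; only lines marked FINDING need to go back to RSA, and the hsts= column shows the exact max-age the console is sending.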
How can we delete the HSTS settings?
- Navigate to chrome://net-internals/#hsts. This is Chrome’s UI for managing your browser’s local HSTS settings.
- First confirm the domain’s HSTS settings are recorded by Chrome by typing the hostname into the Query HSTS/PKP domain section at the bottom of the page.
- Click Query. If the query box returns Found with settings information below, the domain's HSTS settings are saved in your browser. Note that this search matches exactly: enter only the hostname, such as www.example.com or example.com, without a protocol or path.
- Type the same hostname into the Delete domain security policies section and click Delete. Your browser will no longer force an HTTPS connection for that site.