I'm the Information Security Manager at Janet and through this blog I'll be sharing some of my experiences, ideas and thoughts on information security topics.

HSTS, captive portals and .1x

Monday, November 16, 2015 - 16:27

HTTP Strict Transport Security (HSTS) allows a site to specify not only that all future references and requests to the site must use HTTPS rather than HTTP, but also that if encrypting traffic to or from the site fails for any reason, the browser must block access to the site completely. Even with manual intervention, the user cannot click past the error and continue to the site.

Recent releases of most browsers not only support HSTS but also ship with a pre-loaded list of sites for which HSTS is assumed to be in place. The list includes sites commonly used as start pages, such as https://www.google.com/.

I recently visited an event in a venue that provided free Wi-Fi. It used the captive portal technology that you're all familiar with: in some cases the OS detects the captive portal and directs you to log in; in others the portal intercepts the first web page loaded and frequently causes SSL errors in the browser. However, what happened to me is that, with my first page loaded being on the preloaded HSTS list, an error was raised that I couldn't click through, and I was effectively blocked from using the Wi-Fi network.
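The following is an added example, not code from the original post: a toy model of a browser's HSTS store (a constructed preload list plus Strict-Transport-Security headers learned from responses) and the decision the browser makes when a captive portal intercepts the first request before login. The host names and the preload set are constructed for illustration.

```python
# Toy model of a browser's HSTS store and a captive-portal intercept (constructed example).
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time when the policy lapses
    include_subdomains: bool


class HstsStore:
    def __init__(self, preload):
        # Preloaded hosts never expire and cover their subdomains.
        self.entries = {h: HstsEntry(float("inf"), True) for h in preload}

    def remember(self, host, header, now):
        """Record a Strict-Transport-Security header from an HTTPS response."""
        max_age, sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            if name.lower() == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name.lower() == "includesubdomains":
                sub = True
        if max_age is None:          # no max-age: header is malformed, ignore it
            return
        if max_age == 0:             # max-age=0 withdraws the policy
            self.entries.pop(host, None)
        else:
            self.entries[host] = HstsEntry(now + max_age, sub)

    def is_known(self, host, now):
        # Match the host itself, or a parent domain that set includeSubDomains.
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry.expires > now and (i == 0 or entry.include_subdomains):
                return True
        return False


def navigate(store, url, portal_intercepts, now):
    """Browser outcome on a captive-portal network before the user logs in."""
    u = urlsplit(url)
    if store.is_known(u.hostname, now):
        # HSTS forces HTTPS and makes a bad certificate fatal: no click-through.
        return "blocked" if portal_intercepts else "https"
    if not portal_intercepts:
        return u.scheme
    # Plain HTTP is redirected to the login page; HTTPS to a non-HSTS
    # site yields a certificate warning the user can still click through.
    return "portal-login" if u.scheme == "http" else "cert-warning"
```

Running `navigate(HstsStore({"www.google.com"}), "http://www.google.com/", True, 0)` returns "blocked", which is exactly the dead end described above; the same request to a host outside the store returns "portal-login".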

Yet another problem that could be avoided through the use of 802.1x, and an example of how not all technologies are ready for an HTTPS-everywhere world.