VMware Cloud Community
kimnana
Contributor

Can I modify hsts in vsphere 6.5~6.7 version?

Hello, I'm using vSphere 6.5 / vCenter 6.5. But I'm in big trouble right now.

Title : HTTP Strict-Transport-Security Not In Use

12 of 14 web application HTTPS servers do not use the HTTP Strict Transport Security (HSTS) server header, which leaves users vulnerable to attacks that trick users into accessing the web application HTTPS servers over an insecure connection. Although HTTPS is in use throughout the site, an attacker in a position to intercept and modify network traffic could remove the encryption by carrying out an SSL/TLS stripping attack.

This would then allow the attacker to view the data sent to the server as it would be transmitted unencrypted.


Further information on the SSL/TLS stripping attack can be found here:

https://blog.cloudflare.com/performingpreventing-ssl-stripping-a-plain-englishprimer/


Remediation: Set Strict-Transport-Policy Header

The affected web application HTTPS servers should include the Strict-Transport-Security header in all HTTPS responses.

The HSTS header instructs the browser to only connect to a site using HTTPS. If the user attempts to visit the site without HTTPS or follows a non-HTTPS link to the site, then the browser will automatically connect using HTTPS instead.


An example HSTS header is provided below:

Strict-Transport-Security: max-age=15768000

The max-age parameter specifies how long the browser should enforce the use of SSL/TLS in seconds; in this case it is for the equivalent of 182 days.


If appropriate, the 'includeSubDomains' directive can also be added. This will ensure that HTTPS will also be used for subdomains of the current site.


Strict-Transport-Security: max-age=15768000; includeSubDomains

I think you need to modify HSTS to meet this. Do vSphere 6.5 and vCenter 6.5 support this?
I'd really appreciate it if you could answer.

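The finding quoted above describes the header but gives no way to confirm what a server actually sends. The script below is an added example, not code from the post, from VMware, or from the scanning tool: it parses a Strict-Transport-Security value the way a browser does (RFC 6797 section 6.1: max-age is mandatory, a repeated directive or non-numeric max-age makes the header invalid, unknown directives are ignored) and classifies a response as missing, invalid, disabled, too short, or ok. The 182-day threshold is taken from the quoted remediation; the function names and the sample header sets in the demo are this example's own, and the samples are constructed, not captured from a vCenter.

```python
"""Check an HTTPS response for a usable Strict-Transport-Security header.

Added example, not code from the forum post, VMware, or the scanner quoted
above.  Parsing follows RFC 6797 section 6.1 as a browser applies it.
MIN_MAX_AGE is the 182-day value from the quoted finding; the sample
responses in main() are constructed for this example.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, Optional

MIN_MAX_AGE = 15768000  # 182 days, the value the quoted finding recommends

# RFC 7230 token characters, used for directive names and unquoted values.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_DIRECTIVE = re.compile(rf'^\s*({_TOKEN})\s*(?:=\s*(?:"([^"]*)"|({_TOKEN})))?\s*$')


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Return the policy a browser would store, or None if it would ignore the header."""
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        if not raw.strip():
            continue  # an empty directive (e.g. a trailing ';') is tolerated
        m = _DIRECTIVE.match(raw)
        if m is None:
            return None  # not name[=value]: syntactically invalid
        name = m.group(1).lower()
        arg = m.group(2) if m.group(2) is not None else m.group(3)
        if name in seen:
            return None  # RFC 6797 6.1: a directive must not appear twice
        seen.add(name)
        if name == "max-age":
            if arg is None or not arg.isdigit():
                return None  # max-age needs a non-negative integer
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, per the spec's extension rule
    if max_age is None:
        return None  # no max-age: the UA discards the header
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate(headers: Dict[str, str]) -> str:
    """Classify one response's HSTS posture; header names match case-insensitively."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing"       # the finding in the report above
    policy = parse_hsts(value)
    if policy is None:
        return "invalid"       # present, but a browser would ignore it
    if policy.max_age == 0:
        return "disabled"      # max-age=0 tells the UA to forget the host
    if policy.max_age < MIN_MAX_AGE:
        return "too-short"
    return "ok"


def recommended_header(include_subdomains: bool = True,
                       max_age: int = MIN_MAX_AGE) -> str:
    """Build the header line the report suggests."""
    line = f"Strict-Transport-Security: max-age={max_age}"
    return line + "; includeSubDomains" if include_subdomains else line


def check_url(url: str, cafile: Optional[str] = None) -> str:
    """Fetch one HTTPS response and evaluate it (needs network; the demo does not call it).

    Pass the appliance's CA bundle as cafile when its certificate is not
    issued by a CA in the system trust store.
    """
    import ssl
    import urllib.request
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return evaluate(dict(resp.headers.items()))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_url(sys.argv[1], *sys.argv[2:3]))
    else:
        # Constructed responses: the report's example, an opt-out header,
        # a malformed one, and a response with no header at all.
        samples = {
            "report example": {"Strict-Transport-Security": "max-age=15768000 ; includeSubDomains"},
            "opt-out": {"Strict-Transport-Security": "max-age=0"},
            "malformed": {"Strict-Transport-Security": "includeSubDomains"},
            "no header": {"Content-Type": "text/html"},
        }
        for label, hdrs in samples.items():
            print(f"{label:15} -> {evaluate(hdrs)}")
        print("recommended:", recommended_header())
```

Run it with no arguments for the constructed samples, or with `https://vcenter.example/ /path/to/ca.pem` (hypothetical host and bundle) to evaluate a live response. Note that `max-age=0` is the documented way to withdraw a policy from browsers that already cached it, which is what you would send if an HSTS rollout had to be backed out.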
3 Replies
MichaelKauffman
Contributor

Where is the big trouble?
Trouble would be being locked out by an HSTS setting and an expired certificate

Did someone run a random auditing tool and request fixes for all its findings that he doesn't understand?

Forum searching finds some hints on how to inject HTTP headers, if really wanted.

kimnana
Contributor

Oh, I'm sorry.

I have to deal with another problem now. There are two problems.
1. How to disable weak ciphers in vSphere ESXi 6.5
2. vSphere ESXi 6.5 renegotiation denial-of-service
We need to solve these two problems. Is there any document or guide that I can refer to in order to solve them?

Heracles31
Contributor

Hi,

HSTS is popular but also very high risk. Also, know that it will not protect you against the man-in-the-middle attack you described in your post. In such a case, the intruder can just push another certificate with the proper name and the client browser will accept it. It will then encrypt to the intruder, who will decrypt, do whatever he wishes, send it upstream to the real server or not, and send it back to the client. Just go into your browser's list of trusted CAs and see how many are there. Some are not as serious as others. If you trust 150 different CAs, then you accept 150 different certificates for the same name. If you accept wildcards, you accept even more.

HSTS is very high risk, and major sites like Slashdot ended up blocked when they did not renew their certificate in time. To protect yourself against TLS decryption, you can do client-side TLS certificate authentication. To defeat that, the intruder will need to compromise --YOUR-- CAs instead of getting a certificate from any public CA.
