OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: FrenchFries on June 30, 2019, 06:25:15 PM

Title: How to disable "Enable HTTP Strict Transport Security" ? [Fixed]
Post by: FrenchFries on June 30, 2019, 06:25:15 PM
Dear friends,

My OPNsense firewall is stuck because I enabled HSTS (HTTP Strict Transport Security) from the GUI without a valid certificate. This is a nice security feature, and I tried to modify Chromium and Firefox settings to bypass HSTS, without success. Therefore I no longer have access to the administration GUI of OPNsense.

I still have SSH access to the firewall. How can I disable HSTS from the command line? Is there a way to reload the firewall on port 80? Any solution would suit me. Is there a way to use configd to reset this setting?

Kind regards,
French Fries
Title: Re: How to disable "Enable HTTP Strict Transport Security" ?
Post by: bartjsmit on June 30, 2019, 07:14:02 PM
You can use option 13 from the console to restore the configuration before you made the HSTS change.

Bart...
Title: Re: How to disable "Enable HTTP Strict Transport Security" ?
Post by: FrenchFries on June 30, 2019, 07:16:57 PM
I could connect to the GUI using epiphany-browser in Debian, which does not enforce strict mode.
HTTP strict transport security is not really a security feature, IMHO.

Then I disabled HSTS completely.
Why use something that is unnecessary?
Title: Re: How to disable "Enable HTTP Strict Transport Security" ?
Post by: fabian on June 30, 2019, 09:01:22 PM
Quote from: FrenchFries on June 30, 2019, 07:16:57 PM
I could connect to the GUI using epiphany-browser in Debian, which does not enforce strict mode.
HTTP strict transport security is not really a security feature, IMHO.

It is one of the best security enhancements for websites out there. It is an effective protection against man in the middle attacks because it:

a) enforces the use of TLS for all future requests
b) prevents users from clicking away the certificate warning in case of a MITM attack

By using that, it is not intended that the page is reverted to HTTP and it is the job of the admin to ensure that the web server always has a valid certificate.

You can read more about it here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

Quote from: FrenchFries on June 30, 2019, 07:16:57 PM
Then I disabled HSTS completely.
Why use something that is unnecessary?

I will let that be your opinion and not a fact.
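The two properties listed in the post above (future requests are forced onto TLS, and a certificate error on a known HSTS host cannot be clicked through) are easiest to see in a small model of a browser's HSTS store. The following Python is an added illustration, not code from OPNsense or from any poster in this thread. It follows RFC 6797: the header is only noted from an error-free HTTPS response, `max-age=0` forgets the host, `includeSubDomains` extends the policy to subdomains, and expired entries are purged. The hostname `fw.example.lan` and the `lockout_scenario()` walk-through are constructed for the example.

```python
"""Toy model of browser HSTS state (RFC 6797). Added example, not OPNsense code."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time after which the entry is dropped
    include_subdomains: bool   # policy also covers any subdomain of the host


def parse_hsts_header(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when there is no usable max-age; the UA must then ignore it.
    """
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name:
            directives[name] = arg.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return int(max_age), "includesubdomains" in directives


class HstsStore:
    """The browser's list of 'known HSTS hosts' (one store per browser profile)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.policies = {}   # host -> HstsPolicy

    def observe_response(self, host, scheme, cert_valid, header):
        """Note a policy, but only from an error-free HTTPS response (RFC 6797 s8.1)."""
        if scheme != "https" or not cert_valid or header is None:
            return
        parsed = parse_hsts_header(header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:                     # max-age=0 tells the UA to forget the host
            self.policies.pop(host, None)
            return
        self.policies[host] = HstsPolicy(self.clock() + max_age, include_subdomains)

    def policy_for(self, host):
        """Effective policy for host: exact entry, or a superdomain with includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= self.clock():   # expired entries are purged lazily
                del self.policies[candidate]
                continue
            if i == 0 or policy.include_subdomains:
                return policy
        return None

    def is_known_hsts_host(self, host):
        return self.policy_for(host) is not None

    def rewrite_url(self, url):
        """Property (a): http:// becomes https:// before any request leaves the browser."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_hsts_host(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def connect(self, url, cert_valid):
        """Property (b): return 'ok', a click-through 'warning', or a hard 'blocked'."""
        parts = urlsplit(self.rewrite_url(url))
        if parts.scheme == "https" and not cert_valid:
            return "blocked" if self.is_known_hsts_host(parts.hostname) else "warning"
        return "ok"


def lockout_scenario():
    """Walk through the situation in this thread with a fixed clock (constructed data)."""
    now = 1_000_000.0
    store = HstsStore(clock=lambda: now)
    host = "fw.example.lan"                       # constructed hostname
    steps = {}
    # 1. First visit with a valid certificate: the header is noted for one year.
    steps["first_visit"] = store.connect(f"https://{host}/", cert_valid=True)
    store.observe_response(host, "https", True, "max-age=31536000; includeSubDomains")
    # 2. A plain-http URL is upgraded locally; port 80 is never contacted.
    steps["upgraded_url"] = store.rewrite_url(f"http://{host}/index.php")
    # 3. The certificate is no longer valid: this browser offers no bypass at all.
    steps["bad_cert"] = store.connect(f"https://{host}/", cert_valid=False)
    # 4. A browser that never recorded the policy only shows an ordinary warning.
    steps["fresh_browser"] = HstsStore(clock=lambda: now).connect(f"https://{host}/", False)
    # 5. Once a valid certificate is served again, max-age=0 clears the entry.
    store.observe_response(host, "https", True, "max-age=0")
    steps["after_reset"] = store.connect(f"https://{host}/", cert_valid=False)
    return steps
```

Step 4 is why switching to a browser that never saw the header still reaches the GUI: the policy lives in each browser's own store, so it restrains the browser that recorded it rather than the server. Step 5 is the clean recovery path once the certificate is valid again; until then, the entry remains until `max-age` runs out or the browser's HSTS state is cleared.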
Title: Re: How to disable "Enable HTTP Strict Transport Security" ?
Post by: FrenchFries on June 30, 2019, 09:26:36 PM
It is a fact that I could bypass this "security feature" using another web browser in two minutes. ;)
Therefore, it cannot qualify as "one of the best security enhancements for websites out there."
It is crap.

The only working solution is X509 client certificate authentication with SSL downgrade protection.
Title: Re: How to disable "Enable HTTP Strict Transport Security" ? [Fixed]
Post by: franco on July 01, 2019, 01:01:59 PM
> It is crap.

It's a pain if you do manage to lock yourself out, but it's not crap by any modern standard.


Cheers,
Franco