OPNsense

  • OPNsense Forum »
  • Archive »
  • 19.1 Legacy Series »
  • How to disable "Enable HTTP Strict Transport Security" ? [Fixed]

Author Topic: How to disable "Enable HTTP Strict Transport Security" ? [Fixed]  (Read 7098 times)

FrenchFries

  • Newbie
  • Posts: 13
  • Karma: 0
How to disable "Enable HTTP Strict Transport Security" ? [Fixed]
« on: June 30, 2019, 06:25:15 pm »
Dear friends,

My OPNsense firewall is stuck because I enabled HSTS (HTTP Strict Transport Security) from the GUI without a valid certificate. This is a nice security feature, and I tried to modify Chromium and Firefox settings to bypass HSTS, without success. Therefore I no longer have access to the administration GUI of OPNsense.

I still have SSH access to the firewall. How can I disable HSTS from the command line? Is there a way to reload the firewall on port 80? Any solution would suit me. Is there a way to use configd to reset this setting?

Kind regards,
French Fries
« Last Edit: June 30, 2019, 09:27:03 pm by FrenchFries »

bartjsmit

  • Hero Member
  • Posts: 2023
  • Karma: 194
Re: How to disable "Enable HTTP Strict Transport Security" ?
« Reply #1 on: June 30, 2019, 07:14:02 pm »
You can use option 13 from the console to restore the configuration before you made the HSTS change.

Bart...

FrenchFries

  • Newbie
  • Posts: 13
  • Karma: 0
Re: How to disable "Enable HTTP Strict Transport Security" ?
« Reply #2 on: June 30, 2019, 07:16:57 pm »
I could connect to the GUI using epiphany-browser in Debian, which does not enforce strict mode.
HTTP strict transport security is not really a security feature, IMHO.

Then I disabled HSTS completely.
Why use something that is unnecessary?

fabian

  • Hero Member
  • Posts: 2769
  • Karma: 200
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: How to disable "Enable HTTP Strict Transport Security" ?
« Reply #3 on: June 30, 2019, 09:01:22 pm »
Quote from: FrenchFries on June 30, 2019, 07:16:57 pm
I could connect to the GUI using epiphany-browser in Debian, which does not enforce strict mode.
HTTP strict transport security is not really a security feature, IMHO.

It is one of the best security enhancements for websites out there. It is an effective protection against man in the middle attacks because it:

a) enforces the use of TLS for all future requests
b) prevents users from clicking away the certificate warning in case of a MITM attack

By using that, it is not intended that the page is reverted to HTTP and it is the job of the admin to ensure that the web server always has a valid certificate.

You can read more about it here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

Quote from: FrenchFries on June 30, 2019, 07:16:57 pm
Then I disabled HSTS completely.
Why use something that is unecessary?

I will let that be your opinion and not a fact.
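To make the two properties above concrete, and to show why the lockout in this thread is hard to undo from the server side alone, here is an added example that simulates a browser's HSTS store as specified in RFC 6797. It is not OPNsense code and not code from either poster: it parses the Strict-Transport-Security header, applies the rule that the header is only honoured over a connection whose certificate validated, rewrites http:// to https:// for a known host, and refuses click-through on a certificate error for a known host. The host name fw.example.internal, the timestamps and the header values are constructed for the illustration.

```python
"""Simulation of a browser's HTTP Strict Transport Security store (RFC 6797).
Added example, not OPNsense code. Host names, timestamps and header values
are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    expires: float            # absolute time (seconds) at which the policy lapses
    include_subdomains: bool


def parse_sts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).
    Returns (max_age_seconds, include_subdomains), or None when the header is
    invalid: a missing or non-numeric max-age voids the whole header."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class BrowserHsts:
    """Minimal user-agent HSTS store plus the decisions that depend on it."""

    def __init__(self):
        self.known = {}       # host -> HstsPolicy

    def receive(self, host, scheme, cert_trusted, sts_header, now):
        """Process one response (RFC 6797 section 8.1): the header is honoured
        only on an https response whose certificate chain validated. On plain
        http, or on a connection the user clicked through a warning for, it is
        ignored."""
        if scheme != "https" or not cert_trusted or sts_header is None:
            return
        parsed = parse_sts(sts_header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:                      # max-age=0 deletes an existing policy
            self.known.pop(host, None)
        else:
            self.known[host] = HstsPolicy(now + max_age, include_sub)

    def is_known_host(self, host, now):
        """Exact unexpired match, or a superdomain policy with includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self.known.get(".".join(labels[i:]))
            if policy and policy.expires > now and (i == 0 or policy.include_subdomains):
                return True
        return False

    def navigate(self, scheme, host, cert_trusted, now):
        """Return what the browser does for a request to scheme://host/."""
        if scheme == "http":
            # Section 8.3: a known host's URL is rewritten to https before sending.
            return "upgraded-to-https" if self.is_known_host(host, now) else "plain-http"
        if cert_trusted:
            return "ok"
        # Section 8.4: for a known host a certificate error is fatal, no click-through.
        return "hard-fail" if self.is_known_host(host, now) else "warning-can-bypass"


def lockout_scenario():
    """Replay the lockout described in this thread with constructed data."""
    ua = BrowserHsts()
    host = "fw.example.internal"          # assumed firewall host name
    t, year = 1_000_000.0, 31_536_000
    steps = []
    # 1) Self-signed certificate, no policy yet: the warning can be clicked through.
    steps.append(ua.navigate("https", host, False, t))
    # 2) Header received over that untrusted connection: ignored, nothing changes.
    ua.receive(host, "https", False, f"max-age={year}; includeSubDomains", t)
    steps.append(ua.navigate("https", host, False, t))
    # 3) Header received while a trusted certificate is installed: pinned for a year.
    ua.receive(host, "https", True, f"max-age={year}; includeSubDomains", t)
    # 4) Certificate later untrusted again (expired, back to self-signed): locked out.
    steps.append(ua.navigate("https", host, False, t + 60))
    # 5) Retrying over http:// does not help; the browser rewrites it to https first.
    steps.append(ua.navigate("http", host, False, t + 60))
    # 6) Even max-age=0 is ignored over the broken connection ...
    ua.receive(host, "https", False, "max-age=0", t + 60)
    steps.append(ua.navigate("https", host, False, t + 60))
    # 7) ... so the policy lapses only when max-age elapses (or the store is cleared).
    steps.append(ua.navigate("https", host, False, t + year + 1))
    return steps
```

Calling lockout_scenario() walks through the seven steps and returns the browser's decision at each one; the point to take away is step 6: once a policy is pinned, a server that can no longer present a trusted certificate cannot talk the browser out of it, which is why a valid certificate (or clearing the browser's HSTS store, or waiting out max-age) is needed rather than a server-side change alone.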

FrenchFries

  • Newbie
  • Posts: 13
  • Karma: 0
Re: How to disable "Enable HTTP Strict Transport Security" ?
« Reply #4 on: June 30, 2019, 09:26:36 pm »
It is a fact that I could bypass this "security feature" using another web browser in two minutes. ;)
Therefore, it cannot qualify as "one of the best security enhancements for websites out there."
It is crap.

The only working solution is X509 client certificate authentication with SSL downgrade protection.
« Last Edit: June 30, 2019, 09:28:58 pm by FrenchFries »

franco

  • Administrator
  • Hero Member
  • Posts: 17707
  • Karma: 1618
Re: How to disable "Enable HTTP Strict Transport Security" ? [Fixed]
« Reply #5 on: July 01, 2019, 01:01:59 pm »
> It is crap.

It's a pain if you do manage to lock yourself out, but it's no crap by any modern standard.


Cheers,
Franco

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved