-
Notifications
You must be signed in to change notification settings - Fork 0
/
index.html
338 lines (321 loc) · 20.5 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
<!doctype html>
<html>
<head>
<title>HSTS Study</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.0/css/bootstrap.min.css" integrity="sha384-9gVQ4dYFwwWSjIDZnLEWnxCjeSWFphJiwGPXr1jddIhOegiu1FwO5qRGvFXOdJZ4" crossorigin="anonymous" />
<link rel="stylesheet" href="site.css" integrity="sha384-8cMQiQ2Q0FqslPAf0KKt9rOWS3tyz1QH4IEmq7QKisA4ZwB2qLzx9RHMPJbcZoB2" />
</head>
<body>
<nav id="navbar-hsts" class="navbar navbar-expand-lg navbar-dark bg-dark fixed-top">
<div class="container">
<a class="navbar-brand" href="/">HSTS Study</a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarContent" aria-controls="navbarContent" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarContent">
<ul class="navbar-nav mr-auto">
<li class="nav-item">
<a class="nav-link" href="#about">About</a>
</li>
<li class="nav-item">
<a class="nav-link" href="#adoption">Adoption</a>
</li>
<li class="nav-item">
<a class="nav-link" href="#configuration">Configuration</a>
</li>
<li class="nav-item">
<a class="nav-link" href="#anomalies">Anomalies</a>
</li>
</ul>
</div>
</div>
</nav>
<div style="height: 100vh; padding-top: 56px;">
<div class="scroll-content" data-spy="scroll" data-target="#navbar-hsts" data-offset="56">
<main role="main" class="container">
<h1 id="about">1. About this Study</h1>
<p>
A browser respecting the <code>Strict-Transport-Security</code> header (defined in <a href="https://tools.ietf.org/html/rfc6797">RFC 6797</a>) will access the website sending this header only via a secure connection for the following requests. This prevents e.g. session cookies to be leaked by being sent through insecure connections.
</p>
<p>
The data shown in the following charts is based on weekly scanns of more than 200M domains. All IP addresses of a given domain are scanned individually. While computing the here shown data these IP scanns are merged based on the domain (FQDN), so that a domain with multiple IP addresses only appears once.
</p>
<p>
All of the charts can be viewed in absolute values as amount of domains, or in relative values as percentage of domains with sts enabled (or percentage of scanned domains in case of the adoption chart). Additionally the data set can be selected with "IPv4" showing only data for domains that were scanned via IPv4, "IPv6" respectively for domains scanned via IPv6 and "Merged" showing data for both of the previous scans merged by the domain.
</p>
<p>
This study is part of the bachelor thesis "Long Term Analysis of the HTTP Strict Transport Security Header".
</p>
<h1 id="adoption">2. Adoption</h1>
<p>
This chart shows how many domains include a valid HSTS header in their HTTPS response, as well as domains that include their subdomains in the strict transport security policy and domains that have preloading enabled. For further details about these configuration options, see section 3.
</p>
<div id="chart-adoption"></div>
<div class="btn-toolbar justify-content-between" role="toolbar" aria-label="Chart options">
<div class="nav btn-group btn-group-toggle" id="adoption-tabs" data-toggle="buttons" role="tablist">
<label class="nav-link btn btn-secondary active" id="adoption-scope-absolute-tab" data-toggle="tab" href="#adoption-absolute" role="tab" aria-controls="adoption-absolute" aria-selected="true">
<input type="radio" name="adoption-scope" id="adoption-scope-absolute-radio" autocomplete="off" checked> Absolute
</label>
<label class="nav-link btn btn-secondary" id="adoption-scope-relative-tab" data-toggle="tab" href="#adoption-relative" role="tab" aria-controls="adoption-relative" aria-selected="false">
<input type="radio" name="adoption-scope" id="adoption-scope-relative-radio" autocomplete="off"> Relative
</label>
</div>
<div class="btn-group btn-group-toggle data-set-toggle" data-chart="adoption" data-toggle="buttons">
<label class="btn btn-secondary">
<input type="radio" name="adoption-set" id="adoption-set-ipv4" data-set="ipv4" autocomplete="off"> IPv4
</label>
<label class="btn btn-secondary">
<input type="radio" name="adoption-set" id="adoption-set-ipv6" data-set="ipv6" autocomplete="off"> IPv6
</label>
<label class="btn btn-secondary active">
<input type="radio" name="adoption-set" id="adoption-set-merged" data-set="merged" autocomplete="off" checked> Merged
</label>
</div>
</div>
<div class="tab-content" id="adoption-tab-content">
<div class="tab-pane fade show active" id="adoption-absolute" role="tabpanel" aria-labelledby="adoption-scope-absolute-tab" style="width: 100%;height: 400px;"></div>
<div class="tab-pane fade" id="adoption-relative" role="tabpanel" aria-labelledby="adoption-scope-relative-tab" style="width: 100%;height: 400px;"></div>
</div>
<h1 id="configuration">3. Configuration</h1>
<p>
The HSTS header can be configured with the three directives <code>max-age</code>, <code>includeSubDomains</code> and <code>preload</code> (with the later one not being defined in the official RFC, but being used by most browsers to generate their preloading lists).
</p>
<h2 id="max-age">3.1 max-age</h2>
<p>
The <code>max-age</code> directive is required for the header to be valid and can have any positive integer value. This value specifies the duration in seconds for which the strict transport security policy should be active. The spread of the value used for this directive can be seen in the following chart.
</p>
<div id="chart-max-age"></div>
<div class="btn-toolbar justify-content-between" role="toolbar" aria-label="Chart options">
<div class="nav btn-group btn-group-toggle" id="max-age-tabs" data-toggle="buttons" role="tablist">
<label class="nav-link btn btn-secondary active" id="max-age-scope-absolute-tab" data-toggle="tab" href="#max-age-absolute" role="tab" aria-controls="max-age-absolute" aria-selected="true">
<input type="radio" name="max-age-scope" id="max-age-scope-absolute-radio" autocomplete="off" checked> Absolute
</label>
<label class="nav-link btn btn-secondary" id="max-age-scope-relative-tab" data-toggle="tab" href="#max-age-relative" role="tab" aria-controls="max-age-relative" aria-selected="false">
<input type="radio" name="max-age-scope" id="max-age-scope-relative-radio" autocomplete="off"> Relative
</label>
</div>
<div class="btn-group btn-group-toggle data-set-toggle" data-chart="max-age" data-toggle="buttons">
<label class="btn btn-secondary">
<input type="radio" name="max-age-set" id="max-age-set-ipv4" data-set="ipv4" autocomplete="off"> IPv4
</label>
<label class="btn btn-secondary">
<input type="radio" name="max-age-set" id="max-age-set-ipv6" data-set="ipv6" autocomplete="off"> IPv6
</label>
<label class="btn btn-secondary active">
<input type="radio" name="max-age-set" id="max-age-set-merged" data-set="merged" autocomplete="off" checked> Merged
</label>
</div>
</div>
<div class="tab-content" id="max-age-tab-content">
<div class="tab-pane fade show active" id="max-age-absolute" role="tabpanel" aria-labelledby="max-age-scope-absolute-tab" style="width: 100%;height: 400px;"></div>
<div class="tab-pane fade" id="max-age-relative" role="tabpanel" aria-labelledby="max-age-scope-relative-tab" style="width: 100%;height: 400px;"></div>
</div>
<h4>Legend details</h4>
<p>
The following intervals show exactly how the max-age values map to the categories shown in the chart.
</p>
<table class="table table-sm table-hover">
<thead>
<tr>
<th>Name</th>
<th>Interval</th>
</tr>
</thead>
<tbody>
<tr>
<td>>1 year</td>
<td><pre>]370d; infinity[</pre></td>
</tr>
<tr>
<td>1 year</td>
<td><pre>]360d; 370d]</pre></td>
</tr>
<tr>
<td><1 year</td>
<td><pre>]190d; 360d]</pre></td>
</tr>
<tr>
<td>6 months</td>
<td><pre>]180d; 190d]</pre></td>
</tr>
<tr>
<td><6 months</td>
<td><pre>]7d ; 180d]</pre></td>
</tr>
<tr>
<td>≤1 week</td>
<td><pre>]1d ; 7d]</pre></td>
</tr>
<tr>
<td>≤1 day</td>
<td><pre>]1h ; 1d]</pre></td>
</tr>
<tr>
<td>test</td>
<td><pre>]0s ; 1h]</pre></td>
</tr>
<tr>
<td>off</td>
<td><pre>[0s ; 0s]</pre></td>
</tr>
</tbody>
</table>
<h2>3.2 includeSubDomains and preload</h2>
<p>
The other two directives do not have any values, but can either be set or not. The <code>includeSubDomains</code> directive extends the strict transport security policy to any subdomains of the domain that the HSTS header was sent initially. By setting <code>preload</code> directive the owner of a website allows its domain to be included in preload lists that come with most browsers.
</p>
<div id="chart-configuration"></div>
<div class="btn-toolbar justify-content-between" role="toolbar" aria-label="Chart options">
<div class="nav btn-group btn-group-toggle" id="configuration-tabs" data-toggle="buttons" role="tablist">
<label class="nav-link btn btn-secondary active" id="configuration-scope-absolute-tab" data-toggle="tab" href="#configuration-absolute" role="tab" aria-controls="configuration-absolute" aria-selected="true">
<input type="radio" name="configuration-scope" id="configuration-scope-absolute-radio" autocomplete="off" checked> Absolute
</label>
<label class="nav-link btn btn-secondary" id="configuration-scope-relative-tab" data-toggle="tab" href="#configuration-relative" role="tab" aria-controls="configuration-relative" aria-selected="false">
<input type="radio" name="configuration-scope" id="configuration-scope-relative-radio" autocomplete="off"> Relative
</label>
</div>
<div class="btn-group btn-group-toggle data-set-toggle" data-chart="configuration" data-toggle="buttons">
<label class="btn btn-secondary">
<input type="radio" name="configuration-set" id="configuration-set-ipv4" data-set="ipv4" autocomplete="off"> IPv4
</label>
<label class="btn btn-secondary">
<input type="radio" name="configuration-set" id="configuration-set-ipv6" data-set="ipv6" autocomplete="off"> IPv6
</label>
<label class="btn btn-secondary active">
<input type="radio" name="configuration-set" id="configuration-set-merged" data-set="merged" autocomplete="off" checked> Merged
</label>
</div>
</div>
<div class="tab-content" id="configuration-tab-content">
<div class="tab-pane fade show active" id="configuration-absolute" role="tabpanel" aria-labelledby="configuration-scope-absolute-tab" style="width: 100%;height: 400px;"></div>
<div class="tab-pane fade" id="configuration-relative" role="tabpanel" aria-labelledby="configuration-scope-relative-tab" style="width: 100%;height: 400px;"></div>
</div>
<h1 id="anomalies">4. Anomalies</h1>
<p>
This section displays anomalies that were found while analyzing the scan data.
</p>
<h2>4.1 Inconsistencies</h2>
<p>
Here shown are inconsistencies in the configuration and existence of the HSTS header between scans of domains that are served via multiple IP addresses.
</p>
<p>
The following chart shows inconsistencies across multiple IP address of the same version for a single domain.
An inconsistency in the configuration of the HSTS header requires any of the directives to have differing values, or being set when the website is served on one IP address, but not being set when the website is served on another IP address.
A domain is inconsistent in the existence of the HSTS header if it is being sent on one IP, but not on another IP of the same domain.
The total inconsistencies statistic shows the domains with any of the above inconsistencies.
</p>
<div id="chart-inconsistencies"></div>
<div class="btn-toolbar justify-content-between" role="toolbar" aria-label="Chart options">
<div class="nav btn-group btn-group-toggle" id="inconsistencies-tabs" data-toggle="buttons" role="tablist">
<label class="nav-link btn btn-secondary active" id="inconsistencies-scope-absolute-tab" data-toggle="tab" href="#inconsistencies-absolute" role="tab" aria-controls="inconsistencies-absolute" aria-selected="true">
<input type="radio" name="inconsistencies-scope" id="inconsistencies-scope-absolute-radio" autocomplete="off" checked> Absolute
</label>
<label class="nav-link btn btn-secondary" id="inconsistencies-scope-relative-tab" data-toggle="tab" href="#inconsistencies-relative" role="tab" aria-controls="inconsistencies-relative" aria-selected="false">
<input type="radio" name="inconsistencies-scope" id="inconsistencies-scope-relative-radio" autocomplete="off"> Relative
</label>
</div>
<div class="btn-group btn-group-toggle data-set-toggle" data-chart="inconsistencies" data-toggle="buttons">
<label class="btn btn-secondary active">
<input type="radio" name="inconsistencies-set" id="inconsistencies-set-ipv4" data-set="ipv4" autocomplete="off" checked> IPv4
</label>
<label class="btn btn-secondary">
<input type="radio" name="inconsistencies-set" id="inconsistencies-set-ipv6" data-set="ipv6" autocomplete="off"> IPv6
</label>
</div>
</div>
<div class="tab-content" id="inconsistencies-tab-content">
<div class="tab-pane fade show active" id="inconsistencies-absolute" role="tabpanel" aria-labelledby="inconsistencies-scope-absolute-tab" style="width: 100%;height: 400px;"></div>
<div class="tab-pane fade" id="inconsistencies-relative" role="tabpanel" aria-labelledby="inconsistencies-scope-relative-tab" style="width: 100%;height: 400px;"></div>
</div>
<p>
Inconsistencies between different IP versions are found by defining a set of quad tuples for each IP version. Every quad tuple contains whether a valid HSTS header was set, the value of the <code>max-age</code> directive and whether the <code>includeSubDomains</code> and <code>preload</code> directives were set. If such a quad tuple is found in the set for one IP version, but not for the other, the domain being served on those IP addresses is considered inconsistent between IP versions.
</p>
<div id="chart-inconsistency-ipv4-ipv6"></div>
<div class="btn-toolbar justify-content-between" role="toolbar" aria-label="Chart options">
<div class="nav btn-group btn-group-toggle" id="inconsistency-v4v6-tabs" data-toggle="buttons" role="tablist">
<label class="nav-link btn btn-secondary active" id="inconsistency-v4v6-scope-absolute-tab" data-toggle="tab" href="#inconsistency-v4v6-absolute" role="tab" aria-controls="inconsistency-v4v6-absolute" aria-selected="true">
<input type="radio" name="inconsistency-v4v6-scope" id="inconsistency-v4v6-scope-absolute-radio" autocomplete="off" checked> Absolute
</label>
<label class="nav-link btn btn-secondary" id="inconsistency-v4v6-scope-relative-tab" data-toggle="tab" href="#inconsistency-v4v6-relative" role="tab" aria-controls="inconsistency-v4v6-relative" aria-selected="false">
<input type="radio" name="inconsistency-v4v6-scope" id="inconsistency-v4v6-scope-relative-radio" autocomplete="off"> Relative
</label>
</div>
</div>
<div class="tab-content" id="inconsistency-v4v6-tab-content">
<div class="tab-pane fade show active" id="inconsistency-v4v6-absolute" role="tabpanel" aria-labelledby="inconsistency-v4v6-scope-absolute-tab" style="width: 100%;height: 400px;"></div>
<div class="tab-pane fade" id="inconsistency-v4v6-relative" role="tabpanel" aria-labelledby="inconsistency-v4v6-scope-relative-tab" style="width: 100%;height: 400px;"></div>
</div>
<h2>4.2 Parse Errors</h2>
<p>
While parsing the HSTS header parse errors can occur in case the header does not apply to <a href="https://tools.ietf.org/html/rfc6797">RFC 6797</a>. However a header that causes a parse error might still be valid if it is syntactically correct and all of the required directives are given.
</p>
<div id="chart-parse-errors"></div>
<div class="btn-toolbar justify-content-between" role="toolbar" aria-label="Chart options">
<div class="nav btn-group btn-group-toggle" id="parse-errors-tabs" data-toggle="buttons" role="tablist">
<label class="nav-link btn btn-secondary active" id="parse-errors-scope-absolute-tab" data-toggle="tab" href="#parse-errors-absolute" role="tab" aria-controls="parse-errors-absolute" aria-selected="true">
<input type="radio" name="parse-errors-scope" id="parse-errors-scope-absolute-radio" autocomplete="off" checked> Absolute
</label>
<label class="nav-link btn btn-secondary" id="parse-errors-scope-relative-tab" data-toggle="tab" href="#parse-errors-relative" role="tab" aria-controls="parse-errors-relative" aria-selected="false">
<input type="radio" name="parse-errors-scope" id="parse-errors-scope-relative-radio" autocomplete="off"> Relative
</label>
</div>
<div class="btn-group btn-group-toggle data-set-toggle" data-chart="parse-errors" data-toggle="buttons">
<label class="btn btn-secondary">
<input type="radio" name="parse-errors-set" id="parse-errors-set-ipv4" data-set="ipv4" autocomplete="off"> IPv4
</label>
<label class="btn btn-secondary">
<input type="radio" name="parse-errors-set" id="parse-errors-set-ipv6" data-set="ipv6" autocomplete="off"> IPv6
</label>
<label class="btn btn-secondary active">
<input type="radio" name="parse-errors-set" id="parse-errors-set-merged" data-set="merged" autocomplete="off" checked> Merged
</label>
</div>
</div>
<div class="tab-content" id="parse-errors-tab-content">
<div class="tab-pane fade show active" id="parse-errors-absolute" role="tabpanel" aria-labelledby="parse-errors-scope-absolute-tab" style="width: 100%;height: 400px;"></div>
<div class="tab-pane fade" id="parse-errors-relative" role="tabpanel" aria-labelledby="parse-errors-scope-relative-tab" style="width: 100%;height: 400px;"></div>
</div>
<h4>Top 10 parse errors</h4>
<p>
These are the ten most common parse errors that occurred in the most recent scann.
</p>
<div class="btn-toolbar justify-content-between mb-4" role="toolbar" aria-label="Chart options">
<div></div>
<div class="btn-group btn-group-toggle data-set-table-toggle" data-table="parse-errors-most-common" data-toggle="buttons">
<label class="btn btn-secondary active">
<input type="radio" name="parse-errors-set" id="parse-errors-set-ipv4" data-set="ipv4" autocomplete="off" checked=""> IPv4
</label>
<label class="btn btn-secondary">
<input type="radio" name="parse-errors-set" id="parse-errors-set-ipv6" data-set="ipv6" autocomplete="off"> IPv6
</label>
</div>
</div>
<table class="table table-hover" id="parse-errors-most-common">
<thead>
<tr>
<th scope="col">#</th>
<th scope="col">Occurences</th>
<th scope="col">Error</th>
</tr>
</thead>
<tbody>
</tbody>
</table>
</main>
<footer class="footer">
<div class="container">
</div>
</footer>
</div>
</div>
<script src="https://code.jquery.com/jquery-3.3.1.min.js" integrity="sha256-FgpCb/KJQlLNfOu91ta32o/NMZxltwRo8QtmkMRdAu8=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.0/umd/popper.min.js" integrity="sha384-cs/chFZiN24E4KMATLdqdvsezGxaGsi4hLGOzlXwp5UZB1LY//20VyM2taTB4QvJ" crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.1.0/js/bootstrap.min.js" integrity="sha384-uefMccjFJAIv6A+rW+L4AHf99KvxDjWSu1z9VI8SKNVmz4sk7buKt/6v9KI65qnm" crossorigin="anonymous"></script>
<script src="https://code.highcharts.com/highcharts.src.js"></script>
<script src="https://code.highcharts.com/modules/exporting.js"></script>
<script src="https://code.highcharts.com/modules/offline-exporting.js"></script>
<script src="chart.js" integrity="sha384-hdvHoRFaszMmxbzDE5Ep+WT7m+UGPeSWe0eT3IX1EHgenGM33UxWN8sky/VkiqCJ"></script>
</body>
</html>