Mozilla Firefox only stores up to 1024 HSTS entries. When the limit is reached, Firefox discards entries based on their age and recent visits to the domain in question.
28c30f393cb48239ab9dc658c1aff56b2651862c151910748a85b5596fc5ba67# VULNERABILITY
Mozilla Firefox only stores up to 1024 HSTS entries.
When the limit is reached, Firefox discards entries based on their age
and recent visits to the domain in question.
# IMPACT
The HSTS header ensures that once a page has been visited, the browser
will attempt to connect to it using HTTPS.
The limit means that Firefox effectively does not store any further HSTS
headers, as new ones permanently override each other.
Sites without HSTS protection are vulnerable to machine-in-the-middle
attacks, especially downgrade attacks such as SSL Stripping.
# MORE
To find out if you are affected, check the number of HSTS entries:
* Linux: `wc -l ~/.mozilla/firefox/{profile}/SiteSecurityServiceState.txt`
* Windows: `find /c /v " "
".\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}\SiteSecurityServiceState.txt"`
This behavior was first reported by Sheila Ayelen Berta and Sergio De
Los Santos at Black Hat Europe 2017.
I filed a bug report in February 2023 that is currently being worked on.
# REFERENCES
* Bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=1818984
* Mastodon thread: https://infosec.exchange/@kpwn/110010433703922665
* Blog post:
https://kpwn.de/2023/03/http-strict-transport-security/#1-the-limited-number-of-hsts-entries
* Black Hat Europe 2017: Breaking Out HSTS (and HPKP) On Firefox,
IE/Edge and (Possibly) Chrome
* Slides:
https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf
* Talk: https://www.youtube.com/watch?v=dPnU9_pXJ5k
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed