
Strict Transport Security Edge Cases (HSTS)

Some notes on edge cases to HSTS I have seen in the wild, and appropriate mitigations.

Not Invoking Parent Domain Frequently Enough

Problem: Your website is served at www.example.com and the search engines index it there. Even if https://example.com/ sends an HSTS header, a user may never visit that domain and so never sees the dynamically set strict-transport-security header. This is a problem if you have cookies scoped to the parent domain, especially if they lack the Secure flag.

Mitigations:

Serve a commonly retrieved item, such as a logo, from the parent domain, e.g. https://example.com/logo.png

Include the “preload” directive in the HSTS header on the parent domain.

Ensure all cookies have the Secure flag.

Redirecting Around Parent Domain

Problem: You have a redirect from http://example.com to https://www.example.com

This is a special case of “Not Invoking Parent Domain Frequently Enough”. When you type example.com, most browsers default to HTTP, but HSTS headers are only honoured when received over HTTPS, so the parent domain’s policy is never recorded.

Mitigations:

Redirect HTTP to HTTPS before you redirect to “www”: http://example.com/ to https://example.com/ to https://www.example.com/

Serve a logo or other item from the parent domain.

Include the “preload” directive in the HSTS header on the parent domain.

Ensure all cookies have the Secure flag.

Subdomains Can Remove the Include Subdomain Option

Problem: Your parent domain “https://example.com” sets HSTS with includeSubDomains, but your subdomain “https://status.example.com” sends an HSTS header without includeSubDomains. Google Chrome gives precedence to the child domain’s entry, so a MITM can create “http://nonsuch.status.example.com/” and any cookies scoped to “.example.com” without the Secure flag will be delivered in the clear. Note the behaviour may vary depending on which websites have been visited and when, and which browser is used.

See also https://bugs.chromium.org/p/chromium/issues/detail?id=821811

Mitigations:

Ensure all cookies have the Secure flag set.

Always set “includeSubDomains” when using HSTS.

Partial fixes or other techniques to consider include:

Domain owners can consider DNSSEC, and users DNS over HTTPS, to defeat man-in-the-middle DNS modification.

Avoid situations where you delegate subdomains to different organisations or managerial regimes where you can’t ensure consistent application of controls.

Use “host” cookies (the __Host- prefix) where appropriate, but accept that this will fail in some browsers.
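To make the three cases above concrete, here is an added example (not code from the original post, nor from any browser’s source): a toy Python model of a browser’s HSTS cache and cookie jar. The hostnames, cookie names, redirect maps and the child_wins switch (which models the child-entry-takes-precedence behaviour described in the last section against the alternative of honouring any covering ancestor entry) are constructed assumptions. It walks the redirect-around-parent case, the HTTP-first redirect chain that fixes it, and the subdomain that drops includeSubDomains, reporting which cookies would travel over plain HTTP on the next typed visit.

```python
"""Toy browser model (HSTS cache plus cookie jar) for the three HSTS edge cases
above. Added example: the hostnames, cookie names, redirect maps and the
child_wins switch are constructed for illustration, not taken from the post
or from any browser's source."""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    domain: str    # domain cookie: sent to the domain and all its subdomains
    secure: bool   # Secure flag: only ever sent over https


@dataclass
class HstsStore:
    """host -> includeSubDomains flag, learned from HSTS headers seen over https."""
    entries: dict = field(default_factory=dict)

    def record(self, host, header):
        self.entries[host] = "includesubdomains" in header.lower()

    def upgrades(self, host, child_wins=False):
        """Would an http:// request to host be rewritten to https://?
        child_wins=True models the precedence the post describes: the most
        specific entry decides, so a subdomain entry without includeSubDomains
        shadows a parent entry that has it. child_wins=False upgrades whenever
        any covering entry exists."""
        labels = host.split(".")
        for i in range(len(labels)):            # host, parent, grandparent, ...
            candidate = ".".join(labels[i:])
            if candidate not in self.entries:
                continue
            covers = i == 0 or self.entries[candidate]
            if child_wins or covers:
                return covers
        return False


def cookies_sent(jar, scheme, host):
    """Names of the cookies attached to a request to scheme://host/."""
    return sorted(c.name for c in jar
                  if (host == c.domain or host.endswith("." + c.domain))
                  and (scheme == "https" or not c.secure))


def leaked_in_clear(store, jar, host, child_wins=False):
    """Cookies sent over plain http when the user types host into the URL bar."""
    if store.upgrades(host, child_wins):
        return []                      # HSTS rewrites the request to https first
    return cookies_sent(jar, "http", host)


def browse(store, url, site):
    """Follow redirects from url, recording HSTS headers received over https.
    site maps a URL to (hsts_header or None, redirect_target or None)."""
    while url:
        scheme, rest = url.split("://", 1)
        host = rest.split("/", 1)[0]
        if scheme == "http" and store.upgrades(host):
            url = "https://" + rest            # cached policy upgrades the request
            continue
        header, url = site.get(url, (None, None))
        if header and scheme == "https":       # HSTS received over http is ignored
            store.record(host, header)


# Constructed sample jar: "session" is missing the Secure flag.
JAR = [Cookie("session", "example.com", secure=False),
       Cookie("csrf", "example.com", secure=True)]
HSTS = "max-age=31536000"
HSTS_SUB = "max-age=31536000; includeSubDomains"


def redirect_around_parent():
    """Problem 2: http://example.com jumps straight to https://www.example.com,
    so the parent's HSTS header (served only over https) is never seen."""
    site = {"http://example.com/": (None, "https://www.example.com/"),
            "https://example.com/": (HSTS, None),
            "https://www.example.com/": (HSTS, None)}
    store = HstsStore()
    browse(store, "http://example.com/", site)
    return leaked_in_clear(store, JAR, "example.com")   # next typed visit


def redirect_via_parent():
    """Mitigation: http -> https on the same host first, then on to www."""
    site = {"http://example.com/": (None, "https://example.com/"),
            "https://example.com/": (HSTS, "https://www.example.com/"),
            "https://www.example.com/": (HSTS, None)}
    store = HstsStore()
    browse(store, "http://example.com/", site)
    return leaked_in_clear(store, JAR, "example.com")


def subdomain_drops_include_subdomains(jar=JAR):
    """Problem 3: parent sets includeSubDomains, subdomain re-sends HSTS without
    it. Returns the leak under child-wins and under any-ancestor precedence."""
    store = HstsStore()
    store.record("example.com", HSTS_SUB)
    store.record("status.example.com", HSTS)     # no includeSubDomains
    host = "nonsuch.status.example.com"          # a name nobody legitimately serves
    return (leaked_in_clear(store, jar, host, child_wins=True),
            leaked_in_clear(store, jar, host, child_wins=False))


if __name__ == "__main__":
    print("redirect around parent leaks:", redirect_around_parent())
    print("redirect via parent leaks:   ", redirect_via_parent())
    print("child wins / ancestor wins:  ", subdomain_drops_include_subdomains())
    print("with Secure on every cookie: ",
          subdomain_drops_include_subdomains([c for c in JAR if c.secure]))
```

Running the module shows the direct www redirect leaving the non-Secure cookie exposed on the next typed visit, the HTTP-first chain leaving nothing exposed, and the subdomain case leaking only under child-wins precedence; once every cookie carries Secure, no scenario leaks anything, which is why the Secure flag is the mitigation common to all three sections.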

FORD IDS stalled “Waiting For Windows Network Services”

While helping a friend install FORD IDS software v124 on an ancient laptop, it displayed “Waiting for Windows Network Services” (saying it could take 20 minutes). If you hit “Abort” it lists the services it is waiting for. In this case the “DNS Client” service and the “TDSclient” service were disabled in Windows.

All you need to do is start these services AND set them to start automatically. In most versions of Windows you can just click the “Start” (or equivalent) button, type “services” in the search box, and it will offer the appropriate admin console if you have permissions. A more detailed explanation of how to update the DNS Client service can be found online; the other service(s) can be done the same way.

I repeat: “start” the service, and set it to “start automatically”. Otherwise it won’t work after the next restart of Windows and you’ll have to do it every time.

Starting services on Windows does mean more software is running and vulnerable to being hacked, so you might need help from IT if your devices are locked down. In this case it was a laptop which is usually used for vehicle diagnostics and other local hardware troubleshooting, so probably not a big increase in risk.

This post is “obvious” to anyone used to Windows, but a quick search suggests a few car mechanics have struggled here. Seems reasonable; I struggle with basic car mechanics at times (the most complex thing I’ve done on my own is replace a windscreen wiper motor), so there’s no reason they should need to know Windows. It’s unclear to me why the Ford software expects the DNS Client service to be running; I’ve never seen any software care how DNS works before, only that it does work.