Pre-loading HSTS for sibling domains through this one weird trick

The vast majority of websites now support encrypted connections over HTTPS. This prevents eavesdroppers from monitoring or tampering with people’s web activity and is great for privacy. However, HTTPS is optional, and all browsers still support plain unsecured HTTP for when a website doesn’t support encryption. HTTP is commonly the default, and even when it’s not, there’s often no warning when access to a site falls back to using HTTP.

The optional nature of HTTPS is its weakness and can be exploited through tools like sslstrip, which force browsers to fall back to HTTP, allowing the attacker to eavesdrop on or tamper with the connection. In response to this weakness, HTTP Strict Transport Security (HSTS) was created. HSTS allows a website to tell the browser that only HTTPS should be used in future. As long as someone visits an HSTS-enabled website once over a trustworthy Internet connection, their browser will refuse any attempt to fall back to HTTP. If that person then uses a malicious Internet connection, the worst that can happen is that access to that website will be blocked; tampering and eavesdropping are prevented.

Still, someone needs to visit the website once before an HSTS setting is recorded, leaving a window of opportunity for an attacker. The sooner a website can get its HSTS setting recorded, the better. One aspect of HSTS that helps is that a website can indicate that not only should it be HSTS enabled, but that all subdomains are too. For example, planet.wikimedia.org can say that the subdomain en.planet.wikimedia.org is HSTS enabled. However, planet.wikimedia.org can’t say that commons.wikimedia.org is HSTS enabled because they are sibling domains. As a result, someone would need to visit both commons.wikimedia.org and planet.wikimedia.org before both websites would be protected.

What if HSTS could be applied to sibling domains and not just subdomains? That would allow one domain to protect access to another. The HSTS specification explicitly excludes this feature, for a good reason: discovering whether two sibling domains are run by the same organisation is fraught with difficulty. However, it turns out there’s a way to “trick” browsers into pre-loading HSTS status for sibling domains.
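To make the subdomain-versus-sibling distinction concrete, here is a small model of a browser's HSTS store, added as an illustration (it is not code from the original post). It follows the header grammar and the superdomain-matching rule of RFC 6797: a host is "HSTS known" if it has its own unexpired entry, or if some parent domain has an unexpired entry that set includeSubDomains. The hostnames and header values in the demo are constructed for the example.

```python
"""Toy browser HSTS store (added example, not the original post's code).

Header grammar modelled: Strict-Transport-Security:
    max-age=<seconds> [; includeSubDomains] [; preload]
"""
import time
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires: float          # absolute time after which the policy lapses
    include_subdomains: bool


def parse_hsts(header: str):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None if the header is
    invalid (missing max-age, non-numeric max-age, or a repeated directive).
    Unknown directives such as 'preload' are ignored, as RFC 6797 requires.
    """
    max_age = None
    include_sub = False
    seen = set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')   # max-age="123" is allowed
        if name in seen:                   # duplicate directive -> invalid header
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":  # directive names are case-insensitive
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so expiry can be tested
        self.entries = {}       # hostname -> HstsEntry

    def record(self, host: str, header: str) -> bool:
        """Record the policy a host sent over HTTPS.

        A real browser ignores the header on plain HTTP responses; the caller
        is assumed to pass only headers received over a secure connection.
        """
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower().rstrip(".")
        if max_age == 0:
            self.entries.pop(host, None)   # max-age=0 withdraws the policy
            return True
        self.entries[host] = HstsEntry(self.clock() + max_age, include_sub)
        return True

    def is_known(self, host: str) -> bool:
        """True if plain HTTP to host must be upgraded to HTTPS.

        An exact match always counts; a superdomain only counts when its entry
        set includeSubDomains. Siblings never match each other.
        """
        host = host.lower().rstrip(".")
        labels = host.split(".")
        now = self.clock()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None or entry.expires <= now:
                continue                    # absent or expired entry
            if i == 0 or entry.include_subdomains:
                return True
        return False


def demo():
    """Constructed scenario mirroring the post's wikimedia.org example."""
    store = HstsStore()
    store.record("planet.wikimedia.org", "max-age=31536000; includeSubDomains")
    store.record("example.org", "max-age=31536000")          # no includeSubDomains
    return {
        "planet.wikimedia.org": store.is_known("planet.wikimedia.org"),      # True
        "en.planet.wikimedia.org": store.is_known("en.planet.wikimedia.org"),  # True
        "commons.wikimedia.org": store.is_known("commons.wikimedia.org"),     # False: sibling
        "wikimedia.org": store.is_known("wikimedia.org"),                     # False: parent
        "www.example.org": store.is_known("www.example.org"),                 # False: no flag
    }
```

The `demo()` results show the limitation described above: a visit to planet.wikimedia.org protects its subdomains but says nothing about commons.wikimedia.org or the parent wikimedia.org, and a policy without includeSubDomains protects only the exact host that sent it.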

(Image: Google Chrome HSTS warning)

Diversity is our strength

On Friday evening, US President Donald Trump signed an executive order suspending visas to citizens of seven countries for at least 90 days. Among the many other implications of this ban — none of which we want to minimise with our focus on the implications for academics — this now implies that (1) students who are citizens (even dual citizens) of these countries are now unable to study in the US or attend conferences there, and (2) academics who are citizens of these countries and who legally work and live in the US are now unable to leave (to, say, attend conferences or visit another academic institution), as they would not be allowed back in.

We receive many inquiries each year from strong applicants from these seven countries, and according to a statement issued by many US-based academics, more than 3,000 Iranian students received PhDs from American universities in the past 3 years. Across our nine faculty members, we currently have funding available for numerous PhD students and postdoctoral researchers. If any student is stranded outside of the US, we of course hope that they are able to make it back quickly, but have funding for internships that would allow them to work from here in the interim. In organising conferences, we and our wider UCL colleagues are doing all we can to organise them in places without such bans in place, and where that is not possible to enable remote participation.

Most of all, as a group that prides itself on the quality and openness of its research and on its international reach, we would like to re-affirm our commitment to working with the best possible students and academics, regardless of their religion or their country of origin (or indeed anything aside from their scientific contributions). To quote a statement from the International Association of Cryptologic Research (IACR), “the open exchange of ideas requires freedom of movement.” To address the full effects of this ban we of course need far more international cooperation, but we hope that even our small actions can help mitigate the damage that has already been done to our friends and colleagues, both within and outside of the US, and that promises to continue to be done in the future.

Nicolas Courtois
Emiliano de Cristofaro
George Danezis
Jens Groth
Sarah Meiklejohn
Steven Murdoch
David Pym
Angela Sasse
Gianluca Stringhini

Why Bentham’s Gaze?

Why is this blog called “Bentham’s Gaze”? Jeremy Bentham (1748-1832) was a philosopher, jurist and social reformer. Although he took no direct role in the creation of UCL (despite the myth), Bentham can be considered its spiritual founder, with his ideas being embodied in the institution. Notably, UCL went a long way towards fulfilling Bentham’s desire of widening access to education, by being the first English university to admit students regardless of class, race or religion, and to welcome women on equal terms with men.

Bentham’s Gaze refers not just to his vision of education but also to the Panopticon – a design proposed for a prison where all inmates in the circular building are potentially under continual observation from a central inspection house. Importantly, inmates would not be able to tell whether they were actively being observed and so the hope was that good behaviour would be encouraged without the high cost of actually monitoring everyone. Although no prison was created exactly to Bentham’s design, some (e.g. Presidio Modelo in Cuba) have notable similarities and pervasive CCTV can be seen as a modern instantiation of the same principles.

Finally, the more corporeal aspect of the blog name is that UCL hosts Bentham’s Auto-Icon – a case containing his preserved skeleton with a wax head, seated in a chair, and dressed in his own clothes. The construction of the Auto-Icon was specified in Bentham’s will, and since 1850 it has been cared for by UCL. His head was also preserved but judged unsuitable for public display, and so is stored by UCL Museums. Many of the staff and students at UCL will walk in view of Bentham while crossing the campus.

You too can now enjoy Bentham’s Gaze thanks to the UCL PanoptiCam – a webcam attached to the top of the Auto-Icon, as you can see below from my photo of it (and its photo of me). Footage from the camera is both on Twitter and YouTube, with highlights and discussion on @Panopticam.

UCL Panopticam

View from PanoptiCam (2015-02-19)