Emerging vulnerabilities underscore the argument for creating a safer Internet for everyone including domain owners by using HTTPS Everywhere, as called for by Google in 2014. The HTTPoxy vulnerability sends us yet another signal to use HTTPS Everywhere, including internal sites.
Although secure servers are not susceptible to the HTTPoxy vulnerability, administrators should check their unprotected servers. The vulnerability affects server-side web applications, so if you are not deploying server-side code, you don’t need to worry.
HTTPoxy causes server vulnerability under the following conditions:
- Code running under a CGI-like context, where HTTP_PROXY becomes a real or emulated environment variable
- An HTTP client that trusts HTTP_PROXY, and configures it as the proxy
- That client, used within a request handler, making an HTTP (as opposed to HTTPS) request
Vulnerable servers may allow an attacker to:
- Proxy the outgoing HTTP requests made by the web application
- Direct the server to open outgoing connections to an address and port of their choosing
- Tie up server resources by forcing the vulnerable software to use a malicious proxy
So what to do? The Sophos Naked Security blog recommends the following:
- Use your web server to strip out Proxy: headers. They’re redundant at best, because there’s no defined use for headers with this name, so you may as well throw them out. The HTTPoxy website has examples on how to do this with various web servers.
- Check for patches if you use vulnerable CGI configurations.
- Switch to HTTPS everywhere, inside and out. Generally speaking, the environment variable HTTP_PROXY has no effect on HTTPS connections. You’ll also be contributing to a less leaky Internet: the sort of online altruism that benefits everyone, including you.
- Consider blocking outbound requests from your web and CGI servers. If your servers need to go off-site, isolate your processes from the Internet by default, and then allow-list only the external content you expect them to need.
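The three conditions listed above, and the first three mitigations, can be traced through in a few lines. The following is an added illustration (not code from the article or from Sophos) of how a CGI gateway turns a client-supplied `Proxy:` header into `HTTP_PROXY`, and of why stripping the header, switching the outgoing request to HTTPS, or using a patched client each breaks the chain; the header values and `api.internal` URLs are constructed samples.

```python
# Request headers as a CGI gateway would receive them (constructed sample).
SAMPLE_HEADERS = {
    "Host": "intranet.example",
    "User-Agent": "curl/8.0",
    "Proxy": "http://203.0.113.9:8080",   # the client-controlled header HTTPoxy abuses
}

def cgi_environ(headers, request_method="GET"):
    """Build CGI meta-variables the way RFC 3875 prescribes: every request
    header becomes 'HTTP_' + NAME upper-cased with '-' turned into '_'.
    A client-supplied 'Proxy:' header therefore lands in HTTP_PROXY, the
    variable many HTTP client libraries read for their proxy setting."""
    env = {"REQUEST_METHOD": request_method}   # always present in a CGI context
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def strip_proxy_header(headers):
    """Web-server side mitigation: drop any 'Proxy' header before the CGI
    environment is built. No HTTP specification defines this header, so
    removing it loses nothing legitimate."""
    return {n: v for n, v in headers.items() if n.lower() != "proxy"}

def proxy_for(url, environ, cgi_aware=True):
    """Return the proxy an environment-trusting client would pick for url.
    HTTP_PROXY only governs http:// URLs, so https:// requests are unaffected,
    which is why HTTPS everywhere is itself a mitigation. With cgi_aware the
    client applies the fix patched libraries such as CPython's urllib adopted:
    ignore HTTP_PROXY whenever REQUEST_METHOD marks a CGI context."""
    scheme = url.split(":", 1)[0].lower()
    if scheme == "https":
        return environ.get("HTTPS_PROXY")
    if scheme != "http":
        return None
    if cgi_aware and "REQUEST_METHOD" in environ:
        return None
    return environ.get("HTTP_PROXY")

def assess(headers, url, cgi_aware=False):
    """True when a request handler fetching url with an unpatched client
    would be routed through a proxy chosen by the remote client."""
    return proxy_for(url, cgi_environ(headers), cgi_aware) is not None

if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS, "http://api.internal/ping"))                         # True
    print(assess(strip_proxy_header(SAMPLE_HEADERS), "http://api.internal/ping"))     # False
    print(assess(SAMPLE_HEADERS, "https://api.internal/ping"))                        # False
    print(assess(SAMPLE_HEADERS, "http://api.internal/ping", cgi_aware=True))         # False
```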
Consider deploying HTTPS Everywhere to all of your external and internal sites, as HTTPS helps to:
- Provide security to all websites and pages regardless of content
- Mitigate known attacks such as SSLstrip and Firesheep
- Protect browser users’ privacy as to which sites they are viewing
- Support deployment of HSTS, which makes the browser show an error if the site is not secure
- Support deployment of HTTP/2, which gives browsers better performance and lower latency
- Improve search engine optimization (SEO) for Google