Is HTTPS Enough? Consider Implementing HSTS

HTTP Strict Transport Security (HSTS)

By now, many organisations are already aware of the difference between Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS). For those who are not, the only difference between the two protocols is that HTTPS uses Transport Layer Security (TLS), or its older and now deprecated alternative Secure Sockets Layer (SSL), to encrypt normal HTTP requests and responses. As a result, HTTPS is far more secure than HTTP. A website that uses HTTP has ‘http://’ in its URL, while a website that uses HTTPS has ‘https://’. Simply put, HTTPS is HTTP with encryption.

However, attackers can still use a technique known as SSL Stripping to intercept this connection and replace the valid certificate with their own; as a result, they can view the traffic in clear text (without encryption). Therefore, we should use Hypertext Transfer Protocol Strict Transport Security, more commonly referred to as HTTP Strict Transport Security or HSTS.

What is HSTS?

HSTS is a web security policy mechanism: it instructs web browsers that they should ONLY interact with the web server over an HTTPS connection.

This should not be confused with “Forwarding” or “Redirecting”.

Even if you forward or redirect all HTTP traffic to HTTPS, this will not prevent SSL Stripping or Man-in-the-Middle attacks. This is because the initial request, before the forward or redirect takes place, could still travel over the unencrypted version of the site (HTTP). For example, the visitor types http://www.securecorp.com/ or even just securecorp.com. This creates an opportunity for a man-in-the-middle attack: the redirect could be exploited to send visitors to a malicious site instead of the secure version of the original site.

The difference is that HSTS gives the browser an explicit instruction upfront to use only HTTPS, and the browser will drop the connection if there is an attempt at certificate replacement. This is because the HSTS header informs the browser that it should never load the site over HTTP and should automatically convert every attempt to access the site over HTTP into an HTTPS request instead.

HSTS works by sending a header field named “Strict-Transport-Security” from the website (server) to the browser (user agent), which specifies the period of time for which the browser must access the server only over HTTPS.

However, there are important considerations to keep in mind: enable HTTPS before HSTS, or browsers cannot accept your HSTS settings; and once HSTS is enabled, HTTPS must remain enabled, or visitors cannot access your site.

Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.

Why Should You Use HSTS?

As stated above, HTTP requests are unencrypted plain text, which can easily be read or monitored by cybercriminals; with the right technique, a cybercriminal could potentially spy on all activity between the browser and the website. This could be customers using your wi-fi to make payments, or employees performing business transactions. The possibilities for attackers are endless, yet the effort to implement HSTS is low and no additional technology investment is required.

Example: You log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you’re using is actually a hacker’s laptop, and they’re intercepting your original HTTP request and redirecting you to a clone of your bank’s site instead of the real thing. Now your private data is exposed to the hacker.

Strict Transport Security resolves this problem; as long as you’ve accessed your bank’s web site once using HTTPS, and the bank’s web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.

In practical terms, HSTS makes it almost impossible for someone to steal your customers’ information by attempting SSL Stripping or a Man-in-the-Middle Attack. This is because the browser will not allow the connection when the attempt is made. Instead, the browser will display an error message, and the user will not have the option to “Accept”, “Ignore” or “Bypass” it. Also, any attempt to access your website will be forced over an HTTPS connection, and any plain HTTP request to the site will be terminated. This means any online activity you need to run your business will be kept secure and protected.

Give Me the Technical Details

  • Strict-Transport-Security: max-age=<expire-time>
  • Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
  • Strict-Transport-Security: max-age=<expire-time>; preload

max-age=<expire-time>

The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.

includeSubDomains (Optional)

If this optional parameter is specified, this rule applies to all of the site’s subdomains as well.

preload (Optional)

Google maintains an HSTS preload service. If you follow its guidelines and successfully submit your domain, browsers will never connect to your domain using an insecure connection, not even on the very first visit.
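As an added example (not code from the original article), the following Python models the browser side of the header exchange described above: it parses the Strict-Transport-Security directives listed in this section, applies the preload-service rule of thumb that a submitted domain needs a max-age of at least one year together with includeSubDomains and preload, and keeps a per-host policy store that ignores the header over plain HTTP, upgrades later http:// requests for covered hosts and subdomains, and forgets a host once max-age has elapsed or max-age=0 is received. Host names and timestamps are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the preload service guidelines require at least this max-age

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains, preload); None if invalid."""
    max_age, flags = None, {"includesubdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip()
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r'\d+|"\d+"', value):
                return None  # duplicate or malformed max-age (RFC 6797 requires exactly one)
            max_age = int(value.strip('"'))
        elif name in flags:
            if flags[name]: return None  # a duplicated directive invalidates the header
            flags[name] = True
    return None if max_age is None else (max_age, flags["includesubdomains"], flags["preload"])

def preload_eligible(header):
    """Preload-list rule of thumb: max-age of at least one year plus includeSubDomains and preload."""
    parsed = parse_hsts(header)
    return parsed is not None and parsed[0] >= ONE_YEAR and parsed[1] and parsed[2]

class HstsStore:
    def __init__(self):
        self.policies = {}  # host -> (expiry timestamp, includeSubDomains)

    def observe(self, url, header, now):
        """Record a policy, but only from an HTTPS response: over plain HTTP the header is ignored."""
        parts, parsed = urlsplit(url), parse_hsts(header)
        if parts.scheme != "https" or parsed is None:
            return False
        max_age, include_sub, _ = parsed
        if max_age == 0:
            self.policies.pop(parts.hostname, None)  # max-age=0 tells the browser to forget the host
        else:
            self.policies[parts.hostname] = (now + max_age, include_sub)
        return True

    def rewrite(self, url, now):
        """Return the URL the browser actually fetches: http:// is upgraded while a live policy covers the host."""
        parts = urlsplit(url)
        for known, (expires, include_sub) in self.policies.items():
            covered = parts.hostname == known or (include_sub and parts.hostname.endswith("." + known))
            if now < expires and covered:
                return urlunsplit(parts._replace(scheme="https"))
        return url
```

Feeding the store a header received over http:// leaves it empty, which is exactly why the first visit stays exposed until the domain is preloaded.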

How Can We Help?

CyberSec is equipped to offer cybersecurity advisory, consulting and solutions on multiple fronts, including HSTS. Our team can effectively implement this security solution without additional technology investment on your part. With our industry expertise and experience in exposing and protecting against cybersecurity vulnerabilities, you’ll know that you’re receiving the best possible protection from the risks identified above.