SSL Security – HTTP Strict Transport Security

Wikipedia defines HSTS as follows:

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL[1]). HSTS is an IETF standards track protocol and is specified in RFC 6797. The HSTS Policy is communicated by the server to the user agent via an HTTP response header field named “Strict-Transport-Security“. HSTS Policy specifies a period of time during which the user agent shall access the server in only secure fashion.

The most important vulnerability that HSTS addresses is the SSL-stripping man-in-the-middle attack, first publicly presented by Moxie Marlinspike in his 2009 BlackHat Federal talk "New Tricks For Defeating SSL In Practice." SSL stripping works (against both SSL and TLS) by transparently converting a secure HTTPS connection into a plain HTTP connection: the attacker sits between the user and the site, speaks HTTPS to the server, and rewrites the HTTPS links and redirects it relays back to the user into HTTP. The user can see that the connection is insecure, but crucially has no way of knowing whether it should have been secure. Many websites do not use TLS/SSL, so without prior knowledge there is no way to tell whether plain HTTP is the result of an attack or simply of the site never having deployed TLS/SSL. No warnings are presented during the downgrade, which makes the attack subtle to all but the most vigilant users. Marlinspike's sslstrip tool fully automates it.

HSTS addresses this by having the site tell the browser that every connection to it must use TLS/SSL. A complying browser then rewrites http:// URLs for that host to https:// before sending anything, and, for as long as the policy is cached, treats a certificate error as a hard failure rather than offering a click-through warning. The weakness is the first visit: if the user has never received the header, an attacker on the path can strip it along with everything else. Google Chrome and Mozilla Firefox limit this window by shipping a "preloaded" list of HSTS sites. That list cannot scale to every website on the internet; a proposed alternative is to declare HSTS policy in DNS records retrieved securely via DNSSEC, optionally with certificate fingerprints to confirm validity (although DNSSEC will have secure last-mile issues for the foreseeable future). HSTS also helps prevent theft of cookie-based login credentials, because the browser never sends a request, and therefore never sends cookies, to the host over plain HTTP. You can implement this right away.

What is HSTS Preloading?

HSTS preloading is a browser feature whereby a global list of hosts that wish to enforce TLS/SSL on their sites is built into the browser's own software. The list is maintained by Google for Chrome and is also consumed by Firefox and Safari. For these hosts the browser does not depend on ever having seen the HSTS response header: it already knows the host requires TLS/SSL before any connection is made, which removes the attacker's opportunity to intercept and tamper with the HTTP-to-HTTPS redirect on a first visit. This does not mean the host can stop issuing the HSTS response header. It must remain in place for browsers that do not use a preload list, and a compliant header is a condition of being accepted onto the list in the first place.

Once you have implemented the recommendations below, go to the HSTS preload application form (hstspreload.org) and submit your domain. It will take time for the domain to appear in a shipped browser release. Submission requires a valid certificate, an HTTP-to-HTTPS redirect on the same host, and the header on the HTTPS responses for the base domain and all subdomains with a max-age of at least one year (31536000 seconds), the includeSubDomains directive and the preload directive. Treat preloading as a one-way decision: every subdomain, including ones you do not serve publicly today, must work over HTTPS, and removal from the list takes months to reach users' browsers.

Apache HSTS

Add the header in the TLS virtual host (the one listening on port 443), never in the port-80 host, which should only redirect to HTTPS. If your distribution manages the main vhost files, keep the directive in a custom include so upgrades do not overwrite it. Consult your webmaster if you do not administer the configuration yourself.
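The Apache configuration that does this, as an added example rather than configuration from the original post. It assumes mod_headers and mod_ssl are loaded and uses example.com as a placeholder host name:

```apache
<VirtualHost *:80>
    ServerName example.com
    # No HSTS header here: browsers ignore it over plain HTTP (RFC 6797 8.1).
    # Redirect to the same host over HTTPS, which the preload form requires.
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile as usual for this host.
    # Requires mod_headers. "always" also sets the header on redirect and
    # error responses, which the preload checker expects to see.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
```

Reload Apache and confirm with curl -sI https://example.com/ that the header appears on the HTTPS response and not on the HTTP one.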

lighttpd HSTS

If you run this web server, please comment on how to improve these instructions.
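As an added example (not from the original post), lighttpd can set the header with mod_setenv, scoped to the TLS socket so that it never goes out over plain HTTP. It assumes mod_setenv is listed in server.modules and that the certificate path is adjusted for your host:

```conf
# lighttpd: requires mod_setenv, e.g. server.modules += ( "mod_setenv" )
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/example.com.pem"   # placeholder path
    # Only responses served on the TLS socket carry the header.
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=31536000; includeSubDomains; preload"
    )
}

# Plain-HTTP requests get a redirect to the same host over HTTPS and no HSTS header.
$SERVER["socket"] == ":80" {
    $HTTP["host"] =~ "^(.*)$" {
        url.redirect = ( "^/(.*)" => "https://%1/$1" )
    }
}
```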

nginx HSTS

Put this in the server block that listens on 443, not in the port-80 block, which should only redirect to HTTPS:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

Note that nginx inherits add_header directives from the enclosing level only when the current level defines none of its own, so a location block with its own add_header silently drops the HSTS header unless it repeats it. Add the always parameter if the header must also be sent on redirect and error responses.

IIS HSTS

An open source HSTS module is available for Internet Information Services; the header can also be set from web.config with the URL Rewrite module, and newer IIS 10 builds have a native hsts site element in applicationHost.config.

The YouTube video "OWASP Appsec Tutorial Series – Episode 4" describes the importance of using HTTPS for all sensitive communication, and how the HTTP Strict Transport Security header can be used to ensure greater security by having the browser transform all HTTP links to HTTPS automatically.

Google Webmaster Tools stopped indexing after implementation, so I went to http://stackoverflow.com/questions/22733108/hsts-blocks-googlebot to find answers.
