Categories: SSL/TLSWhat is

HTTPS Strict Transport Security (HSTS): What is It and How it Works?

Have you got HTTPS protocol working on your web server? If you answered in yes, that’s great. But have you got the HTTPS Strict Transport Security (HSTS) Policy implemented? I guess your answer is NO… and if it is true, then I’d like to tell you that it’s not a very wise thing. Why? We’ll try to understand that in this article:

The Problem with HTTP

While HTTP is a great protocol that was instrumental in starting the journey of World Wide Web, it has some weaknesses that make it a bad choice for confidential communications. The data transferred using an HTTP connection is transferred as it is, which means if someone can eavesdrop on your data packets he/she can see the entire content going through your HTTP connection (such attacks are called man-in-the-middle attacks). When you’re dealing with secure data (i.e. usernames, passwords, financial information etc.), this can become a major problem as leakage of such data can turn out to be very costly.

The Solution: HTTPS

This led to the development of HTTP Secure or HTTPS. This protocol is essentially HTTP, except for the difference that it encrypts the data being transferred between you and your server. So when you submit some data to a website with HTTPS connection, no one can see it except for you and the site to which you submitted it. But still problems.

But, There’s Still a Problem

So far, so good. However, there one small caveat. And that small caveat can be used by hackers to bypass HTTPS encryption and fool your browser into communicating over insecure HTTP protocol instead. Such attacks are known as protocol downgrade attacks, and with them, an attacker can keep you away from ever using HTTPS for any particular website.

But How’s It Possible?

The protocol downgrade attacks become possible due to a design flaw of HTTP and HTTPS. The thing is that when you first enter a website address in your browser or click a link, your browser tries to connect to that site via HTTP protocol. Now, if that site uses HTTPS, its server tells your browser to communicate with it over HTTPS instead.

Only then your browser proceeds the connection via secure HTTPS protocol. But the first request in this whole process was sent over HTTP… and that’s where a cyber criminal can do his trick.

Also Read MITM attack over HTTPS connection with SSLStrip

The cyber criminal can impersonate the web server of that site and then in first request (which is sent over HTTP) itself he can present the client with a web page that’s exact copy of the original web page residing on your server, but which will send the username and password to him instead. The attacker can then follow this strategy again and again… thus keeping the user away from ever using HTTPS protocol to communicate with your site.

The Solution: HTTP Strict Transport Security (HSTS)

The solution to this problem of protocol downgrade attacks is HTTP Strict Transport Security policy. What this policy does is telling the web browsers to communicate with your site over HTTPS protocol only and never use HTTP. After that message is communicated the browser remembers that it shouldn’t try to communicate with your website over HTTP, and initiates future requests to your site from HTTPS itself.

Besides that, all popular browsers also come with their own preloaded HSTS lists to which they can refer and figure out whether a website uses HSTS or not. This makes protocol downgrade attacks increasingly difficult.

How HSTS Works

The HSTS policy is enabled by adding the following field to your HTTPS response header:
Strict-Transport-Security: max-age=expireTime [; includeSubdomains]
This field communicates to the browser that your server wants to be accessed over HTTPS protocol only. The

The expire time value tells the browser about time duration for which your site should be accessed via HTTPS protocol only, and with include subdomains value you can apply the same policy to your desired sub domains as well in one go.

Once your website has communicated to popular web browsers with this HSTS policy for some time, the browser makers can also include your site to their pre-loaded list of HSTS sites, a post which your browser will not even need the above-given header to know whether you’ve HSTS enabled or not.

Conclusion

HSTS is a robust policy that you must implement in your web server to make it more secure in general. It’s especially important if your site requires the transfer of sensitive user data. Implement it today to provide the best possible security to your visitors.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

View Comments

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

21 hours ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

3 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

3 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

3 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

3 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago