HTTP Strict Transport Security

mgoodwin


The lack of (or inconsistent use of) SSL puts users’ security and privacy at risk. Increasingly, popular sites require SSL not just for operations that obviously involve private data (login and so on) but for entire sessions. This is a good thing.

Unfortunately, there are a number of techniques an attacker can use to defeat this. The best known is SSL stripping, in which an active man-in-the-middle intercepts traffic between the browser and the server and downgrades what should be an HTTPS connection to an unencrypted HTTP one. It works because the first request to a site is usually plain HTTP (the user types a bare hostname or follows an http:// link), and the attacker simply rewrites the server’s redirects and links so that the browser never moves to HTTPS; the only visible sign is a missing padlock.

HSTS (HTTP Strict Transport Security) is designed to make attacks like this harder. A server sends a Strict-Transport-Security response header (carrying a max-age directive and, optionally, includeSubDomains) to tell the browser that all subsequent connections to that host must be made via HTTPS for the given number of seconds. The browser only honours the header when it arrives over a properly authenticated HTTPS connection, so an attacker cannot plant one over plain HTTP. Once a host is known, any request to it over HTTP is upgraded by the browser before it leaves the machine, and if the site’s SSL certificate can’t be verified the connection fails outright: there is no warning page to click through, which is the point, since a man-in-the-middle presenting a bad certificate is exactly what the user would otherwise be asked to accept.

There’s a gap in this protection though: if your very first connection to a site is intercepted, not only can that connection be downgraded, the attacker can also stop the browser from ever seeing the HSTS header. This can be resolved for popular sites that use HSTS by means of an in-browser preload list (coming soon in Firefox 17 – currently in Beta), so the browser treats those hosts as HSTS hosts before it has ever spoken to them. You can read more about preloading HSTS in our earlier post on the subject.
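As an added example (this is not code from the original post, nor Firefox’s implementation), here is a small Python model of the browser-side policy store that the two paragraphs above describe: parsing the Strict-Transport-Security header, remembering the policy for max-age seconds, upgrading later http:// requests, treating certificate errors as fatal, and a preload set that closes the first-connection gap. The hostnames bank.example and preloaded.example are constructed, and the preload handling is simplified (entries never expire and always cover subdomains).

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts_header(value):
    """Parse a Strict-Transport-Security header value into
    (max_age_seconds, include_subdomains), or None if it is invalid.
    Directive names are case-insensitive, unknown directives are ignored,
    and a missing, duplicated or non-numeric max-age invalidates the
    whole header (RFC 6797 section 6.1)."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)


class HstsStore:
    """A browser's HSTS policy store: hosts learned from headers plus a
    built-in preload set. `clock` is injectable so expiry can be tested."""

    def __init__(self, preload=(), clock=time.time):
        self._clock = clock
        self._policies = {}  # host -> (expiry_time, include_subdomains)
        # Simplification: preloaded entries never expire and cover subdomains.
        self._preload = {h.lower() for h in preload}

    def process_response(self, host, over_https, cert_ok, sts_header):
        """Learn (or forget) a policy from a response; True if accepted.
        The header is only honoured when it arrived over TLS with a valid
        certificate (RFC 6797 section 8.1), which is why an attacker who
        serves plain HTTP cannot plant or poison a policy."""
        if not (over_https and cert_ok) or sts_header is None:
            return False
        parsed = parse_sts_header(sts_header)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:
            self._policies.pop(host.lower(), None)  # site is opting out
        else:
            self._policies[host.lower()] = (self._clock() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if `host` or a covering parent domain has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self._preload:
                return True
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expiry, include_subdomains = policy
            if expiry <= self._clock():
                del self._policies[candidate]  # max-age has elapsed
            elif i == 0 or include_subdomains:
                return True
        return False

    def rewrite_url(self, url):
        """Upgrade an http:// URL to https:// for known hosts, mapping the
        default port 80 to 443 and keeping any explicit non-default port."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc = "%s:%d" % (netloc, parts.port)
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def cert_error_outcome(self, host):
        """An unverifiable certificate is a hard failure for HSTS hosts; for
        other hosts the user gets a warning they may click through."""
        return "hard-fail" if self.is_known(host) else "override-warning"


def ssl_strip_walkthrough():
    """Replay the first-connection gap from the post with the constructed
    host bank.example; returns the URL the browser would fetch in each case."""
    results = {}
    # 1. Attacker on the path at first visit: plain HTTP, header never seen.
    fresh = HstsStore()
    fresh.process_response("bank.example", over_https=False, cert_ok=True, sts_header=None)
    results["stripped_first_visit"] = fresh.rewrite_url("http://bank.example/account")
    # 2. Clean first visit over HTTPS: policy learned, later http:// links upgraded.
    clean = HstsStore()
    clean.process_response("bank.example", True, True, "max-age=31536000; includeSubDomains")
    results["after_clean_visit"] = clean.rewrite_url("http://bank.example/account")
    # 3. Host on the preload list: upgraded even with no prior visit at all.
    preloaded = HstsStore(preload=["bank.example"])
    results["preloaded_first_visit"] = preloaded.rewrite_url("http://bank.example/account")
    return results
```

The walkthrough makes the gap concrete: in the stripped case nothing is learned, because a policy may only come from an authenticated HTTPS response, so the next http:// request goes out unprotected again; only a prior clean visit or a preload entry lets the browser upgrade the request on its own.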

Firefox has supported HSTS since version 4; we think it’s about time your site did too. You can learn more about HSTS and how to implement it in this article on MDN.

3 responses

  1. Philipp wrote on:

    “coming soon in Firefox 17 – currently in Beta” – FF17 is already released, did you mean 18?

  2. anon wrote on:

    “coming soon in Firefox 17 – currently in Beta”

    Firefox 17 was released almost a month ago. And mozilla.beta is on version 18 atm afaik.
    According to “https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List” this feature has already been shipped.

  3. Daniel Veditz wrote on:

    The feature was definitely included in Firefox 17, which is no longer in Beta now but was on November 1 when the linked “earlier post on the subject” was published. Sorry about the post timing, I assume this must be an older article that got stuck since the day it was published was a holiday for the author (“Boxing Day” in the UK).