From 99940dc31641308efe2915b8f2b37e06a475be59 Mon Sep 17 00:00:00 2001 From: Dhananjay Balan Date: Mon, 8 Apr 2019 17:20:37 +0200 Subject: [PATCH] Drafts for HSTS --- blog/2019-04-08-notes-on-hsts.markdown | 42 ++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 blog/2019-04-08-notes-on-hsts.markdown diff --git a/blog/2019-04-08-notes-on-hsts.markdown b/blog/2019-04-08-notes-on-hsts.markdown new file mode 100644 index 0000000..c2cb094 --- /dev/null +++ b/blog/2019-04-08-notes-on-hsts.markdown 
@@ -0,0 +1,42 @@ +--- +layout: post +title: "Notes on HSTS" +date: 2019-04-08 +comments: true +tags: hsts, security, privacy +--- + +I was recently looking into enabling HSTS sitewide on a medium sized +site, and went through a reading spree of specifications +involved. These are my notes. + +## What is HSTS + +HTTP Strict Transport Secrity is a mechanism for sites to signal that +they would only be serving a secure transport (read: TLS) to serve +content from these domains. It is defined in +[RFC6797](https://tools.ietf.org/html/rfc6797). + +### Threats mitigated +1. Passive network attackers + +Threats from people sniffing your network passivly, like someone else +on a public coffee shop wifi you are currently using. The best attack +I can think of is +[FireSheep](https://en.wikipedia.org/wiki/Firesheep). Firesheep is +mitigated by never sending session tokens in a clear transport. HSTS +helps browsers to force the transport to be secure and fail if someone +is trying to downgrade the connection to mount a firesheep style +attach. + +2. Active network attackers + +Threats from people inside the network, someone who has access to how +you get on the internet (someone who got access to your ISP or the +wifi router etc). An attack example is +[sslstrip](https://moxie.org/software/sslstrip/). sslstrip fools the +client into beliving a secure transport doesnot exist for a particular +domain, thus forcing it to send sensitve data over cleartext. HSTS +will be able to detect this and prevent connecting to the site. + +3. Deployment and management errors
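Review bot: the "Passive network attackers" item mixes up the two threat classes: a passive sniffer cannot downgrade a connection, so the sentence "HSTS helps browsers to force the transport to be secure and fail if someone is trying to downgrade the connection" belongs under the active attacker item, while the passive case is really about HSTS preventing the browser from ever issuing the cleartext request that would expose a session cookie (which also depends on the cookie carrying the Secure flag, worth saying explicitly). Two smaller points in the same hunk: HSTS only protects after the header has been seen once, so a line on the first-visit window and the preload list would make the "Threats mitigated" section accurate, and item "3. Deployment and management errors" ends the hunk with no body while items 1 and 2 each have one. Spelling fixes for the draft: "Secrity", "passivly", "attach" (attack), "beliving", "doesnot", "sensitve", and "FireSheep" versus "Firesheep".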