Drafts for HSTS

blog/2019-04-08-notes-on-hsts.markdown

@@ -0,0 +1,42 @@
+---
+layout: post
+title: "Notes on HSTS"
+date: 2019-04-08
+comments: true
+tags: hsts, security, privacy
+---
+
+I was recently looking into enabling HSTS sitewide on a medium sized
+site, and went through a reading spree of specifications
+involved. These are my notes.
+
+## What is HSTS
+
+HTTP Strict Transport Secrity is a mechanism for sites to signal that
+they would only be serving a secure transport (read: TLS) to serve
+content from these domains. It is defined in
+[RFC6797](https://tools.ietf.org/html/rfc6797).
+
+### Threats mitigated
+1. Passive network attackers 
+
+Threats from people sniffing your network passivly, like someone else
+on a public coffee shop wifi you are currently using. The best attack
+I can think of is
+[FireSheep](https://en.wikipedia.org/wiki/Firesheep). Firesheep is
+mitigated by never sending session tokens in a clear transport. HSTS
+helps browsers to force the transport to be secure and fail if someone
+is trying to downgrade the connection to mount a firesheep style
+attach.
+
+2. Active network attackers
+
+Threats from people inside the network, someone who has access to how
+you get on the internet (someone who got access to your ISP or the
+wifi router etc). An attack example is
+[sslstrip](https://moxie.org/software/sslstrip/). sslstrip fools the
+client into beliving a secure transport doesnot exist for a particular
+domain, thus forcing it to send sensitve data over cleartext. HSTS
+will be able to detect this and prevent connecting to the site.
+
+3.  Deployment and management errors