Drafts for HSTS
This commit is contained in:
parent c022b9b66d
commit 99940dc316
42 blog/2019-04-08-notes-on-hsts.markdown Normal file
@@ -0,0 +1,42 @@
---
layout: post
title: "Notes on HSTS"
date: 2019-04-08
comments: true
tags: hsts, security, privacy
---

I was recently looking into enabling HSTS sitewide on a medium sized
site, and went through a reading spree of specifications
involved. These are my notes.

## What is HSTS

HTTP Strict Transport Secrity is a mechanism for sites to signal that
they would only be serving a secure transport (read: TLS) to serve
content from these domains. It is defined in
[RFC6797](https://tools.ietf.org/html/rfc6797).

### Threats mitigated
1. Passive network attackers

Threats from people sniffing your network passivly, like someone else
on a public coffee shop wifi you are currently using. The best attack
I can think of is
[FireSheep](https://en.wikipedia.org/wiki/Firesheep). Firesheep is
mitigated by never sending session tokens in a clear transport. HSTS
helps browsers to force the transport to be secure and fail if someone
is trying to downgrade the connection to mount a firesheep style
attach.

2. Active network attackers

Threats from people inside the network, someone who has access to how
you get on the internet (someone who got access to your ISP or the
wifi router etc). An attack example is
[sslstrip](https://moxie.org/software/sslstrip/). sslstrip fools the
client into beliving a secure transport doesnot exist for a particular
domain, thus forcing it to send sensitve data over cleartext. HSTS
will be able to detect this and prevent connecting to the site.

3. Deployment and management errors
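Review bot: the statement in the "Active network attackers" paragraph that HSTS "will be able to detect this and prevent connecting to the site" only holds once the browser has already received the Strict-Transport-Security header over a trusted HTTPS connection; a user's very first visit to the domain is still exposed to an sslstrip-style downgrade, which RFC 6797 itself covers as the bootstrap MITM vulnerability, so the draft should qualify the claim and mention the first-visit gap before moving on to "Deployment and management errors". Smaller points in the same hunk: "Secrity", "passivly", "beliving", "doesnot", "sensitve" and "attach" are misspellings, and "FireSheep", "Firesheep" and "firesheep" should settle on one spelling. In the front matter, `tags: hsts, security, privacy` is a single comma-separated string; check that the site generator splits it into three separate tags, otherwise write it as a YAML list.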