dbalan/blogng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Some more editing.

Browse Source
This commit is contained in:
Dhananjay Balan 2019-04-15 10:44:26 +02:00
parent ead1e13006
commit c82f35abc7
1 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
blog/2019-04-08-notes-on-hsts.markdown
View File

@ -19,6 +19,7 @@ strict-transport-security: Strict-Transport-Security: max-age=31557600;
```
To an HSTS aware client (i.e all mordern browsers) this means
> _I swear that I will serve content on secure transport for atleast next 31557600 seconds (1 year)_
client can now cache this information, and if you ever get the
@ -40,7 +41,7 @@ But max age is only one of the directive, there are more.
HSTS helps enforce HTTPS much better for a user, thus helping us avoid
non-secure transport attacks much better.
1. Passive network attackers
### 1. Passive network attackers
Threats from people sniffing your network passivly, like someone else
on a public coffee shop wifi you are currently using. The best attack
@ -52,7 +53,7 @@ session tokens in a clear transport. HSTS helps browsers to force the
transport to be secure and fail if someone is trying to downgrade the
connection to mount a firesheep style attach.
2. Active network attackers
### 2. Active network attackers
Threats from people inside the network, someone who has access to how
you get on the internet (someone who got access to your ISP or the
@ -62,7 +63,7 @@ client into beliving a secure transport does not exist for a particular
domain, thus forcing it to send sensitve data over cleartext. HSTS
will be able to detect this and prevent connecting to the site.
3. Deployment and management errors
### 3. Deployment and management errors
Deploying https is getting easier everyday, but still quite tricky to
get right if you are deploying a complex system. HSTS helps prevent
@ -70,13 +71,14 @@ management errors where one might have accidently exposed some
services (I'm looking at you legacy cruft!) on a subdomain, or
embedded in a https site (so called mixed content errors)
4. No click through errors.
### 4. No clicking through errors.
HSTS also helps mitigate user errors, in case of breakage hsts spec forces
client to not allow users to override their
behaviour by clicking through.
## A note of caution
HSTS is pretty unforgiving (for a good reason) in cases of TLS
screwups. Also, its really hard to get out of preload lists. Make sure
your https deployment is rock stable pushing out HSTS, start with a
your https deployment is rock stable pushing out HSTS. Start with a
small time delta, and keep increasing after careful testing.