From c82f35abc7986b461a6d4508a6d07c59febe1689 Mon Sep 17 00:00:00 2001 From: Dhananjay Balan Date: Mon, 15 Apr 2019 10:44:26 +0200 Subject: [PATCH] Some more editing. --- blog/2019-04-08-notes-on-hsts.markdown | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/blog/2019-04-08-notes-on-hsts.markdown b/blog/2019-04-08-notes-on-hsts.markdown index 55ad4c5..485a2cc 100644 --- a/blog/2019-04-08-notes-on-hsts.markdown +++ b/blog/2019-04-08-notes-on-hsts.markdown @@ -19,6 +19,7 @@ strict-transport-security: Strict-Transport-Security: max-age=31557600; ``` To an HSTS aware client (i.e all mordern browsers) this means + > _I swear that I will serve content on secure transport for atleast next 31557600 seconds (1 year)_ client can now cache this information, and if you ever get the @@ -40,7 +41,7 @@ But max age is only one of the directive, there are more. HSTS helps enforce HTTPS much better for a user, thus helping us avoid non-secure transport attacks much better. -1. Passive network attackers +### 1. Passive network attackers Threats from people sniffing your network passivly, like someone else on a public coffee shop wifi you are currently using. The best attack @@ -52,7 +53,7 @@ session tokens in a clear transport. HSTS helps browsers to force the transport to be secure and fail if someone is trying to downgrade the connection to mount a firesheep style attach. -2. Active network attackers +### 2. Active network attackers Threats from people inside the network, someone who has access to how you get on the internet (someone who got access to your ISP or the 
@@ -62,7 +63,7 @@ client into beliving a secure transport does not exist for a particular domain, thus forcing it to send sensitve data over cleartext. HSTS will be able to detect this and prevent connecting to the site. -3. Deployment and management errors +### 3. Deployment and management errors Deploying https is getting easier everyday, but still quite tricky to get right if you are deploying a complex system. HSTS helps prevent @@ -70,13 +71,14 @@ management errors where one might have accidently exposed some services (I'm looking at you legacy cruft!) on a subdomain, or embedded in a https site (so called mixed content errors) -4. No click through errors. +### 4. No clicking through errors. HSTS also helps mitigate user errors, in case of breakage hsts spec forces client to not allow users to override their behaviour by clicking through. ## A note of caution + HSTS is pretty unforgiving (for a good reason) in cases of TLS screwups. Also, its really hard to get out of preload lists. Make sure -your https deployment is rock stable pushing out HSTS, start with a +your https deployment is rock stable pushing out HSTS. Start with a small time delta, and keep increasing after careful testing.
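Review bot: the blockquote wording in the first hunk (@@ -19,6 +19,7) reverses who is bound by `max-age`: a `Strict-Transport-Security: max-age=31557600` header instructs the client to refuse plain-HTTP connections to this host for the next 31557600 seconds, it is not a promise about what the server will serve. Suggest rewording the quoted line along the lines of `> _Only ever talk to me over a secure transport for the next 31557600 seconds (1 year)_`. Since this commit is an editing pass, the unchanged context around the new blank line could also pick up "mordern" (modern), "atleast" (at least), "i.e all" (i.e. all) and the lowercase sentence fragment "client can now cache" (The client can now cache).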
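Review bot: the heading change in the second hunk (@@ -40,7 +41,7) is fine, but the context line "Threats from people sniffing your network passivly" still has the typo "passivly" (passively), and the hunk's header context "only one of the directive" should read "only one of the directives". Worth fixing in the same editing commit rather than leaving for another pass.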
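Review bot: in the third hunk (@@ -52,7 +53,7) the context line ends with "mount a firesheep style attach", which should be "attack"; the header context also carries "beliving" (believing) and the next hunk's context "sensitve" (sensitive). On substance, the claim that HSTS "will be able to detect this and prevent connecting to the site" against an active attacker holds only when the client already has a cached or preloaded policy for the domain; a first visit to a domain that is not on the preload list is still exposed, so the sentence should say so (the preload list is already mentioned in the "A note of caution" section).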
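Review bot: the fourth hunk (@@ -62,7 +63,7) turns item 3 into a heading, but the paragraph it introduces says HSTS prevents accidentally exposing services "on a subdomain" without qualification. That protection only applies when the policy is sent with the `includeSubDomains` directive; a bare `max-age` policy covers the exact host that sent it. Suggest naming the directive here, since the text above already says max-age is only one of several. Minor: "Deploying https" should match the "HTTPS" spelling used earlier, and "everyday" should be "every day".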
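Review bot: in the last hunk (@@ -70,13 +71,14) the new heading `### 4. No clicking through errors.` keeps a trailing period that the other three headings do not have; drop it for consistency. The reworded sentence "Make sure your https deployment is rock stable pushing out HSTS. Start with a small time delta" still reads as if a word is missing, and should probably be "rock stable before pushing out HSTS." Also in the touched lines: "hsts spec" should be "HSTS spec", "its really hard" should be "it's really hard", and the previous paragraph's closing "(so called mixed content errors)" has no terminating period.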