Some more editing.

Dhananjay Balan 2019-04-15 10:44:26 +02:00
parent ead1e13006
commit c82f35abc7


@ -19,6 +19,7 @@ strict-transport-security: Strict-Transport-Security: max-age=31557600;
``` ```
To an HSTS aware client (i.e all mordern browsers) this means To an HSTS aware client (i.e all mordern browsers) this means
> _I swear that I will serve content on secure transport for atleast next 31557600 seconds (1 year)_ > _I swear that I will serve content on secure transport for atleast next 31557600 seconds (1 year)_
client can now cache this information, and if you ever get the client can now cache this information, and if you ever get the
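Review bot: two typos sit on the context lines of this hunk, "mordern" should be "modern" and "atleast" should be "at least", and "i.e" wants its second period ("i.e."). Since this commit is an editing pass over the same paragraph, it is the natural place to fold them in. The max-age arithmetic is fine as written: 31557600 seconds is 365.25 days, so "(1 year)" is accurate.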
@ -40,7 +41,7 @@ But max age is only one of the directive, there are more.
HSTS helps enforce HTTPS much better for a user, thus helping us avoid HSTS helps enforce HTTPS much better for a user, thus helping us avoid
non-secure transport attacks much better. non-secure transport attacks much better.
1. Passive network attackers ### 1. Passive network attackers
Threats from people sniffing your network passivly, like someone else Threats from people sniffing your network passivly, like someone else
on a public coffee shop wifi you are currently using. The best attack on a public coffee shop wifi you are currently using. The best attack
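Review bot: "passivly" on the first line of this threat description should be "passively". The two sentences just above the new heading also repeat the same qualifier ("helps enforce HTTPS much better ... avoid non-secure transport attacks much better"); dropping one of the two "much better"s would tighten the intro without losing anything. Promoting the list item to "### 1." reads well and matches the numbered headings introduced in the later hunks.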
@ -52,7 +53,7 @@ session tokens in a clear transport. HSTS helps browsers to force the
transport to be secure and fail if someone is trying to downgrade the transport to be secure and fail if someone is trying to downgrade the
connection to mount a firesheep style attach. connection to mount a firesheep style attach.
2. Active network attackers ### 2. Active network attackers
Threats from people inside the network, someone who has access to how Threats from people inside the network, someone who has access to how
you get on the internet (someone who got access to your ISP or the you get on the internet (someone who got access to your ISP or the
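Review bot: "attach" at the end of the sentence before the new heading should be "attack", and since Firesheep is the name of a specific tool it should be capitalised ("Firesheep style attack"). Otherwise the heading change here is consistent with the previous hunk.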
@ -62,7 +63,7 @@ client into beliving a secure transport does not exist for a particular
domain, thus forcing it to send sensitve data over cleartext. HSTS domain, thus forcing it to send sensitve data over cleartext. HSTS
will be able to detect this and prevent connecting to the site. will be able to detect this and prevent connecting to the site.
3. Deployment and management errors ### 3. Deployment and management errors
Deploying https is getting easier everyday, but still quite tricky to Deploying https is getting easier everyday, but still quite tricky to
get right if you are deploying a complex system. HSTS helps prevent get right if you are deploying a complex system. HSTS helps prevent
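Review bot: the sentence above the new heading, "HSTS will be able to detect this and prevent connecting to the site", is only true once the client has already cached the policy from an earlier HTTPS visit (or the domain is on a preload list); an active attacker who intercepts the very first connection can still strip TLS before the header is ever seen. One sentence stating that trust-on-first-use limit would set expectations correctly and would tie in with the preload-list remark in the note of caution later in this file. Two typos on the same lines: "beliving" should be "believing" and "sensitve" should be "sensitive".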
@ -70,13 +71,14 @@ management errors where one might have accidently exposed some
services (I'm looking at you legacy cruft!) on a subdomain, or services (I'm looking at you legacy cruft!) on a subdomain, or
embedded in a https site (so called mixed content errors) embedded in a https site (so called mixed content errors)
4. No click through errors. ### 4. No clicking through errors.
HSTS also helps mitigate user errors, in case of breakage hsts spec forces HSTS also helps mitigate user errors, in case of breakage hsts spec forces
client to not allow users to override their client to not allow users to override their
behaviour by clicking through. behaviour by clicking through.
## A note of caution ## A note of caution
HSTS is pretty unforgiving (for a good reason) in cases of TLS HSTS is pretty unforgiving (for a good reason) in cases of TLS
screwups. Also, its really hard to get out of preload lists. Make sure screwups. Also, its really hard to get out of preload lists. Make sure
your https deployment is rock stable pushing out HSTS, start with a your https deployment is rock stable pushing out HSTS. Start with a
small time delta, and keep increasing after careful testing. small time delta, and keep increasing after careful testing.
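Review bot: the new heading "### 4. No clicking through errors." keeps a trailing period that headings 1 to 3 in this file do not have, so it should be dropped for consistency, and "hsts spec" in the paragraph under it should read "the HSTS spec forces the client" to match the capitalisation and grammar used elsewhere. In the same hunk, "accidently" should be "accidentally", "https" is lowercase here while earlier text writes "HTTPS", and the reworded caution sentence "Make sure your https deployment is rock stable pushing out HSTS" reads as though it lost a word; "rock stable before pushing out HSTS" is presumably what was meant. The split into two sentences ("... pushing out HSTS. Start with a small time delta ...") is an improvement and worth keeping.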