---
layout: post
title: "Notes on HSTS"
date: 2019-04-08
comments: true
tags: hsts, security, privacy
---

I was recently looking into enabling HSTS sitewide on a medium-sized site, and went through a reading spree of the specifications involved. These are my notes.

## What is HSTS

HTTP Strict Transport Security is a mechanism for sites to signal that content for their domains will only be served over a secure transport (read: TLS). It is defined in [RFC6797](https://tools.ietf.org/html/rfc6797).

### Threats mitigated

1. Passive network attackers

   Threats from people sniffing your network passively, like someone else on the public coffee shop wifi you are currently using. The best attack I can think of is [FireSheep](https://en.wikipedia.org/wiki/Firesheep). Firesheep is mitigated by never sending session tokens over a cleartext transport. HSTS lets browsers force the transport to be secure and fail the connection if someone tries to downgrade it to mount a Firesheep-style attack.

2. Active network attackers

   Threats from people in the network path, i.e. someone with control over how you reach the internet (someone who has compromised your ISP or the wifi router, etc.). An attack example is [sslstrip](https://moxie.org/software/sslstrip/). sslstrip fools the client into believing that a secure transport does not exist for a particular domain, thus forcing it to send sensitive data over cleartext. HSTS lets the browser detect this and refuse to connect to the site over cleartext.

3. Deployment and management errors
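To make the mechanism described under "What is HSTS" and the sslstrip point above concrete, here is an added example (not code from the original post, and not a real browser's implementation) that models the two halves of RFC 6797: parsing the `Strict-Transport-Security` header a server sends, and a client-side store that remembers the policy and rewrites `http://` URLs for known hosts to `https://` until `max-age` expires. The host names, header values and the injected clock are constructed for illustration.

```python
"""Minimal model of HSTS client behaviour per RFC 6797 (added example)."""
import ipaddress
import re
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    expires_at: float  # absolute time after which the policy is forgotten


def parse_sts_header(value):
    """Parse an STS header value (RFC 6797 section 6.1).

    Directives are ';'-separated, names are case-insensitive, max-age is required
    and its value may be quoted, and no directive may appear twice. Returns
    (max_age, include_subdomains), or None if malformed (client must ignore it).
    """
    max_age, include_subdomains, seen = None, False, set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:
            return None  # duplicate directive invalidates the whole header
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives (e.g. preload) are ignored, as the RFC requires
    return None if max_age is None else (max_age, include_subdomains)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class HstsClient:
    """Toy 'known HSTS hosts' store; `now` is injectable for testing expiry."""

    def __init__(self, now=time.time):
        self.now = now
        self.known = {}  # host -> HstsPolicy

    def process_response(self, url, headers):
        """Record a policy. Section 8.1: only honoured when the response came
        over https and the host is a name, not an IP. Returns True if acted on."""
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme != "https" or host is None or _is_ip(host):
            return False
        value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
        if value is None:
            return False
        parsed = parse_sts_header(value)
        if parsed is None:
            return False
        max_age, inc = parsed
        if max_age == 0:
            self.known.pop(host, None)  # max-age=0 tells the client to forget the host
            return True
        self.known[host] = HstsPolicy(max_age, inc, self.now() + max_age)
        return True

    def is_known_hsts_host(self, host):
        """Exact match, or a superdomain match whose policy set includeSubDomains."""
        now, labels = self.now(), host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.known.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= now:
                del self.known[candidate]  # expired policy is dropped
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite_url(self, url):
        """Section 8.3: http -> https for known hosts; port 80 becomes 443
        (implicit), any other explicit port is kept. Unknown hosts pass through."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None \
                or not self.is_known_hsts_host(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc = f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The sslstrip scenario maps directly onto the store: once the client has seen the header over `https://example.com`, a later `http://example.com/login` link (for instance one injected by an attacker in the path) is rewritten to `https://` before any request leaves the machine, and the header is deliberately ignored when it arrives over plain HTTP, since an active attacker could otherwise forge it.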