blogng/blog/2019-04-08-notes-on-hsts.markdown
2019-08-06 17:36:45 +02:00

---
layout: post
title: Notes on HSTS
date: 2019-04-08
comments: true
tags: hsts, security, privacy
---

I was recently looking into enabling HSTS sitewide on a medium-sized site, and went through a reading spree of the specifications involved. These are my notes.

## What is HSTS

HTTP Strict Transport Security is a mechanism for a site to signal that it will only serve content over a secure transport (read: TLS) for its domains. It is defined in RFC 6797.

## Threats mitigated

  1. Passive network attackers

Threats from people sniffing your network passively, like someone else on the public coffee shop wifi you are currently using. The best attack I can think of is Firesheep. Firesheep is mitigated by never sending session tokens over a cleartext transport. HSTS helps browsers force the transport to be secure and fail if someone is trying to downgrade the connection to mount a Firesheep-style attack.

  2. Active network attackers

Threats from people inside the network, someone who has access to how you get on the internet (someone who got access to your ISP or the wifi router etc). An attack example is sslstrip. sslstrip fools the client into believing a secure transport does not exist for a particular domain, thus forcing it to send sensitive data over cleartext. HSTS will be able to detect this and prevent connecting to the site over cleartext.
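To make the two threat cases above concrete, here is an added example (not code from the original post) of a minimal user-agent-side HSTS policy store in Python, written against RFC 6797. It shows the behaviour that both mitigations rely on: a `Strict-Transport-Security` header received over a non-TLS connection is ignored (so an active attacker on the path cannot plant or clear a policy), and once a host is known, any plain `http://` URL for it is rewritten to `https://` before a request is sent, which is what an sslstrip-style downgrade runs into. The header name, directive names (`max-age`, `includeSubDomains`), the handling of unknown and duplicate directives, and the port rewrite rule come from RFC 6797; the class and function names and the injected clock are my own assumptions for the example.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Header name from RFC 6797; compared case-insensitively.
HEADER_NAME = "strict-transport-security"


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time (seconds) after which the policy lapses
    include_subdomains: bool


def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse an STS header value (RFC 6797 section 6.1).

    Returns (max_age_seconds, include_subdomains), or None when the header is
    invalid and must be ignored: missing max-age, duplicate directive, or a
    non-numeric max-age. Unknown directives (e.g. "preload") are skipped.
    """
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')          # values may be quoted strings
        if name in seen:
            return None                       # duplicates invalidate the header
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Hypothetical user-agent-side store of known HSTS hosts (example only)."""

    def __init__(self, now=time.time):
        self._policies: Dict[str, HstsPolicy] = {}
        self._now = now                       # injectable clock so expiry is testable

    def process_response(self, host: str, over_tls: bool, headers: Dict[str, str]) -> None:
        # RFC 6797 section 8.1: STS headers on a non-secure transport are ignored,
        # so an on-path attacker on cleartext cannot add, extend or clear a policy.
        if not over_tls:
            return
        value = next((v for k, v in headers.items() if k.lower() == HEADER_NAME), None)
        if value is None:
            return
        parsed = parse_sts_header(value)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self._policies.pop(host, None)    # max-age=0 tells the UA to forget the host
            return
        self._policies[host] = HstsPolicy(self._now() + max_age, include_subdomains)

    def is_known_host(self, host: str) -> bool:
        """True if host matches a live policy exactly or via includeSubDomains."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= now:
                del self._policies[candidate]   # expired: behave as if never set
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite_url(self, url: str) -> str:
        """RFC 6797 section 8.3: http -> https for known hosts; port 80 becomes the
        default https port, any other explicit port is kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_host(parts.hostname or ""):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    store = HstsStore()
    store.process_response("example.com", True,
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(store.rewrite_url("http://login.example.com/session"))
```

Two things worth noting: the cleartext check in `process_response` happens before any parsing, so a downgraded connection can never influence the store, and `is_known_host` walks up the label list so a policy with `includeSubDomains` on `example.com` covers `login.example.com` but a policy without it does not.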

  3. Deployment and management errors