Can you explain how to secure websites using the HSTS protocol? Are the Web application security benefits large enough, in your opinion, to justify our spending time and resources to build HSTS support into our e-commerce infrastructure?
In its early incarnation it was known simply as Strict Transport Security (STS), but HTTP Strict Transport Security (HSTS) is now an Internet Engineering Task Force (IETF) draft specification. HSTS defines a mechanism that lets a website declare itself accessible only over secure connections, such as Transport Layer Security (TLS), and instructs browsers never to load the site over HTTP but to automatically convert every attempt to access it into an HTTPS request instead.
It is an opt-in security enhancement that a Web application specifies through the Strict-Transport-Security HTTP response header field. Once a supporting browser receives this header from a website, it will refuse to send any communication to the specified domain over HTTP and will send all communications over HTTPS instead. If your website already has a digital certificate and supports HTTPS, HSTS is fairly straightforward to implement. For sites using Apache, for example, you just need to enable mod_headers and add the following line to your HTTPS vhost stanza:
# "always" also emits the header on non-2xx responses (redirects, errors); "set" avoids duplicate headers
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
The max-age value is how long, in seconds, a compliant browser should remember that the site is only to be accessed over HTTPS; in this example, roughly six months. (This expiry time is renewed each time the user visits the site.) The includeSubDomains directive is optional but, if present, applies the HSTS policy to all of the site's subdomains as well. Browsers only honour the header when it arrives over HTTPS, which is why it belongs in the HTTPS vhost and not the plain-HTTP one. Wikipedia has further examples of implementing HSTS on other servers.
Implementing HSTS can help protect users against some passive and active network attacks. The most important one it addresses is the SSL-stripping man-in-the-middle attack, in which the attacker transparently converts a secure HTTPS connection into a plain HTTP connection. Although the user can see that the connection is insecure, there is no way for them to know whether it should have been secure. A man-in-the-middle attacker cannot downgrade any request to a site while the user's browser has HSTS active for that site. HSTS also stops users from clicking through untrusted server certificate warnings, since the browser treats a certificate error for an HSTS host as fatal.
The main shortcoming of HSTS is that it cannot protect a user's very first visit: an attacker in the path can keep that visit on plain HTTP and strip out the HSTS header, so the browser never learns the policy. Also, once the expiry time specified by the header elapses, the next attempt to load the site via HTTP proceeds as normal instead of automatically using HTTPS, something most users will be completely unaware of. HSTS is not a perfect solution, but it certainly narrows the window of opportunity for attackers. PayPal is one of the big sites using it on its HTTPS-only website. An alternative is a permanent redirect (a 301 status code) from the HTTP site to the HTTPS site, but HSTS is better because the browser upgrades the request to HTTPS before it leaves the client, so no plain-HTTP request is ever sent for an attacker to intercept.
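As an added illustration of the browser-side behaviour described above (the header directives, renewal of the expiry on each visit, the first-visit gap and the expiry case), not code from the original answer or from any real browser, here is a small Python model of an HSTS policy cache; the host names and timestamps used with it are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit
# Illustrative model of the browser-side HSTS behaviour RFC 6797 describes (not real browser code).
def parse_hsts(header_value):
    """Return (max_age_seconds, include_subdomains), or None if the header is unusable."""
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')  # names are case-insensitive
        if name == "max-age":
            if not value.isdigit():
                return None  # max-age must be a non-negative integer
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)  # max-age is mandatory

class HstsCache:
    def __init__(self):
        self.policies = {}  # host -> (expires_at, include_subdomains)
    def observe_response(self, host, scheme, header_value, now=None):
        """Record the policy from a response; browsers only honour the header over HTTPS."""
        now = time.time() if now is None else now
        parsed = parse_hsts(header_value) if scheme == "https" else None
        if parsed is None:
            return False  # plain-HTTP delivery (the first-visit gap) or a malformed header
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.policies[host] = (now + max_age, include_sub)  # expiry renewed on every visit
        return True
    def should_upgrade(self, url, now=None):
        # Rewrite an http:// URL to https:// if an unexpired policy covers its host.
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_sub = policy
            if now >= expires_at:
                del self.policies[candidate]  # expired: the next plain-HTTP request goes out as-is
            elif i == 0 or include_sub:
                return urlunsplit(("https",) + parts[1:])
        return url
```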
This was first published in November 2011