What Is HSTS and How Does It Protect HTTPS From Hackers?

You may have made sure that your websites have SSL enabled, and the pretty security padlock in your browser is green. However, you may have forgotten about HTTP’s little security man, HTTP Strict Transport Security (HSTS).

What is HSTS, and how can it help keep your site secure?

What Is HTTPS?

HTTPS relies on HSTS


Hyper Text Transfer Protocol Secure (HTTPS) is the secured version of HTTP. The encryption is enabled using the Secure Sockets Layer (SSL) protocol and is validated with an SSL certificate. When you connect to an HTTPS website, the information transferred between the website and the user is encrypted.

This encryption helps protect you against data theft through man-in-the-middle (MITM) attacks. The added layer of security also slightly helps improve the reputation of your website. In fact, adding an SSL certificate is so easy that many web hosts will add it to your site by default, for free! That said, HTTPS still has some flaws that HSTS can help fix.

What Is HSTS?

HSTS is a response header that informs a browser that the website which sent it can only be accessed via HTTPS. This forces your browser to access only the HTTPS version of the website and of any resources on it.

You may not be aware that, even though you have set up your SSL certificate correctly and enabled HTTPS for your website, the HTTP version is still available. This is true even if you have set up forwarding using a 301 Permanent Redirect.

Although the HSTS policy has been around for a little while, it was only formally rolled out by Google in July 2016, which may be why you haven’t heard of it much yet.

Enabling HSTS will stop SSL protocol attacks and cookie hijacking, two additional vulnerabilities in SSL-enabled websites. In addition to making a website more secure, HSTS will make sites load quicker by removing a step from the loading procedure.

What Is SSL Stripping?

Although HTTPS is a huge improvement over HTTP, it’s not invulnerable to being hacked. SSL stripping is a very common MITM hack against websites that use redirection to send users from the HTTP to the HTTPS version of the site.


301 (permanent) and 302 (temporary) redirects basically work like this:

  1. A user types google.com in their browser’s address bar.
  2. The browser initially tries to load http://google.com as the default.
  3. “Google.com” is set up with a 301 permanent redirect to https://google.com.
  4. The browser sees the redirect and loads https://google.com instead.

With SSL stripping, the hacker can use the time between step 3 and step 4 to block the redirect request and stop the browser from loading the secure (HTTPS) version of the website. As you are then accessing an unencrypted version of the website, any data you enter can be stolen.
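To see why a cached HSTS policy closes that window, here is an added example (not code from the original article) modelling the browser-side HSTS cache: once a site has sent `Strict-Transport-Security: max-age=...` over HTTPS, the browser rewrites later `http://` navigations to `https://` itself, so the redirect that step 3 relies on is never requested. The cache, parser and host names are simplified, constructed stand-ins for real browser behaviour.

```python
# Added example (not from the original article): a simplified model of the
# browser-side HSTS cache that turns an http:// navigation into https:// before
# any request is sent. Hosts, times and header values are constructed samples.
import re
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(value, now):
    """Parse 'max-age=N[; includeSubDomains]' -> (expires_at, subs) or None."""
    max_age, subs = None, False
    for d in value.split(";"):
        d = d.strip()
        if m := re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d, re.IGNORECASE):
            max_age = int(m.group(1))
        elif d.lower() == "includesubdomains":
            subs = True
    return None if max_age is None else (now + max_age, subs)

class HstsCache:
    def __init__(self):
        self.hosts = {}                     # host -> (expires_at, include_subdomains)

    def learn(self, url, header, now):
        """Only a response received over HTTPS may set or clear a policy."""
        p = urlsplit(url)
        policy = parse_hsts(header, now)
        if p.scheme != "https" or policy is None:
            return                          # plain-HTTP or malformed header: ignored
        host = p.hostname.lower()
        if policy[0] <= now:                # max-age=0: the site asks to be forgotten
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = policy

    def is_hsts_host(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):        # exact host first, then each parent domain
            pol = self.hosts.get(".".join(labels[i:]))
            if pol and pol[0] > now and (i == 0 or pol[1]):
                return True
        return False

    def navigate(self, url, now):
        """Rewrite http:// to https:// for known hosts (port 80 becomes the default 443)."""
        p = urlsplit(url)
        if p.scheme == "http" and self.is_hsts_host(p.hostname, now):
            netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
            return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
        return url
```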

The hacker can also redirect you to a copy of the website you are trying to access and capture all of your data as you enter it, even if it looks secure.

Google has implemented steps in Chrome to stop some types of redirection. However, enabling HSTS should be something you do by default for all of your websites from now on.
