Securing HTTPS by using HTTP Strict Transport Security (HSTS)


A little while ago I was writing about configuring SSL/HTTPS to secure my own website. In the meantime, I read about some "interesting" experiments the Chinese government seems to be running with Github, which reminded me of the equally nasty shenanigans employed by otherwise respectable ISPs (40% government owned by the way) in Romania a couple of years ago.

I therefore realised there was still some work to do to configure things correctly, so I went on and enabled "HTTP Strict Transport Security" (HSTS). This is a rather recent IETF standard supported by Google and PayPal and implemented in only a few browsers at the moment, but the list is growing. What it does is make sure the connection to the website always starts encrypted, instead of the usual approach of first going through an unprotected HTTP request and an insecure redirect. Even if someone manually typed the HTTP URL, the browser would instead load the HTTPS one.

Adam Langley goes into more detail about HSTS and the advantages it brings on his own weblog. In a nutshell, enabling it for Apache is quite easy ("max-age" represents the time in seconds the browser will remember the setting):

<VirtualHost _default_:443>
...
# Enable HSTS (requires mod_headers; send it only from the HTTPS vhost,
# since browsers ignore the header on plain-HTTP responses)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
...
</VirtualHost>
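The behaviour described above (the browser remembering the header for max-age seconds, upgrading http:// URLs on its own, and extending that to subdomains when includeSubDomains is present) can be made concrete with a small client-side policy cache plus a parser for the header value. This is an added example written for this page, not code from the original post, from Apache or from any browser; the names parse_hsts, audit_hsts and HstsCache are my own, and the one-year threshold in the audit helper simply mirrors the max-age used in the config above.

```python
"""Toy HSTS policy cache and header checker (hypothetical example code)."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains), or None when the header is one a
    browser would ignore: missing max-age, non-numeric max-age, or a
    directive repeated twice. Unknown directives are skipped.
    """
    max_age, include_subdomains, seen = None, False, set()
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)


def audit_hsts(header):
    """Sanity-check a header before deploying it; returns a list of findings."""
    parsed = parse_hsts(header)
    if parsed is None:
        return ["malformed or missing max-age: browsers will ignore this header"]
    max_age, include_subdomains = parsed
    findings = []
    if max_age < 31536000:  # one year, the value used in the Apache config
        findings.append(f"max-age={max_age} is shorter than one year")
    if not include_subdomains:
        findings.append("includeSubDomains absent: subdomains stay unprotected")
    return findings


class HstsCache:
    """What a browser remembers: host -> (expiry time, include_subdomains)."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so expiry can be tested offline
        self.known = {}

    def observe(self, host, header, over_tls=True):
        """Record a policy. Only headers received over TLS count, because a
        plain-HTTP response could have been altered on the way."""
        if not over_tls:
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:  # max-age=0 means "forget this host"
            self.known.pop(host, None)
        else:
            self.known[host] = (self.clock() + max_age, include_subdomains)

    def _covered(self, host):
        """True if host, or a parent domain with includeSubDomains, has a
        live policy. Expired entries behave as if they were never seen."""
        now, labels = self.clock(), host.split(".")
        for i in range(len(labels)):
            entry = self.known.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry > now and (i == 0 or include_subdomains):
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser would actually fetch."""
        p = urlsplit(url)
        if p.scheme != "http" or not self._covered(p.hostname):
            return url
        netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
```

The cache only trusts headers seen over TLS and only upgrades the scheme; it never downgrades, and a max-age of zero is the documented way for a site to withdraw its policy. The audit helper is the check to run against your own response header before relying on it.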

While HSTS closes one particular hole, I've only just scratched the surface of HTTPS gotchas (perfect forward secrecy for example remains an issue), and the entire SSL/CA infrastructure is still vulnerable to attacks from malicious state-owned entities. In any case, a step forward is a step forward, and there is work under way to improve the overall system — it's a subject definitely worth keeping an eye on for every Internet user.
