Securing HTTPS by using HTTP Strict Transport Security (HSTS)


A little while ago I was writing about configuring SSL/HTTPS to secure my own website. In the meantime, I read about some “interesting” experiments the Chinese government seems to be running with Github, which reminded me of the equally nasty shenanigans employed by otherwise respectable ISPs (40% government owned by the way) in Romania a couple of years ago.

I therefore realised there was still some work to do to configure things correctly, so I went on and enabled “HTTP Strict Transport Security” (HSTS). This is a rather recent IETF standard (RFC 6797) supported by Google and PayPal and implemented in only a few browsers at the moment, but the list is growing. Once a browser has received the Strict-Transport-Security header from a site over HTTPS, it remembers that site for the stated period and rewrites any http:// URL for it to https:// internally, before a single plaintext request leaves the machine. This replaces the usual HTTP-to-HTTPS redirect, which an attacker on the path can intercept and keep on plain HTTP (the classic sslstrip attack). Even if someone manually typed the HTTP URL, the browser would instead load the HTTPS one. The one gap is the very first visit: until the header has been seen once, the browser has nothing to enforce, which is why Chrome also ships a built-in preload list of HSTS sites.

Adam Langley goes into more detail about HSTS and the advantages it brings on his own weblog. In a nutshell, enabling it for Apache is quite easy (“max-age” is the time in seconds the browser will remember the setting; one year here). Two things to watch: browsers ignore the header when it arrives over plain HTTP, so it belongs in the HTTPS virtual host only, and “includeSubDomains” extends the policy to every subdomain, so each of them must actually be reachable over HTTPS before you turn it on, or it will be unreachable in HSTS-aware browsers for the whole max-age period:

<VirtualHost _default_:443>
...
    # Enable HSTS (requires mod_headers). "always" also adds the header to
    # error and redirect responses; send it from the HTTPS vhost only.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
...
</VirtualHost>
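To make the browser side of this concrete, here is a small model of a browser's HSTS policy store, added as an illustration; it is not code from the original post, from Apache or from any real browser. It follows RFC 6797: the header is only honoured when it arrives over HTTPS, max-age=0 clears a stored policy, includeSubDomains matches subdomains but not the parent or sibling domains, an explicit port 80 becomes 443 while other ports are kept, and policies expire. The URLs, the header dictionary and the injectable clock are constructed for the example.

```python
"""Model of a browser's HSTS policy store (RFC 6797). Hypothetical, simplified
code written for this page; it shows the decisions a browser makes when it sees
Strict-Transport-Security, not any browser's real implementation."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires: float            # absolute time, seconds since the epoch
    include_subdomains: bool


def parse_sts_header(value):
    """Parse an STS value into (max_age, include_subdomains), or None if invalid
    (max-age missing, duplicated or non-numeric). Directive names are
    case-insensitive; unknown directives are ignored (RFC 6797 s6.1)."""
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """The list of 'known HSTS hosts' a browser keeps."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be exercised
        self._hosts = {}

    def note_response(self, url, headers):
        """Record the policy carried by a response; True if stored or cleared.
        Only responses received over HTTPS count (RFC 6797 s8.1): honouring the
        header on plain HTTP would let an on-path attacker plant policies. This
        model has no TLS, so the URL scheme stands in for 'secure transport'."""
        parts = urlsplit(url)
        sts = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or sts is None or parts.hostname is None:
            return False
        parsed = parse_sts_header(sts)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._hosts.pop(host, None)   # max-age=0 tells the browser to forget the host
        else:
            self._hosts[host] = HstsPolicy(self._clock() + max_age, include_subdomains)
        return True

    def is_known_host(self, host):
        """Exact match, or a superdomain whose policy carries includeSubDomains."""
        now = self._clock()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._hosts.get(".".join(labels[i:]))
            if policy is None or policy.expires <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite_url(self, url):
        """Upgrade http:// to https:// before any request is sent. An explicit
        port 80 becomes the implicit 443; other explicit ports are kept (s8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None or not self.is_known_host(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    # Constructed response: the header from the Apache snippet above, seen over HTTPS.
    store.note_response("https://example.com/",
                        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(store.rewrite_url("http://www.example.com/login"))   # https://www.example.com/login
```

The point of the model is the order of checks: the transport test in note_response comes before parsing, so a header injected into a plain-HTTP response never reaches the store, and the upgrade in rewrite_url happens on the client before any connection is made, which is what removes the insecure redirect from the picture.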

While HSTS closes one particular hole, I’ve only just scratched the surface of HTTPS gotchas (perfect forward secrecy for example remains an issue), and the entire SSL/CA infrastructure is still vulnerable to attacks from malicious state-owned entities. In any case, a step forward is a step forward, and there is work under way to improve the overall system — it’s a subject definitely worth keeping an eye on for every Internet user.

1 Comment

  1. Thank you for your blog article. Really thank you! Really Cool.
