Securing HTTPS by using HTTP Strict Transport Security (HSTS)

« Previous: Homo Ludens or How I Learned to Stop Worrying and Love the Game | Next: A New Beginning, try 2 »

A little while ago I was writing about configuring SSL/HTTPS to secure my own website. In the meantime, I read about some “interesting” experiments the Chinese government seems to be running with Github, which reminded me of the equally nasty shenanigans employed by otherwise respectable ISPs (40% government owned by the way) in Romania a couple of years ago.

I therefore realised there was still some work to do to configure things correctly, so I went on and enabled “HTTP Strict Transport Security” (HSTS). This is a rather recent IETF standard supported by Google and PayPal and implemented in only a few browsers at the moment, but the list is growing. What it does is make sure the connection to the website will always start encrypted, instead of the usual going through an unsafe redirect first. Even if someone manually typed the HTTP URL, the browser would instead load the HTTPS one.

Adam Langley goes into more detail about HSTS and the advantages it brings on his own weblog. In a nutshell, enabling it for Apache is quite easy (“max-age” represents the time in seconds the browser will remember the setting):

<Virtualhost _default_:443>
# Enable HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

While HSTS closes one particular hole, I’ve only just scratched the surface of HTTPS gotchas (perfect forward secrecy for example remains an issue), and the entire SSL/CA infrastructure is still vulnerable to attacks from malicious state-owned entities. In any case, a step forward is a step forward, and there is work under way to improve the overall system — it’s a subject definitely worth keeping an eye on for every Internet user.

1 Comment

  1. Thank you for your blog article.Really thank you! Really Cool.

Leave a Reply

Your email address will not be published. Required fields are marked *

About Me

Facebook Twitter LinkedIn RSS

Quote of the Moment

  • Christianity: An invisible and all-knowing friend of mine made our male ancestor out of dirt, and made our female ancestor out of his rib, but our ancestors were tempted by a snake which was actually an enemy of my invisible friend and they ate a forbidden apple, so now all of us go to burn forever after we die unless we believe that my friend’s son’s blood is on us and in us and that this son died and rose zombie-like from the dead and floated up to heaven and sent his ghost to live inside of us. He is coming soon! Biblical Errancy list