Think of being in a public location, such as a hotel or a park, where you get a chance to use free Wi-Fi. If an attacker is on the same network, they can use packet-sniffing tools to capture all of the traffic going over this unsecured, unencrypted network.
The attacker can capture all HTTP traffic if the website the client is browsing supports only HTTP. The attacker can also capture the packets if the site merely redirects from HTTP to HTTPS with a 301 permanent redirect, because the first request and the redirect response still travel in plaintext.
Even getting an SSL/TLS certificate for a website is not enough. HTTPS still has a gap that can be closed by HSTS, so it is the role of web developers and IT specialists to use HSTS on top of HTTPS rather than HTTPS alone. Using HSTS prevents SSL stripping man-in-the-middle attacks against your sites, which we will discuss later.
Before going to the topic, let's look at SSL stripping.
What is SSL Stripping?
SSL stripping is a man-in-the-middle attack.
Suppose you, as a client, make a request and, as most users do, skip the protocol part: you type www.xyz.com instead of https://www.xyz.com. The browser sends a plain HTTP request, and the web server answers with a 301 permanent redirect to the HTTPS version of the XYZ website (if HTTPS is enabled). The browser may cache that 301, so later visits typed as HTTP can go straight to HTTPS, but this is only a cache hint, not a security guarantee.
But the very first request is a GET over unencrypted HTTP to the web server. Since HTTP is unencrypted, a man in the middle (for example an attacker on the same LAN who uses ARP poisoning to route your traffic through their machine) can intercept it. The attacker opens the HTTPS connection to the real site themselves and serves the pages back to you over plain HTTP, with every https:// link rewritten to http://. You see a working copy of the site, just without the padlock, and when you enter your username and password they pass through the attacker in cleartext. So the first request is where the man in the middle strikes.
This type of attack is the SSL stripping attack, and HSTS was originally created to prevent exactly this first-request attack.
What is HSTS?
HSTS (HTTP Strict Transport Security, RFC 6797) is a mechanism that protects websites from protocol-downgrade attacks (TLS to plaintext) and cookie hijacking. It was invented to prevent the SSL stripping attack, which is a type of man-in-the-middle attack.
How does HSTS prevent the SSL stripping attack?
The browser (client side) and the web server (server side) both play a role in preventing SSL stripping.
From the browser perspective:
Every popular browser (Chrome, Firefox, Safari, Opera, IE 11 and Edge) ships with an HTTP Strict Transport Security (HSTS) preload list that includes the most popular websites such as Google, YouTube, Facebook and many more. So even if you request google.com for the first time, with either the http or the https scheme, the browser rewrites the request to the HTTPS version of google.com before anything is sent on the wire. What is actually happening is this: the browser's preload list contains the domains for which the browser forces HTTPS, so even the first-request attack is prevented, and the connection to the site is encrypted from the very first packet.
The only weakness is that the updated list ships with new browser versions, which makes the update process slow: when you have recently added your domain, there is no assurance that your website is already preloaded in the browsers your users run.
From the webserver perspective:
From the server side, a website must support HTTPS and must send the Strict-Transport-Security header, so that when anyone requests your website or web app, the browser learns that the site uses HSTS.
A simple HSTS header is just the Strict-Transport-Security header name carrying a max-age directive, for example max-age=15768000.
The max-age value is in seconds. Note that 15768000 seconds is six months (182.5 days), not one year; a full year is 31536000 seconds, which is also the minimum the preload list requires.
Note that the browser must receive this header over HTTPS at least once before it enforces HSTS for your site: this is trust on first use, and it is separate from the preload list, which requires the submission described below.
Browsers supporting HSTS

| Browser | Supported versions |
| --- | --- |
| Internet Explorer | 11 and greater |
| Edge | 12 and greater |
| Firefox | 4 and greater |
| Google Chrome | 4 and greater |
| Safari | 7 and greater |
| Opera | 12.1 and greater |
| iOS Safari | 7 and greater |
| Opera Mini | Does not support |
| Android Browser | 4.4 and greater |
| Chrome for Android | 80 and greater |
| Samsung Internet | 4 and greater |
| Baidu Browser | 7.2 and greater |
| KaiOS Browser | 2.5 and greater |
How to run an HSTS test for a website
- Visit https://gf.dev/hsts-test
- Type the name of the site you want to test
- Then read the report it generates.
Alternatively, check https://hstspreload.org to see whether your site is on the preload list.
Who maintains and runs the HSTS preload service?
Google runs and maintains the HSTS preload program (hstspreload.org). By following the guidelines, adding the HSTS header to your website and being accepted onto the list, you ensure that the browser never uses an unsecured HTTP connection to your domain, not even on the first visit. Although Google hosts the service, all browsers supporting HSTS can use the preload list provided by Google.
How to submit a site to the HSTS preload list
First, ensure that you meet all of the preload submission criteria before submitting your website to the list:
- Serve a valid TLS certificate.
- Redirect all HTTP requests to HTTPS on the same host.
- Serve all subdomains over HTTPS as well, since the preload entry covers the whole domain.
- Include the Strict-Transport-Security header on the base domain.
- Use a max-age of 1 year (31536000 seconds) or more in the header, together with the includeSubDomains and preload directives.
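As an added example (not code from the original article), here is a small Python model of the two server-and-browser pieces described above: the browser-side store of known HSTS hosts that the Strict-Transport-Security header populates (trust on first use, max-age expiry, includeSubDomains, max-age=0 to forget a host, and the rule that the header is ignored when it arrives over plain HTTP), and a check of a header value against the preload submission criteria listed above. The behaviour follows RFC 6797 and the hstspreload.org rules; the host names (xyz.com from the article, google.com as a preloaded entry) and the sample header values are constructed for the demonstration.

```python
"""Toy model of an HSTS-enforcing browser plus a preload-eligibility check.

Added example for this article, not part of it. It follows the client
behaviour in RFC 6797 and the submission rules published at hstspreload.org;
the host names and header values below are constructed for the demonstration.
"""
from __future__ import annotations

import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31_536_000  # seconds; the minimum max-age the preload list accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy | None:
    """Parse a Strict-Transport-Security value. None if max-age is missing or invalid."""
    max_age = None
    include_subdomains = preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)


class HstsCache:
    """The 'known HSTS hosts' store a browser keeps, seeded with a preload list."""

    def __init__(self, preload=(), now=time.time):
        self.now = now
        # host -> (expiry timestamp, include_subdomains); preloaded hosts never expire
        self.hosts = {h: (float("inf"), True) for h in preload}

    def observe(self, host: str, header: str, over_tls: bool) -> None:
        """Record the policy carried by a response; ignored on plain HTTP (RFC 6797 s. 8.1)."""
        if not over_tls:
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy.max_age == 0:  # max-age=0 tells the client to forget the host
            self.hosts.pop(host, None)
            return
        self.hosts[host] = (self.now() + policy.max_age, policy.include_subdomains)

    def is_known(self, host: str) -> bool:
        for known, (expiry, subs) in self.hosts.items():
            if expiry < self.now():
                continue  # expired entry: treated as absent
            if host == known or (subs and host.endswith("." + known)):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Return the URL the browser actually fetches: http:// to a known host is upgraded locally."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.netloc[:-3] + ":443" if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def preload_problems(header: str) -> list[str]:
    """Reasons the preload submission form would reject this header (empty list = eligible)."""
    policy = parse_hsts(header)
    if policy is None:
        return ["no valid max-age directive"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


def first_visit_demo() -> tuple[str, ...]:
    """The first-request scenario from the article: xyz.com unknown, google.com preloaded."""
    cache = HstsCache(preload=["google.com"])
    a = cache.rewrite("http://www.google.com/")   # preloaded: upgraded before any packet leaves
    b = cache.rewrite("http://www.xyz.com/")      # unknown: goes out in plaintext (sslstrip's window)
    cache.observe("xyz.com", "max-age=15768000", over_tls=False)  # injected on plain HTTP: ignored
    c = cache.rewrite("http://www.xyz.com/")
    cache.observe("xyz.com", "max-age=15768000; includeSubDomains", over_tls=True)  # real HTTPS reply
    d = cache.rewrite("http://www.xyz.com/login")  # now upgraded locally via includeSubDomains
    e = cache.rewrite("http://api.xyz.com:80/v1")  # explicit port 80 becomes 443 (RFC 6797 s. 8.3)
    return a, b, c, d, e


if __name__ == "__main__":
    print(first_visit_demo())
    print(preload_problems("max-age=15768000"))
```

Run it and compare the two xyz.com lookups before and after the HTTPS response: the upgrade only happens once the header has been seen over TLS, which is exactly the first-request window the preload list closes. Feeding your own header value to preload_problems shows why the six-month max-age from the example above is not enough for submission.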
Do I need to implement HSTS on my website?