Posts Tagged ‘HTTPS Strict Transport Security’

HTTPS Strict Transport Security Officially a Standard

Saturday, November 24th, 2012

HTTPS Strict Transport Security, or HSTS, has graduated from “draft” status and is now an official standard: RFC 6797.


HTTPS Strict Transport Security (HSTS) is a proposed mechanism for websites to communicate to the browser that all embedded content, such as images and Ajax requests, on an https-encrypted webpage should be accessed via https as well. The browser, in turn, should take note of this request and should ensure, changing them if necessary, that all connections to the website are via https.

Overview:

  1. The browser navigates to an HSTS website via HTTPS.
  2. The HSTS website responds with the requested content. Its HTTP response carries a “Strict-Transport-Security” HTTP header, which indicates to the browser that it is an HSTS website and also specifies, via the “max-age” attribute, the duration for which this header is valid. The maximum value for “max-age” is 778000 sec = 90 days.
  3. The browser takes note and remembers this website as HSTS. During the valid duration, the browser checks that all HTTP connections to the website are via HTTPS and modifies them if necessary, i.e. changes “http://abc.com/myimage.png” to “https://abc.com/myimage.png”. In addition, if there are any errors in accessing the content via HTTPS, such as an invalid SSL certificate, the request fails.

Note that HTTPS Strict Transport Security was designed as a second line of defense against human (programming) errors, mitigating the risk of passive attacks (packet sniffing) by ensuring that all sensitive data, such as cookies, is transmitted over secured channels. HSTS is not designed to protect against active hackers; you’ll still need your standard security tools – firewalls, anti-virus – for that.

Browsers that support HSTS include Google Chrome and Firefox. The NoScript Firefox extension also enforces HSTS for (older versions of) Firefox.

An example of a website that supports HSTS is Paypal:

Chrome Enforces HTTPS Encryption for Gmail

Friday, June 17th, 2011

The Google Chrome (Chromium) team has announced new security features for version 13, including one that enforces https encryption when you access Gmail, even if you haven’t yet enabled the “Always use https” option for your Gmail. This works via the HTTPS Strict Transport Security (HSTS) mechanism, which allows a web server to indicate that it should be accessed via HTTPS on subsequent visits by embedding a “Strict-Transport-Security” HTTP header in its response, and was designed to deter SSL-stripping attacks.

However, under normal circumstances the user first has to navigate to the https version of the website to kick-start the HSTS mechanism (i.e. receive the “Strict-Transport-Security” header), which gives attackers a small window of opportunity, such as during a fresh installation. Chrome’s approach has been to hardcode a list of websites, including Gmail, for which HSTS is always turned on.

Chrome browser source code: http://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security_state.cc?view=markup

Highlighted: mail.google.com is hardcoded into the list
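The overview steps from the first post above (learn the header over HTTPS, remember the host for max-age seconds, rewrite http:// to https://) together with the preloaded-host approach described in this post, as an added Python model that is not code from the page or from Chromium. The PRELOADED_HOSTS set and HstsCache class are constructed for illustration; the rule that the header is ignored when received over plain HTTP comes from RFC 6797, not from the page.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for Chrome's hardcoded list; only mail.google.com is named on the page.
PRELOADED_HOSTS = {"mail.google.com"}

# max-age directive; the value may be quoted, and directive names are case-insensitive.
_MAX_AGE_RE = re.compile(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


class HstsCache:
    """Minimal model of a browser's HSTS state: learned hosts plus a preload list."""

    def __init__(self, preloaded=PRELOADED_HOSTS, now=time.time):
        self._now = now                  # injectable clock so expiry can be tested
        self._expiry = {}                # host -> absolute time the policy expires
        self._preloaded = set(preloaded)

    def observe_response(self, url, headers):
        """Step 2: learn the policy from a response, only if it arrived over HTTPS.
        RFC 6797 requires the header to be ignored when received over plain HTTP."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return False
        m = _MAX_AGE_RE.search(value)
        if not m:
            return False                 # no max-age: the header is invalid and ignored
        max_age = int(m.group(1))
        if max_age == 0:
            self._expiry.pop(parts.hostname, None)   # max-age=0 forgets the host
        else:
            self._expiry[parts.hostname] = self._now() + max_age
        return True

    def is_hsts_host(self, host):
        if host in self._preloaded:
            return True                  # preloaded hosts never need a first visit
        exp = self._expiry.get(host)
        if exp is not None and exp > self._now():
            return True
        self._expiry.pop(host, None)     # drop an expired entry
        return False

    def rewrite(self, url):
        """Step 3: upgrade http:// to https:// for known HSTS hosts; leave others alone."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_hsts_host(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```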

Writeup On HTTPS Strict Transport Security

Sunday, December 5th, 2010

I’ve written a short write-up on HTTPS Strict Transport Security (HSTS); please check it out if you’re interested :)

HTTPS Strict Transport Security (HSTS) is a proposed mechanism for websites to communicate to the browser that all embedded content, such as images and Ajax requests, on an https-encrypted webpage should be accessed via https as well. The browser, in turn, should take note of this request and should ensure, changing them if necessary, that all connections to the website are via https.