What is HSTS and do I want to enable it?
If you are a website owner or admin, keep reading to know more!
Imagine you are browsing to your online banking page. You are redirected to HTTPS automatically every time, you sign in and do your business privately and all is good. Now imagine someone bad wants to steal your username and password. Usually that would be performed by a MITM (Man In The Middle) Attack, but it’s not so simple because the connection is encrypted and a MITM Attack would cause a browser warning about an invalid certificate, you might think.
But in reality, there is something called a protocol downgrade attack. It is a kind of MITM attack that causes your browser to think the website you are trying to access cannot do HTTPS and should use HTTP instead. That way, your browser will simply use HTTP instead of HTTPS and your attacker can read all the data during transport, and there won’t be a warning in your browser. If you don’t pay attention to the missing “green lock”, you wouldn’t even know anything is different from the usual.
But how to prevent this?
This is where HTTP Strict Transport Security or HSTS for short comes into play. It is a method for the web server to let your browser (on first successful HTTPS connection) know that the site should only be connected to through HTTPS and not through HTTP. It is kind of a security cookie if you will. That way, if you want to access the site again in the future and someone tries to perform a protocol downgrade attack, it won’t work because your browser remembers it should only use HTTPS.
But there is a catch. Because it is kind of like a cookie, it also has an expiry date like a cookie. Sure, you can set the HSTS to be valid for a year if you want, but you know NTP? Yes, the old unencrypted Network Timing Protocol? You could in theory do a MITM attack on NTP to send your victim’s machine into the future, where the HSTS “cookie” won’t be valid any more and thus perform a protocol downgrade attack. :)
While this is a theoretical attack, it is plausible that someone with enough motivation would perform such an attack. But having HSTS is still better than not having any protection at all, in my opinion.
Also, some browsers like Google Chrome and Mozilla Firefox come preloaded with a list of HSTS enabled sites, to avoid ever connecting to them through HTTP. But as you might imagine, it cannot cover every site on the web.
How can I protect myself as a user?
There is a browser extension called HTTPS Everywhere by eff.org, which also includes a list of sites that support HTTPS and redirect your browser to the HTTPS version before even connecting to the server. But it also cannot cover every site on the web, of course. There is a plus though, as the extension allows you to completely block HTTP altogether. I use the extension myself.
I hope this article was interesting and easy to read and understand. :)