HTTP Strict Transport Security

For convenience most secure websites are reachable over both HTTP and HTTPS: a request to the HTTP site is simply redirected to the HTTPS site. Convenient as it is, this method poses a considerable security risk, because an attacker can easily mount a 'man in the middle attack' against that initial plaintext HTTP request.

The HSTS specification was recently published to offer better protection. It adds an extra HTTP header to the HTTPS response.

<VirtualHost support.avisi.nl:443>
# Use HTTP Strict Transport Security to force client to use secure connections only
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

# Further Configuration goes here
[...]
</VirtualHost>

The extra header in the example above tells the browser to always use HTTPS for the site 'support.avisi.nl'. Even if the user navigates to http://support.avisi.nl, the browser rewrites the address to https://support.avisi.nl on the client side before any request is sent. No server-side redirect is needed, so the 'man in the middle attack' on the plaintext request is no longer possible.

So does this specification render the 'man in the middle attack' useless? Well, not entirely: the very first request to the site still depends on the server-side redirect, since the browser has not yet seen the header. From then on the browser will only talk to the site over HTTPS. Also, the specification is quite recent, so it only works in the most recent browsers...
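To make the client-side behaviour concrete, here is an added example (not code from the original post or from Avisi) that models how a browser handles the Strict-Transport-Security header: it parses the header value, remembers the host until max-age expires, and rewrites http:// URLs for that host (and for subdomains when includeSubDomains is present). A URL for a host the store has never seen is left untouched, which is exactly the "first request" gap described above. The HstsStore class and its method names are this example's own invention.

```python
# Added example: a minimal model of a browser's HSTS host store.
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Return (max_age, include_subdomains) from an HSTS header value."""
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub


class HstsStore:
    """Known hosts: host -> (expires_at, include_subdomains)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock, so expiry can be tested
        self.hosts = {}

    def remember(self, host, header_value):
        """Record the policy carried by an HTTPS response for `host`."""
        max_age, include_sub = parse_hsts(header_value)
        if max_age == 0:        # max-age=0 tells the client to forget the host
            self.hosts.pop(host.lower(), None)
            return
        self.hosts[host.lower()] = (self.now() + max_age, include_sub)

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= self.now():
                continue        # unknown or expired
            if i == 0 or entry[1]:
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// for known hosts, as the browser does."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url              # first visit: nothing known yet, no upgrade
```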

Help us keep the internet a safe place, use recent web browsers and implement the HSTS specification for your secure websites!


References: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security