HSTS – The best way to defend SSL Stripping

Anitta Jose

  • 4 min read

What is HSTS?

HSTS is a web security policy by which a website informs browsers that it should never be loaded over HTTP, only over HTTPS. This feature protects HTTPS web servers against downgrade attacks (also known as SSL stripping attacks).

SSL Stripping

Now you may be wondering what SSL Stripping is. In simple words, SSL Strip strips https:// URLs and turns them into http:// URLs.

How SSL Stripping occurs: An example

Suppose that a person ‘A’ logs into a free WiFi access point at an airport and starts surfing the web. Meanwhile he visits his online banking service to check the balance or to pay a bill. Unfortunately, the access point he is using is actually a hacker’s laptop (B).

Suppose A enters the URL www.bank.com/online_banking and waits for the response from the server (C). His browser (A) is connected to the attacker’s machine (B), so the attacker forwards his request and waits for the response from the bank server. The connection between B and C is secure, which means that all the traffic transferred between them (B & C) goes through the SSL tunnel.

The server responds to this request with the login page, which has the following URL: https://www.bank.com/online_banking.

At this stage, the attacker has access to the login page. Next, attacker B modifies the response from the server from https to http and sends it to the victim (A); that is, the URL http://www.bank.com/online_banking is sent to victim A.

At this point, the victim reaches the internet banking login page over an unsecured connection with the attacker. From this point onwards, all the victim’s requests go out in plain text and the attacker can collect his login credentials and data.

The server thinks it has successfully established the connection, but the connection is actually established between the attacker and the server (i.e., between B & C), while the victim (A) also thinks that it is a legitimate connection.

The main problem with SSL stripping is that the browser won’t display any SSL certificate errors, so the victim has no clue that such an attack is going on.

This attack is also known as an HTTP downgrade attack, where the connection established by the victim’s browser is downgraded from HTTPS to HTTP.

Proposed Solutions

1. Enable HSTS (HTTP Strict Transport Security)

2. Install the HTTPS Everywhere plugin in the web browser. It attempts to make all HTTP requests over TLS first and falls back to regular HTTP only if that fails.

Why was HSTS created?

When we try to access a site, it initially loads the HTTP page and is then redirected to the HTTPS page; the user is actually communicating with the non-encrypted version of the site before the redirect happens. This opens the way for a man-in-the-middle attack, where the redirect can be used to send the user to a malicious site instead of the secure version of the requested site.

A man-in-the-middle attack is one in which the attacker alters the communication between two parties who believe they are communicating directly with each other. The SSL stripping attack is an example.

Once the attacker has successfully redirected a user, user data, including cookies, can be compromised. Unfortunately, this attack is outside the scope of SSL itself. This is why HSTS was created.

How to configure HSTS for your domain?

In order to configure HSTS, add the following line to the .htaccess file that contains the redirect rule (redirect HTTP to HTTPS). The header is set with Apache’s mod_headers Header directive; browsers only honour it when it arrives over an HTTPS connection, so it takes effect from the first successful HTTPS visit onwards:

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"

The configurable parameters for HSTS are as follows:

Parameter                  Purpose
Strict-Transport-Security  The response header that enables HSTS
max-age                    A “time to live” field for the HSTS header, in seconds. A value of “0” disables HSTS.
includeSubDomains          Apply the HSTS policy to subdomains as well
preload                    Signals that the site may be included in browsers’ built-in HSTS preload lists

Here, the max-age value is in seconds. Once a web browser has visited the site and received the header, it will remember that the site should only be accessed over HTTPS for the duration of the max-age value. It is recommended that max-age be 6 months or more (the 15552000 seconds used above is 180 days).
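As an added example (not part of the original post), the following Python models the browser side of what the article describes: it parses the header configured above and keeps the per-host cache a browser uses to rewrite later http:// requests to https://, including the max-age expiry, the max-age=0 reset, and the includeSubDomains scope. Hostnames and timestamps are constructed sample data.

```python
"""Parse a Strict-Transport-Security header and simulate a browser's HSTS cache."""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

SIX_MONTHS = 6 * 30 * 24 * 3600  # the article's recommended minimum max-age (15552000 s)

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(value: str) -> HstsPolicy:
    """Split the header value into directives; max-age is the only mandatory one."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        raise ValueError("HSTS header requires a numeric max-age")
    return HstsPolicy(int(directives["max-age"]),
                      "includesubdomains" in directives, "preload" in directives)

class HstsStore:
    """Per-host policy cache like the one a browser keeps (in memory only here)."""
    def __init__(self):
        self._known = {}  # host -> (expiry timestamp, include_subdomains)

    def receive(self, host, header, now):
        """Record the policy from a response that arrived over HTTPS from `host`."""
        policy = parse_hsts(header)
        if policy.max_age == 0:  # max-age=0 tells the browser to forget the host
            self._known.pop(host, None)
        else:
            self._known[host] = (now + policy.max_age, policy.include_subdomains)

    def rewrite(self, url, now):
        """Return the URL the browser will actually request for a typed http:// URL."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        host = parts.hostname or ""
        for known, (expires, subs) in self._known.items():
            covered = host == known or (subs and host.endswith("." + known))
            if covered and now < expires:
                return urlunsplit(("https",) + parts[1:])
        return url  # no policy cached yet: this is the window SSL stripping abuses
```

The first request, before any header has been seen, is left on http://, which is exactly why the article recommends a long max-age and the preload directive.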

Posts by Anitta Jose

Anitta has been a systems engineer since 2015 and has broad experience in Linux, WordPress, and cPanel systems administration. Her interest lies mainly in cloud technologies (AWS). Since 2016, she has written blogs to share her experiences with a wider audience.