
HTTPS is not enough — Enable this protocol to secure communication

Using the HTTPS protocol is considered best practice for securing communication over a network. But is this really effective? Turns out the answer is NO!

Why is HTTPS alone ineffective?

HTTPS protocol was originally created to serve the following purposes:

  • The bidirectional encryption of communications
  • Protect against man-in-the-middle attacks
  • Prevent eavesdropping and tampering of the communication

Unfortunately, although the protocol itself was sound, a man-in-the-middle attack was still possible through SSL stripping. In SSL stripping, an attacker forces the browser to connect to a website over plain HTTP so that the communication can be intercepted and modified.

As you must have guessed, the problem doesn’t lie with the HTTPS protocol but with the way it is configured, allowing websites to accept HTTP connections too.

HSTS to the rescue 🎉

HTTP Strict Transport Security (HSTS) is a mechanism that allows web servers to declare that web browsers should automatically interact with them using only HTTPS connections.

How does it work?

When you enter a URL in the web browser, you usually skip the protocol part. For example, when you type www.secopsolution.com, the browser assumes that you want to use the HTTP protocol, so it makes an HTTP request to www.secopsolution.com.
At this stage, the web server replies with a redirect (301 response code) that points to the HTTPS site. The browser then makes an HTTPS connection to www.secopsolution.com. This is when the HSTS security policy protection begins, using an HTTPS response header:

Strict-Transport-Security: max-age=31536000

The Strict-Transport-Security header (we’ll talk about configuring this header in the next article) gives instructions to the browser to connect using HTTPS only for the duration of one year (31536000 seconds).

It serves two purposes:

  • HTTP connections are not allowed at all. If the browser receives a request to load a resource using HTTP, it must try an HTTPS request instead.
  • If HTTPS is not available, the connection must be terminated. If the certificate is not valid, you will be prevented from making a connection.

Is HSTS the ultimate security protocol?

Nooo! Welcome to the world of security, where nothing is 100% secure (winks at Blockchain!).

The first time you access the website over HTTP, you are not protected by HSTS, because the browser waits for the initial redirect response and only then accepts the HSTS header from the web server.

You should also know that the HSTS max-age is refreshed every time your browser reads the header, and the maximum value is only two years.
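To make the browser-side rules above concrete, here is an added example (not code from this article or from SecOps Solution): a small Python model of a browser's HSTS cache. It shows that a Strict-Transport-Security header is only honoured on an HTTPS response, that the very first http:// visit is therefore not upgraded, that every read of the header refreshes the expiry, and (per RFC 6797, an assumption beyond this article) that max-age=0 makes the browser forget the host. The hostnames and header values are constructed sample input; this is a simplified model, not real browser code.

```python
"""Constructed, simplified model of a browser's HSTS cache (assumption:
follows RFC 6797 semantics for max-age; not a real browser implementation)."""
import time
from urllib.parse import urlsplit


def parse_max_age(header_value):
    """Extract max-age (seconds) from a Strict-Transport-Security value.
    Directive names are case-insensitive; other directives are ignored here."""
    for directive in header_value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None


class HstsCache:
    """Maps hostname -> expiry timestamp, as a browser's HSTS store does."""

    def __init__(self):
        self._expires = {}

    def observe_response(self, url, headers, now=None):
        """Record the HSTS policy carried by a response. Only HTTPS responses
        count: a header received over plain HTTP is ignored by browsers, which
        is why the first http:// visit (before the redirect) is unprotected."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        max_age = parse_max_age(value)
        if max_age is None:
            return False
        if max_age == 0:
            self._expires.pop(parts.hostname, None)  # max-age=0: forget the host
        else:
            self._expires[parts.hostname] = now + max_age  # refreshed on every read
        return True

    def should_upgrade(self, url, now=None):
        """True when a navigation to http://host must be rewritten to https://."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "http":
            return False
        expiry = self._expires.get(parts.hostname)
        return expiry is not None and now < expiry
```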

But there is a way to overcome these hurdles. In the next article, we talk about how to configure HSTS for your website and a workaround for the above issues.

SecOps Solution

Identifying top 1% Vulnerabilities in enterprise tech stack