Using an HTTPS protocol is considered to be the best practice to secure communication over a network. But is this really effective? Turns out the answer is NO!
Why is HTTPS alone ineffective?
HTTPS protocol was originally created to serve the following purposes:
- The bidirectional encryption of communications
- Protect against man-in-the-middle attacks
- Prevent eavesdropping and tampering of the communication
Unfortunately, the protocol was sound but a man-in-the-middle attack was possible by SSL stripping. In SSL stripping, an attacker forces the browser to connect to a website using HTTP to modify and intercept the communication.
As you must have guessed, the problem doesn’t lie with the HTTPS protocol but the way it is configured, allowing the websites to accept HTTP connections too.
HSTS to the rescue 🎉
HTTP Strict Transport Security (HSTS) is a mechanism that allows web servers to declare that web browsers should automatically interact with it using only HTTPS connections
How does it work?
When you enter a URL in the web browser, you skip the protocol part. For example, when you type www.secopsolution.com in such a case, the browser assumes that you want to use the HTTP protocol so it makes an HTTP request to www.secopsolution.com.
At this stage, the webserver replies with a redirect (301 response code) that points to the HTTPS site. The browser makes an HTTPS connection to www.secopsolution.com. This is when the HSTS security policy protection begins using an HTTPS response header:
The Strict-Transport-Security header (we’ll talk about configuring this header in the next article) gives instructions to the browser to connect using HTTPS only for the duration of one year (31536000 seconds).
It serves two purposes :
- HTTP connections are not allowed at all. If the browser receives a request to load a resource using HTTP, it must try an HTTPS request instead.
- If HTTPS is not available, the connection must be terminated. If the certificate is not valid, you will be prevented from making a connection.
Is HSTS the ultimate security protocol?
Nooo! Welcome to the world of security, nothing is 100% secured (winks at Blockchain!).
The first time that you access the website on an HTTP protocol, you are not protected by HSTS because the browser waits for the initial redirect response and only then accepts the HSTS header from the webserver.
You should also know that the HSTS max-age is refreshed every time your browser reads the header and the maximum value is two years only.
But there is a way to overcome these hurdles. In the next article, we talk about how to configure HSTS for your website and workaround for the above issues.