Secure Your Site with HSTS

I'm pretty sure by now that almost everyone has heard of the NSA saga; I even heard my non-techie friends tell me how 'bad things have become on the internet' after the NSA story broke.

Considering how powerful the NSA is, they can pretty much mess around with you as they please, or can they?

We don't have to make things easier for them or for cybercriminals. The Snowden leaks have helped make the internet a 'safer' place than it was before, with various tech giants starting to introduce security by default (think HTTPS, for example).

Before going further, let's just take a moment to ridicule all those people who still use HTTP on their 'e-commerce' sites (if there are any – insert ridicule here ###@&&!!).

Also, those who implement HTTPS in an insecure manner (if there are any – insert another ridicule here ###@&&!!). This also includes those who assume they are safe because they post/load the login page over HTTPS while the rest of the site is served over HTTP.

One of the security guys I look up to, Troy Hunt, has some wonderful posts to help you sort out this mess.

Most sites (for example, online banking sites) redirect users to HTTPS even when the user typed an HTTP address into the browser to connect to the service.

This is a great thing that these companies are doing by including security and privacy by default, as many users wouldn't know the difference.

But, using some hacker tools, the Transport Layer Security can be stripped, leaving the user on HTTP instead of HTTPS, vulnerable and exposed.

This can be a bad thing for users and companies involved (think banks, e-commerce sites or even good ol' social networking sites).

These tools essentially perform a man-in-the-middle attack; this means, as the name implies, that the attackers become the 'middlemen' between you and the service you are trying to connect to, since you first tried to connect to the service using HTTP and your browser was issued a redirect to HTTPS.

So, since that part of the communication is via HTTP, these hacker tools can intercept it.

What is the solution to this?

HSTS (HTTP Strict Transport Security).

HSTS is a specification that essentially lets a web site or server tell a user's browser to communicate with it ONLY via HTTPS.

Not all browsers are compatible with HSTS yet, though; here is a list of those that are:

HSTS Compatible Browsers

For any tech start-up enthusiast or tech founders out there, this specification is worthwhile to check out.

Remember that the brand of your company or product isn't just about what you sell or what you say, but also about how well you look after your users (I'm talking here from a security and privacy standpoint).

A bad company reputation may result if users are compromised while trying to access your service (it may not be your fault, but they will surely think it is, as they won't even know they have been victims of man-in-the-middle attacks).

So, how do you implement HSTS?

Well, I could try to explain it to you myself, but I will instead direct you to one of the best and clearest blog posts about implementing HSTS, by Scott Helme.
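As an added example (not part of this post, nor code from Scott Helme's guide), here is a small Python helper covering both the explanation above and the implementation question: it builds the Strict-Transport-Security header a server sends, parses the policy the way a browser reads it, and flags the common mistakes (missing or zero max-age, short max-age, no includeSubDomains, header sent over plain HTTP, where browsers ignore it). The one-year threshold and the plain header dictionary are assumptions for the example.

```python
# Assumed threshold for this check: one year is the commonly recommended minimum max-age.
ONE_YEAR = 31_536_000


def build_hsts_header(max_age=ONE_YEAR, include_subdomains=True, preload=False):
    """Build the Strict-Transport-Security header value a server should send over HTTPS."""
    parts = [f"max-age={int(max_age)}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts(value):
    """Parse an HSTS header value into its directives (names are case-insensitive)."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def assess_hsts(scheme, headers):
    """Return a list of findings for a response; an empty list means the policy looks sound."""
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header"]
    findings = []
    if scheme != "https":
        findings.append("HSTS is ignored by browsers unless sent over HTTPS")
    parsed = parse_hsts(hsts)
    if parsed["max_age"] is None:
        findings.append("max-age directive missing or invalid (policy is ignored)")
    elif parsed["max_age"] == 0:
        findings.append("max-age=0 removes the policy instead of enforcing it")
    elif parsed["max_age"] < ONE_YEAR:
        findings.append(f"max-age {parsed['max_age']} is shorter than one year")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains not set; subdomains stay exposed to stripping")
    return findings
```

Note that even a correct header only protects visits after the browser has seen it once over HTTPS; the very first plain-HTTP visit is what the preload directive and browser preload lists are for.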

Have fun!

Cover Image Credit: Aaron Patterson
