Recent news stories report that Google has enabled HSTS on its Google.com domain. HSTS has been in use on a number of Google's services for some time, but the main domain is shared by all of the various services Google provides, and that complexity has made the deployment of HSTS there quite slow.
HTTP Strict Transport Security
HSTS stands for HTTP Strict Transport Security. A website uses it to tell a visitor’s web browser that the site must only be reached over HTTPS. The browser will then refuse to connect using plain HTTP, and will also refuse to connect if there is any mismatch with the server’s SSL certificate, rather than offering the user a way to click through the warning. A certificate mismatch of this kind is exactly what a Man-In-The-Middle attack tends to produce.
How Does It Work?
The web server (that the browser connects to) returns a header in each page it serves over HTTPS; browsers deliberately ignore this header on plain HTTP responses, since anyone in the network path could inject it there. The header states that HSTS is in use and for how long the browser should refuse anything that is not HTTPS. Until that time runs out, the browser converts every URL for that domain to HTTPS before connecting, and insists that the server’s certificate is trusted before displaying any page. The important step here is that it is the browser that makes the connection use HTTPS. Without HSTS, if the user simply typed “google.com” into the address bar, the browser would connect first over HTTP; the server may respond with a redirect to HTTPS, but in the event of a Man-In-The-Middle attack or similar that redirect may never make it back to the browser. Communication between the browser and the attacker then stays insecure while the attacker forwards the traffic securely to the real server, letting the attacker read everything that passes between browser and server. This is not so much of a problem for casual browsing, but if you are entering a username and password the attacker has just gained some very useful information.
Cutting Out The Middle Man
The benefits to your users of having HTTPS enabled are clear and well understood. HSTS extends HTTPS to bring further benefits to your end users, and as such it is recommended for any website that uses HTTPS. Implementation is normally done through your web server software, by configuring it to return the HSTS header to connecting browsers on HTTPS responses and to redirect any initial HTTP connection made by a browser to HTTPS.
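As an added example (not code from the original article, nor from Google or any browser vendor), the following Python models both ends of the mechanism described above: a server that redirects plain-HTTP requests and emits the Strict-Transport-Security header only on HTTPS responses, and a browser-side store that parses the header, remembers the host until its max-age expires, honours includeSubDomains and max-age=0, and rewrites http:// URLs to https:// for known hosts before any connection is made. The host names, the one-year max-age and the fixed clock used below are constructed values for illustration.

```python
"""Minimal model of HSTS (RFC 6797) from both ends: the server emitting the
header and the browser enforcing it. Constructed example, not production code."""
import time
from urllib.parse import urlsplit, urlunsplit

MAX_AGE = 31536000  # one year in seconds; an assumed policy value


def server_response(scheme, host, path, max_age=MAX_AGE, include_subdomains=True):
    """What the web server answers. Plain-HTTP requests are redirected; the HSTS
    header is only emitted on HTTPS responses, because browsers ignore it elsewhere."""
    if scheme == "http":
        return 301, {"Location": f"https://{host}{path}"}
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return 200, {"Strict-Transport-Security": value}


def parse_hsts(value):
    """Parse the header value into (max_age, include_subdomains); None if invalid."""
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:  # max-age is mandatory
        return None
    return max_age, include_sub


class HstsStore:
    """Browser-side cache of hosts known to require HTTPS."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.entries = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, scheme, host, headers):
        """Record the policy carried by a response. Only an HTTPS response counts."""
        if scheme != "https":
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return
        parsed = parse_hsts(value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:  # max-age=0 tells the browser to forget the host
            self.entries.pop(host, None)
            return
        self.entries[host] = (self.clock() + max_age, include_sub)

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, is unexpired."""
        now = self.clock()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:  # policy has run out; drop it
                del self.entries[candidate]
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when the host is a known HSTS host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:  # port 80 maps to the HTTPS default
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    _, headers = server_response("https", "example.com", "/")
    store.observe("https", "example.com", headers)
    print(store.rewrite("http://example.com/login"))  # upgraded to https://
```

The rewrite step is the whole point of HSTS: once the policy is cached, a URL typed as “http://example.com” never leaves the browser as plain HTTP, so there is no redirect for an attacker on the path to intercept. The store also shows why the header must be served only over HTTPS and why a stale or cleared entry (expired max-age or max-age=0) silently falls back to the unprotected behaviour.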
End Note: Is It The Death of Flash?
In other browser-related news, this month sees Firefox starting to block content that uses the Flash plugin from rendering in the browser. Initially this covers content that Mozilla views as invisible to the person browsing, or that is easily replicated in HTML; the end goal is to reach a point in 2017 where every user has to click to activate the Flash plugin whenever it is used. With Google having declared an intention to follow suit in the Chrome browser, we may finally be looking at the death knell for Flash. The reason for this is that Flash has been a major target of attacks and a source of numerous vulnerabilities over the years, with 52 squashed in July alone. If your website still makes use of Flash then it’s probably a good time to start investigating a move towards replacing it.