Is HSTS good to use even if my servers are configured to use HTTPS (when HTTP is used, the rewrite rules in Apache turn it into HTTPS)?

Also should HSTS be used even on resources like CSS and images, or just when the content type is text/html?

Anders
Novice User

2 Answers

Yes, strict transport security provides a real benefit.

HSTS tells the browser to only communicate with the server via HTTPS. The first time the browser sees the HSTS header from the server, it remembers it. When the user visits the site again, the browser enforces that all communication is done via HTTPS. This will work as long as the attacker doesn't strip the header on the first visit to the site.

This prevents SSL-stripping attacks, a form of man-in-the-middle attack which presents the user with a clear-text resource instead of the SSL one. Normally, the user would not be alerted, and most "average" users wouldn't spot that the SSL padlock or green/blue highlight isn't shown in the URL bar. In the case of HSTS, the browser would immediately warn the user that the browser is attempting to violate its own security policy.

  1. Client creates a clear-text connection to the server.
  2. Server responds with a redirect to the HTTPS address, with the HSTS header set.
  3. Client and server communicate over SSL.
  4. Session ends.
  5. Client comes back later, browser has stored the HSTS flag for this domain.
  6. Attacker attempts to perform SSL-strip attack, and serves clear-text to the client.
  7. Client recognises that the HSTS policy disallows this, and alerts the user.

For further security, some are proposing that HSTS be implemented as an option in DNSSEC, so that the HSTS header is set as part of the DNS lookup. Since DNSSEC provides strong security through pre-distributed authority certificates, this would make it exceedingly difficult for an attacker to defeat the HSTS mechanism, even if they are actively attempting to SSL-strip on the first visit to the site.

Polynomial

  • If my webserver only goes for HTTPS, then how is MiTM possible? – Novice User Jul 16 '12 at 16:05
  • @NoviceUser An attacker can use a variety of techniques (e.g. poison routing) to hijack the TCP connection, then pretend to be the server. He can't pretend to be the server in SSL mode, because he would need the server's private key, so he sends a downgrade header that causes the browser to switch back to HTTP. The browser then talks to the attacker in plaintext, and the attacker talks to the server via SSL, as if it were a legitimate client. The client doesn't see the "secure" padlock on their browser, but most people don't notice. – Polynomial Jul 16 '12 at 16:09
  • @Polynomial this assumes though that the MiTM isn't in the middle during the initial connection that returns the header. If so, then the attacker could just strip the header and the browser would never see it. – Steve Jul 16 '12 at 19:07
  • @SteveS I covered that. Last sentence of the first paragraph: *"This will work as long as the attacker doesn't strip the header on the first visit to the site."*, and the latter part of the last sentence: *"this would make it exceedingly difficult for an attacker to defeat the HSTS mechanism, even if they are actively attempting to SSL-strip on the first visit to the site."* – Polynomial Jul 16 '12 at 19:21
  • @Polynomial oops. So you did. Sorry. :) – Steve Jul 16 '12 at 21:45
  • @Polynomial, I'm worried about "the browser enforces that all communication is done via HTTPS". If my site requests resources from the CDN, which is a different domain, will the browser still enforce that they are served via http? What if the CDN is not configured for https? – Olena Horal Dec 28 '16 at 15:39
  • @OlenaHoral HSTS adheres to the same-origin policy when setting the directive, so it will only affect the current domain. – Polynomial Dec 28 '16 at 22:43
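As an added illustration of the seven-step flow and the comment thread above (example code written here, not part of the original answer or of any browser), this Python models a browser's HSTS store: a policy is remembered only from an HTTPS response (per RFC 6797), so an attacker who strips the header on the first plaintext visit leaves nothing to enforce, and the policy applies only to the host that sent it, plus its subdomains when includeSubDomains is set. All hostnames and header values are constructed.

```python
from urllib.parse import urlsplit

# Model of a browser's HSTS store (illustration, not a real browser's code).
# Browsers only honour Strict-Transport-Security on an HTTPS response, so an
# SSL-strip attacker on the first plaintext visit leaves the store empty.
class HstsStore:
    def __init__(self):
        self.policies = {}  # host -> includeSubDomains flag

    def observe(self, url, headers):
        """Record Strict-Transport-Security from an HTTPS response (steps 2-3)."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            if name.lower() == "max-age" and arg.isdigit():
                max_age = int(arg)
            elif name.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is mandatory; a malformed header is ignored
        if max_age == 0:  # max-age=0 withdraws the policy
            self.policies.pop(parts.hostname, None)
        else:
            self.policies[parts.hostname] = include_sub

    def covers(self, host):
        """True if host, or a parent with includeSubDomains, has a stored policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            if parent in self.policies and (i == 0 or self.policies[parent]):
                return True
        return False

    def navigate(self, url):
        """Steps 5-7: rewrite http:// to https:// for covered hosts, else leave as is."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.covers(parts.hostname):
            return parts._replace(scheme="https").geturl()
        return url  # no policy known: plaintext allowed (first visit, or other origin)

if __name__ == "__main__":
    store = HstsStore()
    store.observe("https://www.example.com/", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(store.navigate("http://www.example.com/buy.html"))  # upgraded to https://
    print(store.navigate("http://cdn.example.net/lib.js"))    # untouched: different origin
```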
Yes, if you are using SSL sitewide, then I definitely recommend enabling HSTS.

HSTS is an important security measure to defeat man-in-the-middle attacks that shift the user over to http and then attack the user. For instance, sslstrip is a well-known tool to mount such an attack. For more details on this sort of attack, see the following questions: How to thwart sslstrip attack?, Options when defending against SSLstrip?, and this answer.

HSTS tells the browser: never use HTTP with this site. Only access it via HTTPS. So, to enable HSTS, you must make sure that your site works with HTTPS, and only HTTPS. This includes everything: HTML, CSS, Javascript, everything. Make sure all of the CSS and Javascript on your site is available over HTTPS. Also, I suggest that you convert your pages to reference everything over HTTPS (I recommend your pages avoid loading any other Javascript or CSS resource over HTTP, as that may cause warnings or security problems for some browsers).

For instance, let's say your site is www.example.com and you have a page https://www.example.com/buy.html which includes some Javascript from your site. You must make sure your Javascript file is available on an HTTPS URL (e.g., https://www.example.com/library.js). I recommend that you load it via an HTTPS URL (e.g., <SCRIPT SRC="https://www.example.com/library.js">).

P.S. I also recommend that you set the secure flag on all cookies you use.

D.W.
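As an added readiness check for the "HTTPS only" rule in this answer (example code written here, not the answerer's or any project's tooling), this Python reports every subresource a page pulls over plain HTTP and every cookie set without the Secure flag, both of which undercut the assumption HSTS relies on. The sample page and Set-Cookie values are constructed around the www.example.com scenario.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Readiness check before enabling HSTS (illustration, not the site's own tooling):
# report subresources fetched over plain HTTP and cookies lacking the Secure flag.
URL_ATTRS = {"script": "src", "link": "href", "img": "src"}

class SubresourceScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # absolute http:// URLs referenced by the page

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(URL_ATTRS.get(tag, ""))
        if value:
            absolute = urljoin(self.page_url, value)  # resolves "/x" and "//host/x"
            if urlsplit(absolute).scheme == "http":
                self.insecure.append(absolute)

def insecure_subresources(page_url, html):
    scanner = SubresourceScanner(page_url)
    scanner.feed(html)
    return scanner.insecure

def cookies_without_secure(set_cookie_headers):
    """Names of cookies whose Set-Cookie value lacks the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        attrs = [a.strip() for a in header.split(";")]
        if not any(a.lower() == "secure" for a in attrs[1:]):
            missing.append(attrs[0].partition("=")[0])
    return missing

# Constructed sample page and headers for the www.example.com scenario above.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.example.com/style.css">
<script src="https://www.example.com/library.js"></script>
<script src="//cdn.example.net/vendor.js"></script>
</head><body><img src="/logo.png"><img src="http://cdn.example.net/banner.png">
</body></html>"""
SAMPLE_SET_COOKIE = ["session=abc123; Path=/; HttpOnly", "theme=dark; Path=/; Secure"]

if __name__ == "__main__":
    for url in insecure_subresources("https://www.example.com/buy.html", SAMPLE_HTML):
        print("plain-HTTP subresource:", url)
    for name in cookies_without_secure(SAMPLE_SET_COOKIE):
        print("cookie without Secure flag:", name)
```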