I understand the principle of HSTS, and the fact that the choice of max-age limits how long a visitor could potentially be locked out if the site somehow lost its certificate and had to go back to HTTP-only for a while. When setting up HSTS, most sources recommend rather long max-age values -- on the order of 180 to 365 days. Some "SSL test" websites (Qualys, ImmuniWeb...) even go as far as to issue warnings about HSTS max-age being set to a value below 180 days.

Separately, while most paid certificates are issued for one year, certificates from LetsEncrypt are only valid for 90 days. That leads me to my question: is there any reason why the HSTS max-age should be set to match the certificate's validity period? (i.e. a 90-day max-age for a 90-day LetsEncrypt certificate, and 365 days for a one-year ExpensiveCA certificate.)

smitelli

1 Answer

It's two separate things. LetsEncrypt set their certificates to be short-lived because they expect their users to constantly renew them; short-lived certificates limit the exposure time of a lost private key.

Paid certificates are usually issued manually, and hence live a bit longer, for practical reasons (much harder to issue certs every 90 days when somebody has to click buttons and fill out forms).

HSTS, on the other hand, was built to ensure that the browser 'remembers' the status of the site and uses HTTPS when accessing it. This has obvious security benefits, but also a slight performance improvement as well -- the browser will itself perform a 307 redirect and not even attempt a plain-HTTP request. This saves the user one entire round-trip to the site.

However, the main benefit is obviously security. Once a user visits your legitimate site and gets their HSTS set, it's much harder for attackers to spoof your website against their browser, because now the spoofed site needs a valid cert!

In short, you want to set your HSTS to be as long as possible to enjoy the security and performance benefits -- while you'd like to set your TLS certs to live as short as possible to reduce the threat of a lost key.

Given that, setting the HSTS max-age to equal the lifetime of your cert makes no sense at all. After all, even if your cert was set to 90 days, a client visiting your site on day 81 would have their HSTS set to 90 days -- even though your cert would expire 9 days later (hopefully you'll be renewing shortly!).

I understand some concern from folks around, "what would happen if I can't serve https anymore". This was my worry 5-6 years ago, when we started using HSTS, but now this is a very very small issue.

LetsEncrypt is totally free, and all webservers are very easily configurable for it. If you had a catastrophic failure on your website, the amount of time rebuilding it would be much larger than the small incremental step of adding https. If all else fails -- you can always just use Cloudflare or any other CDN to give you https as well.

keithRozario
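As an added illustration of the answer's day-81 point (example code, not from the original post or its author): a small parser for the Strict-Transport-Security header, plus a check of how far a visitor's HSTS entry outlives a certificate whose lifetime the max-age was set to match. The header value, the 90-day certificate lifetime and the 180-day threshold are constructed sample values.

```python
import re

# Constructed sample values (not from the original page): a 90-day certificate
# and a Strict-Transport-Security header whose max-age was set to match it.
CERT_LIFETIME_DAYS = 90
HSTS_HEADER = "max-age=7776000; includeSubDomains"  # 90 * 86400 seconds

# Lower bound the "SSL test" sites mentioned in the question warn about.
RECOMMENDED_MIN_DAYS = 180


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value into its directives.

    Raises ValueError when max-age is missing or malformed: browsers ignore
    such a header, so a typo here silently disables HSTS.
    """
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if not m:
                raise ValueError(f"malformed max-age: {value!r}")
            out["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    if out["max_age"] is None:
        raise ValueError("max-age directive is required")
    return out


def hsts_days_beyond_cert(visit_day: int, max_age: int, cert_days: int) -> int:
    """Days the browser's HSTS entry outlives the current certificate.

    The entry is (re)set on every HTTPS response, so it counts from the day
    of the visit, not from the day the certificate was issued.
    """
    return (visit_day + max_age // 86400) - cert_days


def below_recommended(max_age: int) -> bool:
    """True when max-age is under the 180-day floor the test sites flag."""
    return max_age < RECOMMENDED_MIN_DAYS * 86400
```

A visitor arriving on day 81 of the 90-day certificate keeps the HSTS entry until day 171, 81 days past the certificate's expiry, which is why tying the two values together buys nothing.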