
Using only HTTPS isn’t enough for your website. Here’s how you can level up your website’s security.
In this article, you will learn know what is HSTS certificate, how to implement HSTS and a step-by-step guide know on how HSTS stops SSL stripping attacks.
Gone are the days when only an https:// connection was enough to secure your website and provide confidence in your security to your customers. Today, hackers have found vulnerabilities in SSL connections, such as the infamous 301 redirect that lets them destroy the safety of an SSL connection.
This may make you feel unsafe the next time you try banking online, but fortunately, we have invented a solution. HSTS connections are even more secure than basic HTTP connections for several reasons. Before we dive deeper into this topic, we’ll go over the basics of how standard HTTPS kept you secure.
Encryption: A Brief Rundown
When you want to keep your information private on the internet, using a secret code can boost your chances of preventing third parties from reading it. This can be done using encryption which completely scrambles your message to prevent both humans and machines from being able to make sense of it.
When your message reaches the destination, the receiver can use a key to unscramble it in a process known as decryption. Currently, encryption is done in two ways – symmetric and asymmetric.[1]
| Symmetric Encryption | Asymmetric Encryption |
| Symmetric Encryption uses a single key for encryption and decryption. This key is shared over an unsecured network. | Asymmetric Encryption uses separate key pairs of encrypting keys(public keys) and decrypting keys(private keys) for both parties. The private keys are never shared. |
| It is faster but less secure. | It Is extremely secure but quite slow. |
As you can see, symmetric encryption has one obvious vulnerability, which lets an attacker intercept the key before the connection is encrypted. While not so obvious, asymmetric encryption can also be quite vulnerable to interception. While the attacker may not be able to access the private key, they can get access to the public key in this case.
Using the public key, the attacker would be able to encrypt malicious code and send it to the client, making it seem like it came from the server. This could include anything from spyware to ransomware. Fortunately, there is a way to determine the authenticity of each communication carried out over a secured network.
The Secure Socket Layer (SSL) and Certificates
The SSL protocol allows each client and server connection to verify the security of the connection before communication begins. This is carried out in a process known as the SSL handshake. The handshake also uses certificates that show the authenticity of each communication coming from the server.
These certificates are encrypted using a secret key and can only be decrypted using the pair key, which is shared during the handshake. If the client fails to decrypt the certificate, it proves that the message is not genuine and has come from an attacker.
While the workings of certificates and encryption algorithms are certainly more complex than this, for now, you can keep in mind that they both work together to secure a connection. If a website uses SSL[2] or its advanced version known as TLS (Transport Layer Security), it will have the https:// in front of its URL after the handshake has been established.
The Vulnerability
The vulnerability this system presents isn’t very complicated. To put it simply, websites need time to establish an SSL handshake, and during that brief period, they connect to their clients using an http:// connection. This leaves the connection vulnerable to attacks. Exploits of this vulnerability include sending phishing login pages to the client by redirection or even stripping an SSL connection while leaving the connection unsecured and unencrypted.
What is HSTS certificate & How HSTS Fixes This
HSTS stands for HTTP Strict Transport Security, and it isn’t a new technology. In fact, it was invented back in 2012 but has taken this long to be fully implemented. This is a policy that prevents websites from accepting any HTTP connections at all, thereby directly connecting with their clients using HTTPS.
In general, browsers try to connect to websites using HTTP; however, this gets changed thanks to HSTS, which sends instructions to browsers to strictly adhere to HTTPS connections only. While this still leaves you vulnerable the first time you connect to the website, it can be delivered via HTTPS to ensure maximum security.
How to Implement HSTS?
Implementing HSTS requires an SSL certificate. In the case of several subdomains on your website, you would need a Wildcard Certificate, but in other cases, just about any SSL certificate[3] would work.
Once you have the certificate, you can implement HSTS with the following code:
1. For Apache Web Server
# Use HTTP Strict Transport Security to force client to use secure connections only Header always set Strict-Transport-Security “max-age=300; includeSubDomains; preload”
2. For lighttpd
server.modules += ( “mod_setenv” ) $HTTP[“scheme”] == “https” { setenv.add-response-header = (“Strict-Transport-Security” => “max-age=300; includeSubDomains; preload”) }
3. For NGINX
add_header Strict-Transport-Security ‘max-age=300; includeSubDomains; preload; always;’
4. For IIS Servers
protected void Application_BeginRequest(Object sender, EventArgs e) { switch (Request.Url.Scheme) { case “https”: Response.AddHeader(“Strict-Transport-Security”, “max-age=31536000; includeSubDomains; preload”); break; case “http”: var path = “https://” + Request.Url.Host + Request.Url.PathAndQuery; Response.Status = “301 Moved Permanently”; Response.AddHeader(“Location”, path); break; } }
Final Thoughts of What is HSTS
While it has been in use for over a decade, now HSTS has become a necessity for making the World Wide Web a more secure place. Implement it on your website today for maximum security for your users.
The post What is HSTS Certificate: How It Stops SSL Stripping Attacks[4] appeared first on CheapSSLWeb.com Resources[5].
*** This is a Security Bloggers Network syndicated blog from CheapSSLWeb.com Resources[6] authored by CheapSSLWeb.com Resources[7]. Read the original post at: https://cheapsslweb.com/resources/what-is-hsts-certificate/[8]
References
- ^ symmetric and asymmetric. (cheapsslweb.com)
- ^ website uses SSL (cheapsslweb.com)
- ^ SSL certificate (cheapsslweb.com)
- ^ What is HSTS Certificate: How It Stops SSL Stripping Attacks (cheapsslweb.com)
- ^ CheapSSLWeb.com Resources (cheapsslweb.com)
- ^ CheapSSLWeb.com Resources (cheapsslweb.com)
- ^ Read other posts by CheapSSLWeb.com Resources (securityboulevard.com)
- ^ https://cheapsslweb.com/resources/what-is-hsts-certificate/ (cheapsslweb.com)