HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL[1]). HSTS is an IETF standards track protocol and is specified in RFC 6797.

The HSTS Policy[2] is communicated by the server to the user agent via an HTTP response header field named "Strict-Transport-Security". The HSTS Policy specifies a period of time during which the user agent shall access the server only in a secure fashion.

Description source: Wikipedia


Slide transcript

  1. HSTS. Abraham Martin (@abraham_martinc), University of Cambridge
  2. HTTP Strict Transport Security, RFC 6797, November 2012
  3. (Diagram) Browser and bank web server: the user requests http://bank.com over plain HTTP. The page contains a link `<a href="https://bank.com/login.html">`, and the login page is then fetched over HTTPS. Cookies (session) travel with these requests.
  4. (Diagram) Man in the middle: the attacker intercepts the plain-HTTP http://bank.com response and rewrites the link to `<a href="https://benk.com/login.html">`, so the browser fetches https://benk.com/login.html over HTTPS. The certificate is valid... for benk.com. The attacker could also read the cookies/session that were sent over HTTP.
  5. You could think... "OK, I'm secure because I have my web server configured to redirect all HTTP calls to HTTPS."
  6. (Diagram) Browser requests http://bank.com over HTTP; the bank web server answers HTTP 302 with a redirect to https://bank.com; the browser then fetches https://bank.com/ over HTTPS.
  7. Configuring your web server to always redirect to HTTPS does NOT solve the problem.
  8. (Diagram) Man in the middle: the browser requests http://bank.com over HTTP; the attacker, not the bank, answers HTTP 302 with a redirect to https://benk.com; the browser fetches https://benk.com/ over HTTPS. The certificate is valid... for benk.com. The redirect itself travelled over plain HTTP, so the attacker was free to rewrite it.
  9. HTTP Strict Transport Security to the rescue
  10. (Diagram) Browser requests http://bank.com; the page links to https://bank.com/login.html. The HTTPS response carries the header Strict-Transport-Security, and the browser saves this site as an STS (HSTS) host. Note that user agents only honour this header when it arrives over HTTPS; a copy in a plain-HTTP response is ignored (RFC 6797 section 8.1), because an attacker could forge it.
  11. (Diagram) Browser requests http://bank.com; HTTP 302 redirect to https://bank.com; the HTTPS response for https://bank.com/ carries the header Strict-Transport-Security, and the browser saves this site as an STS host.
  12. Next time the user types http://bank.com or bank.com into their browser...
  13. (Diagram) ...the browser rewrites http://bank.com to https://bank.com itself, before any request leaves the machine, so the man-in-the-middle downgrade of slides 4 and 8 is impossible for as long as the stored policy is valid. Caveat: the very first visit (before the header has ever been seen) is still exposed; the preload lists shipped with browsers exist to close that gap.
  14. Apache configuration: `Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"` (63072000 seconds is two years). Set it in the HTTPS virtual host only; `always` makes mod_headers add it to non-2xx responses as well. `includeSubDomains` commits every subdomain to HTTPS, so any subdomain still served over plain HTTP will break for returning users.
  15. Browser support: http://caniuse.com/
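The slides describe what the browser does with the header; the following is an added example (not code from the slides or from the Wikipedia text) that models that user-agent side of RFC 6797 in Python: parsing the Strict-Transport-Security field value, keeping the store of known HSTS hosts, and rewriting http:// URLs to https:// locally before any request is sent. The hostnames bank.com / www.bank.com / benk.com, the clock values and the `slide_walkthrough` replay are constructed for illustration; the header value is the one from slide 14.

```python
"""Model of the user-agent side of RFC 6797: parse the header, keep the
known-HSTS-hosts store, and rewrite http:// URLs to https:// before any
request is sent. Added example; not code from the slides."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Policy:
    max_age: int            # delta-seconds
    include_subdomains: bool


def parse_sts(value: str) -> Optional[Policy]:
    """Parse a Strict-Transport-Security field value (RFC 6797 s6.1).

    Returns None where the UA must ignore the whole header: max-age missing
    or malformed, a directive repeated, or includeSubDomains given a value.
    Unrecognised directives (e.g. "preload") are skipped, not fatal."""
    seen = set()
    max_age = None
    include_subdomains = False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue                      # "a; ;b" is legal: empty directive slot
        name, has_value, val = token.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        val = val.strip().strip('"')      # value may be a quoted-string
        if name in seen:
            return None                   # each directive MUST appear only once
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None               # max-age = delta-seconds (digits only)
            max_age = int(val)
        elif name == "includesubdomains":
            if has_value:
                return None               # valueless directive
            include_subdomains = True
        # anything else: unrecognised directive, ignored
    if max_age is None:
        return None                       # max-age is REQUIRED
    return Policy(max_age, include_subdomains)


class KnownHosts:
    """The browser's Known HSTS Hosts: host -> (expiry, includeSubDomains)."""

    def __init__(self) -> None:
        self._hosts: Dict[str, Tuple[float, bool]] = {}

    def process_response(self, host: str, over_tls: bool,
                         headers: List[Tuple[str, str]], now: float) -> bool:
        """Apply a response's STS header (s8.1). True if the store changed."""
        if not over_tls:
            return False                  # MUST ignore STS received over plain HTTP
        values = [v for k, v in headers if k.lower() == "strict-transport-security"]
        if not values:
            return False
        policy = parse_sts(values[0])     # several fields: only the first is processed
        if policy is None:
            return False
        host = host.lower()
        if policy.max_age == 0:           # max-age=0 tells the UA to forget the host
            return self._hosts.pop(host, None) is not None
        self._hosts[host] = (now + policy.max_age, policy.include_subdomains)
        return True

    def is_known(self, host: Optional[str], now: float) -> bool:
        """Exact match, or a superdomain that declared includeSubDomains (s8.2)."""
        if not host:
            return False
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue                  # unknown or expired
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """URI rewriting (s8.3): http -> https, port 80 -> 443, rest untouched."""
        p = urlsplit(url)
        if p.scheme != "http" or not self.is_known(p.hostname, now):
            return url
        netloc = p.hostname
        if p.port not in (None, 80):
            netloc += ":%d" % p.port      # non-default ports are preserved
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


def slide_walkthrough() -> Tuple[str, str]:
    """Replay the deck: what the browser fetches on the next two visits."""
    store = KnownHosts()
    t0 = 1_700_000_000.0                  # constructed clock, seconds
    sts = "max-age=63072000; includeSubDomains"   # slide 14's value
    # Slides 3-8: first visit is plain HTTP; an STS header injected here is ignored.
    store.process_response("bank.com", False, [("Strict-Transport-Security", sts)], t0)
    # Slides 10-11: the HTTPS response after the redirect carries the real header.
    store.process_response("bank.com", True, [("Strict-Transport-Security", sts)], t0)
    # Slides 12-13: the user types http://bank.com again; the UA upgrades it locally.
    return (store.rewrite("http://bank.com/", t0 + 3600),
            store.rewrite("http://www.bank.com:80/login.html?x=1", t0 + 3600))


if __name__ == "__main__":
    print(slide_walkthrough())
```

Two things the model makes visible that the diagrams only imply: the header is discarded when it arrives over plain HTTP, so the attacker of slides 4 and 8 cannot plant or clear a policy, and the rewrite happens from the store alone, so once the policy is held the http://bank.com request of slide 13 never reaches the network. It also shows why the first visit stays exposed: before the HTTPS response has been seen, `rewrite` returns the URL unchanged.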
