Understand HSTS certificate and learn how to level up your website’s security using HTTP Strict Transport Security (HSTS)
In this article, you will learn know what is HSTS certificate, how to implement HSTS and a step-by-step guide know on how HSTS stops SSL stripping attacks.
Gone are the days when only an https:// connection was enough to secure your website and provide confidence in your security to your customers. Today, hackers have found vulnerabilities in SSL connections, such as the infamous 301 redirect that lets them destroy the safety of an SSL connection.
This may make you feel unsafe the next time you try banking online, but fortunately, we have invented a solution. HSTS connections are even more secure than basic HTTP connections for several reasons. Before we dive deeper into this topic, we’ll go over the basics of how standard HTTPS kept you secure.
What is HSTS Certificate Encryption?
When you want to keep your information private on the internet, using a secret code can boost your chances of preventing third parties from reading it. This can be done using encryption which completely scrambles your message to prevent both humans and machines from being able to make sense of it.
When your message reaches the destination, the receiver can use a key to unscramble it in a process known as decryption. Currently, encryption is done in two ways – symmetric vs asymmetric encryption.
As you can see, symmetric encryption has one obvious vulnerability, which lets an attacker intercept the key before the connection is encrypted. While not so obvious, asymmetric encryption can also be quite vulnerable to interception. While the attacker may not be able to access the private key, they can get access to the public key in this case.
Using the public key, the attacker would be able to encrypt malicious code and send it to the client, making it seem like it came from the server. This could include anything from spyware to ransomware. Fortunately, there is a way to determine the authenticity of each communication carried out over a secured network.
HSTS Vs. SSL Certificate
The SSL protocol allows each client and server connection to verify the security of the connection before communication begins. This is carried out in a process known as the SSL handshake. The handshake also uses certificates that show the authenticity of each communication coming from the server.
These certificates are encrypted using a secret key and can only be decrypted using the pair key, which is shared during the handshake. If the client fails to decrypt the certificate, it proves that the message is not genuine and has come from an attacker.
While the workings of certificates and encryption algorithms are certainly more complex than this, for now, you can keep in mind that they both work together to secure a connection. If a website uses SSL Certificate or its advanced version known as TLS (Transport Layer Security), it will have the https:// in front of its URL after the handshake has been established.
The Vulnerability
The vulnerability this system presents isn’t very complicated. To put it simply, websites need time to establish an SSL handshake, and during that brief period, they connect to their clients using an http:// connection. This leaves the connection vulnerable to attacks. Exploits of this vulnerability include sending phishing login pages to the client by redirection or even stripping an SSL connection while leaving the connection unsecured and unencrypted.
How to Fix HSTS Error in Chrome?
HSTS stands for HTTP Strict Transport Security, and it isn’t a new technology. In fact, it was invented back in 2012 but has taken this long to be fully implemented. This is a policy that prevents websites from accepting any HTTP connections at all, thereby directly connecting with their clients using HTTPS.
In general, browsers try to connect to websites using HTTP; however, this gets changed thanks to HSTS, which sends instructions to browsers to strictly adhere to HTTPS connections only. While this still leaves you vulnerable the first time you connect to the website, it can be delivered via HTTPS to ensure maximum security.
How to Implement HSTS or Http Strict Transport Security in a Website?
Implementing HSTS requires an SSL certificate. In the case of several subdomains on your website, you would need a Wildcard Certificate, but in other cases, just about any SSL certificate would work.
Once you have the certificate, you can implement HSTS with the following code:
1. For Apache Web Server
Use HTTP Strict Transport Security to force client to use secure connections only Header always set Strict-Transport-Security “max-age=300; includeSubDomains; preload”
2. For lighttpd
server.modules += ( "mod_setenv" ) $HTTP["scheme"] == "https" { setenv.add-response-header = ("Strict-Transport-Security" => "max-age=300; includeSubDomains; preload") }
3. For NGINX
add_header Strict-Transport-Security 'max-age=300; includeSubDomains; preload; always;'
4. For IIS Servers
protected void Application_BeginRequest(Object sender, EventArgs e) { switch (Request.Url.Scheme) { case "https": Response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"); break; case "http": var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery; Response.Status = "301 Moved Permanently"; Response.AddHeader("Location", path); break; } }
Final Thoughts
While it has been in use for over a decade, now HSTS has become a necessity for making the World Wide Web a more secure place. Implement it on your website today for maximum security for your users.
Top comments (1)
What an informative post on HSTS certificates and how to enable them! HSTS (HTTP Strict Transport Security) is crucial for enhancing website security and protecting users from potential threats. This step-by-step guide on enabling HSTS certificates for various servers is very helpful and easy to follow. It's reassuring to know that HSTS ensures all communication with the website is encrypted, reducing the risk of man-in-the-middle attacks. Thank you for sharing this valuable knowledge!