HTTP Strict Transport Security (HSTS)
I recently blogged about Firesheep, the Firefox extension that can be used to compromise a secure connection to a website that you have connected to from an open Wi-Fi hotspot. The truth is the vulnerability that Firesheep exposes is not new, but little was done about it. Not so anymore, help is on the way.
HTTP Strict Transport Security (HSTS), or STS, is a new security policy mechanism by which a web server tells a supporting browser that it may only be contacted over secure connections (i.e. SSL). HSTS allows web site operators who are serious about security to force secure connections with users who are also serious about security (or lucky enough to have a supporting browser). HSTS is supported in Google Chrome and the Firefox extension NoScript. Firefox 4.0 will also support HSTS when it is released in early 2011.
HSTS is simple for browsers to support. When a browser connects to an HSTS site it finds a new header in an HTTPS (i.e. secure SSL connection) reply such as:
Strict-Transport-Security: max-age=2592000; includeSubDomains
When an HSTS-supporting browser sees this, it will remember for the specified period (i.e. “max-age”, in seconds) that the current domain may only be contacted over HTTPS. If the user subsequently tries to connect to the site with plain HTTP, the browser will switch to HTTPS before sending the request. The “includeSubDomains” directive extends the HSTS policy to all subdomains of the current domain as well.
Now the onus is on web site operators to configure their sites to support HSTS. Details can be found in the IETF Internet Draft specification. As more web sites adopt HSTS and more browsers support it, end users' browsing experience will become a safer one.