HTTP Strict Transport Security (HSTS)

Bruce Morton

I recently blogged about Firesheep, the Firefox extension that can be used to compromise a secure connection to a website that you have connected to from an open Wi-Fi hotspot. The truth is that the vulnerability Firesheep exposes is not new, but little was done about it. Not so anymore: help is on the way.

HTTP Strict Transport Security (HSTS), also called STS, is a new security policy mechanism by which a web server tells a supporting browser that it may only be contacted over secure connections (i.e. SSL). HSTS lets web site operators who are serious about security force secure connections for users who are also serious about security (or lucky enough to be using a supporting browser). HSTS is supported in Google Chrome and the Firefox extension NoScript. Firefox 4.0 will also support HSTS when it is released in early 2011.

HSTS is simple for browsers to support. When a browser connects to an HSTS site, it finds a new header in the HTTPS (i.e. secure SSL connection) reply, such as:

Strict-Transport-Security: max-age=2592000; includeSubDomains

When an HSTS-supporting browser sees this, it remembers for the specified period (the “max-age” value, in seconds) that the current domain can only be contacted over HTTPS. If the user subsequently tries to connect to the site over plain HTTP, the browser automatically upgrades the request to HTTPS. The “includeSubDomains” directive extends the HSTS policy to all subdomains of the current domain as well.
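As an added example (not part of the original post, and not any real browser's code), here is a small Python model of the browser-side behaviour just described: parse the Strict-Transport-Security header, remember the policy for max-age seconds, honour includeSubDomains, and upgrade later http:// requests. The HstsStore class and its method names are my own constructs; it also shows the caveat that the header is only trusted when it arrives over HTTPS, since a plain-HTTP response could have been tampered with on the way.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_sts_header(value):
    """Return (max_age_seconds, include_subdomains), or None if the value is malformed."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None or max_age < 0 else (max_age, include_sub)

class HstsStore:
    """Constructed model of a browser's HSTS cache: host -> (expiry_time, include_subdomains); 'now' is a Unix timestamp supplied by the caller."""
    def __init__(self):
        self.policies = {}
    def observe_response(self, url, headers, now):
        """Record a policy from a response; returns False (stores nothing) unless the response itself came over HTTPS."""
        parts = urlsplit(url)
        value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
        parsed = parse_sts_header(value) if parts.scheme == "https" and value else None
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(parts.hostname.lower(), None)  # max-age=0 tells the browser to forget the policy
        else:
            self.policies[parts.hostname.lower()] = (now + max_age, include_sub)
        return True
    def is_known_hsts_host(self, host, now):
        """True if host, or a parent domain whose policy has includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy and policy[0] > now and (i == 0 or policy[1]):
                return True
        return False
    def rewrite(self, url, now):
        """Return the URL the browser actually fetches: http:// upgraded to https:// for an HSTS host (default ports assumed)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_hsts_host(parts.hostname, now):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url
```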

Now the onus is on web site operators to configure their sites to support HSTS. Details can be found in the IETF Internet Draft specification. As more web sites adopt HSTS and more browsers support it, end users' browsing experience will become a safer one.

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
