What is HSTS?

(HSTS) HTTP Strict Transport Security is a policy mechanism that protects the use of invalid certificates and man-in-the-middle attacks such as protocol downgrades.

SSL and Certificates Overview

SSL is an abbreviation of Secure Socket Layer, and they require certificates to exchange data between the server and clients.

HTTP and man-in-the-middle attack

In an earlier era of HTTP, every website uses HTTP, which means every data or message passing across the globe is unencrypted. Around Y2K, Security is concerned. In Myanmar, 2006-2010, we start using HTTPS. Generally, HTTPS is three times slower than HTTP, but the connection becomes faster, then we do not have to worry about it anymore.

SSL and Certificates

With the rise of SSL, the signing authority becomes essential for validating the transferred data is correct. There are many providers such as DigiCert, Norton and so on. In Myanmar, Yadanarpon Teleport acts as Sign Authority, but no one accepts its certificate as valid and verified until today.

Rise of HTTP Strict Transport Security (HSTS)

HSTS becomes popular, but not among all websites. SSL has its expiry date, and after that duration, the certificate becomes invalid. When a user visits a website with an invalid certificate, the browser warns you that the website is not properly secured. It may be the reason ranging from expired certificate to man-in-the-middle attack on every node from server to your browser. If you want to visit, you need to add an exception to your website.

Exception hell

When you can click the exception as easy as you can, the administrators add invalid certificates to track your activity. They decrypt the website, attach their certificate and encrypt it back to you with their self-signed certificate, like HTTP, and nothing is safe.

HSTS

To protect our users from Exception hell, we sign with HSTS. HSTS declaration requires every directory and subdomains of the domain need to have one or more valid certificates. Certificates need to have the same authority and signed. When a man-in-the-middle attack occurred, or one of the certificates expired, that specific subdomain shows that the certificate is invalid. There is one thing new, no more exception box.

HSTS Requirements

HSTS requires all subdomains and directories to have valid certificates, and SSL is on.

You can check your website is HSTS here.

Conclusion

HTTP Strict Transfer Transport (HSTS) brings us many more benefits (currently). With developments, there will be better security for millions of people around the world.