What is HSTS and how do I activate it?
Internet security is becoming more important as connectivity grows, while at the same time attacks are becoming more complex and sophisticated. Encrypting websites and their traffic with Secure Sockets Layer (SSL) or its successor Transport Layer Security (TLS) is now regarded as an essential baseline, but it does not protect against every threat. The extension HTTP Strict Transport Security (HSTS) closes off a class of established attacks that work even though TLS is available, above all those that keep a visitor on unencrypted HTTP.
Contents:
How does encryption work on the Internet?
HSTS - How does it work?
What does HSTS Preload mean?
What types of attacks does HSTS prevent?
What are the advantages and disadvantages of HSTS?
How to enable HSTS on a web host?
How does encryption work on the Internet?
Secure encryption requires that the key the two parties agree on cannot be stolen, altered or read by a third party. TLS 1.3 (RFC 8446, 2018), the current version of the protocol that started out as SSL, achieves this with an ephemeral Diffie-Hellman key exchange (named after Diffie, Hellman and Merkle): both sides contribute a public value, derive the same shared secret, which a passive observer cannot compute, and from it derive symmetric session keys that are unique to that session and discarded afterwards. Authentication comes from certificates: a Certificate Authority (CA) such as Let's Encrypt, Comodo or DigiCert signs a certificate that binds the domain name to the server's public key, and during the handshake the server proves possession of the matching private key. The client trusts only CAs on its built-in list, so the certificate guarantees the identity of the server, not the strength of the encryption itself.
Since 2010, several large IT companies have pushed for encrypting all connections, because under plain Hypertext Transfer Protocol (HTTP) even highly sensitive data such as passwords or bank details travel in clear text. Since 2014, HTTPS has also counted as a ranking signal in search engines and is therefore relevant for Search Engine Optimization (SEO). However, the older protocol versions SSL 2.0 and 3.0 and the first two versions of TLS contain weaknesses that were discovered later and are now deprecated, and even a correct TLS deployment leaves one gap: a visitor usually arrives over plain HTTP first and is only then redirected to HTTPS, which gives an attacker between client and website an early point at which to interfere. To close that gap, the Internet Engineering Task Force (IETF) published HSTS as RFC 6797 in 2012.
HSTS - How does it work?
HSTS is a mechanism that guarantees an encrypted connection between the client and the provider, whether that is shared web hosting, a Virtual or Dedicated Server, or a Cloud instance. It uses an additional response header that a site sends over HTTPS and that instructs the browser to contact the host only via TLS for a defined period. Browsers deliberately ignore the header when it arrives over plain HTTP, since an attacker on the path could have inserted it. Once a policy is stored, the following applies:
- Every http:// URL for the host is rewritten to https:// inside the browser before any request leaves it
- If the TLS connection cannot be set up securely, for example because of a certificate error, the browser aborts; it no longer offers a click-through warning
- The client receives the HSTS directives in the first HTTPS response from the site
- The browser stores the policy for the period the site specifies
- Encryption is mandatory for that whole period, which is refreshed with every further HTTPS response
- If encryption fails, there is no fallback to an insecure or unencrypted connection
Specifically, HSTS consists of a single header with the directive to use HTTPS consistently from now on. The minimal form is:
Strict-Transport-Security: max-age=<time in seconds>
A typical value is 31536000 seconds, which is 365 days. Further optional directives follow, separated by semicolons: includeSubDomains extends the policy to all subdomains such as test.example.org, and preload signals that the operator consents to the domain being compiled into the browsers' built-in HSTS lists (see the next section). Directive names are case-insensitive, so includeSubdomains works as well, and a trailing semicolon is tolerated.
What does HSTS Preload mean?
A fundamental limitation is that HSTS only takes effect after the first successful HTTPS visit; the very first request of a new visitor can still be intercepted. To get around this, operators can submit their domain to the list maintained by the Google Chromium Project (https://hstspreload.org/). The list is compiled into Chrome, and Firefox, Apple Safari, Microsoft Edge and Opera derive their own built-in lists from it, so the policy is in place before the first visit. Submission is open to any domain owner but comes with conditions that are checked automatically:
- A valid TLS certificate issued by a CA the browsers trust
- A max-age of at least 31536000 seconds (1 year)
- The directives includeSubDomains and preload in the HSTS header of the base domain
- HTTPS must work on all subdomains, in particular www if it has a DNS record
- If the site listens on port 80, HTTP must redirect to HTTPS on the same host
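The header syntax from the previous section and the preload conditions above, modelled in code as an added example (not code from the article or from hstspreload.org): a parser for the Strict-Transport-Security value, a small policy store that behaves like a browser's (ignores the header over plain HTTP, honours includeSubDomains, expires entries, deletes on max-age=0, upgrades http:// URLs before they are sent), and a checker for the preload requirements that can be verified from the header and the port-80 redirect. The host names, headers and the fake clock are constructed inputs.

```python
"""Toy model of a browser's HSTS policy store (RFC 6797) and of the checks
hstspreload.org runs on a submission. Added example, not code from the
original article; hosts, headers and the fake clock are constructed."""
import re
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # minimum max-age (seconds) for the preload list


def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None means 'ignore header'.

    Directive names are case-insensitive and empty directives (a trailing
    ';') are tolerated, but a missing or non-numeric max-age invalidates
    the whole header, as it does in a conforming browser."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class HstsStore:
    """Per-host policies, kept the way a browser keeps them."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.policies = {}  # host -> (expires_at, include_subdomains)

    def observe(self, url, header):
        """Learn from a response. Headers seen over plain HTTP are ignored
        (they could be injected); max-age=0 deletes a stored policy."""
        parts = urlsplit(url)
        policy = parse_hsts(header) if parts.scheme == "https" else None
        if policy is None:
            return
        if policy["max_age"] == 0:
            self.policies.pop(parts.hostname, None)
        else:
            self.policies[parts.hostname] = (
                self.clock() + policy["max_age"], policy["include_subdomains"])

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has a
        live policy; expired entries are purged on the way."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.policies.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= self.clock():
                del self.policies[candidate]
            elif i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// before any packet leaves the browser;
        an explicit port other than 80 is kept, port 80 becomes 443."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def preload_problems(host, header, http_redirect=None, listens_on_80=True):
    """Return the preload requirements a site fails (empty list = eligible).

    header is the HSTS value served on https://host/, http_redirect the
    Location the port-80 listener answers with (None = no redirect). The
    real form additionally probes the certificate and every subdomain."""
    policy = parse_hsts(header)
    if policy is None:
        return ["no valid max-age in the HSTS header"]
    problems = []
    if policy["max_age"] < ONE_YEAR:
        problems.append(f"max-age {policy['max_age']} is below one year")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not policy["preload"]:
        problems.append("preload missing")
    if listens_on_80:
        target = urlsplit(http_redirect or "")
        if target.scheme != "https" or target.hostname != host:
            problems.append("HTTP does not redirect to HTTPS on the same host")
    return problems
```

Feeding the store a header over http:// leaves it empty, which is the point of the rule in RFC 6797: an attacker who can inject headers into plaintext traffic must not be able to set (or, via max-age=0, clear) a policy. The checker deliberately reports every failing requirement at once rather than the first one, which is what you want when tuning a header before submitting it.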
Because of the security gain, almost all large platforms and corporations, including Google, Facebook, PayPal and Twitter, as well as internationally operating banks and financial service providers, use HSTS. Two points deserve attention before submitting a domain to the preload list: the entry covers the whole domain including every subdomain, so an internal host that only speaks HTTP becomes unreachable, and removal from the list takes months because it depends on browser release cycles.
What types of attacks does HSTS prevent?
The IETF developed HSTS as a direct response to the SSL stripping attack demonstrated in 2009. In this Man-in-the-Middle attack a third party inserts itself between client and server as a relay that is invisible to the naked eye. Towards the web server it speaks ordinary HTTPS; towards the victim it serves a plaintext HTTP copy of the site, swallows the server's redirect to HTTPS and rewrites every https:// link in the pages to http://, so the browser never starts a TLS handshake and never shows a warning. The criminal can then read and modify all traffic, including logins, without either side noticing short of a detailed inspection of the packets.
Through its strict rules HSTS also blocks further scenarios, some long known and some newer. One is an externally forced fallback from HTTPS to plain HTTP: browsers and web servers still accept unencrypted requests for compatibility with older systems, and without HSTS a redirect to HTTPS can simply be removed on the way. Note that HSTS does not protect against weaknesses inside TLS itself, such as a downgrade to an old protocol version; that is handled by the TLS downgrade protections, not by this header. A second variant is session hijacking, where a third party takes over a client's identity by replaying identifying data such as a session cookie, which the web server accepts as legitimate because authentication has already taken place. With HSTS the cookie is never transmitted over plain HTTP, so it cannot be sniffed off the wire; the Secure flag on the cookie remains the second line of defence.
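The stripping attack described above, played through as an added example (not code from the article): a constructed origin bank.example that redirects HTTP to HTTPS and sends an HSTS header, an attacker on the path that follows that redirect itself, drops the header and rewrites the links, and three victims, one who has never seen the site over HTTPS, one who has, and one whose browser was preloaded. Nothing here touches the network; host, pages and attacker are all constructed.

```python
"""Simulation of the SSL stripping attack that HSTS was designed to stop.
Added example, not code from the article; the host bank.example, the
pages and the attacker are all constructed, nothing touches the network."""
import re

# Constructed origin: what bank.example serves over HTTPS.
PAGES = {
    "https://bank.example/": '<a href="https://bank.example/login">Log in</a>',
    "https://bank.example/login": '<form action="https://bank.example/session">',
    "https://bank.example/session": "",
}
HSTS = {"Strict-Transport-Security": "max-age=31536000"}


def origin_fetch(url):
    """The real server: plain HTTP gets a redirect, HTTPS gets the page
    plus the HSTS header. Returns (status, headers, body)."""
    if url.startswith("http://"):
        return 301, {"Location": "https://" + url[len("http://"):]}, ""
    return 200, dict(HSTS), PAGES[url]


def stripping_proxy(url):
    """Man-in-the-middle on the victim's network path (sslstrip-style).

    It talks HTTPS to the origin itself, silently follows the redirect the
    server meant for the victim, drops the HSTS header and rewrites every
    https:// link so the victim keeps sending plaintext."""
    status, headers, body = origin_fetch(url)
    if status == 301:
        status, headers, body = origin_fetch(headers["Location"])
    headers = {k: v for k, v in headers.items() if k != "Strict-Transport-Security"}
    return status, headers, body.replace("https://", "http://")


class Victim:
    """A browser with a (possibly empty) set of hosts under an HSTS policy."""

    def __init__(self, hsts_hosts=()):
        self.hsts_hosts = set(hsts_hosts)
        self.plaintext_requests = []  # URLs that left the machine unencrypted

    def get(self, url):
        host = re.match(r"https?://([^/]+)", url).group(1)
        if url.startswith("http://") and host in self.hsts_hosts:
            url = "https://" + url[len("http://"):]  # upgraded before sending
        if url.startswith("http://"):
            self.plaintext_requests.append(url)
            return stripping_proxy(url)  # the attacker sees this request
        # HTTPS: the attacker cannot impersonate the origin without a
        # certificate the browser trusts, so the real server answers.
        status, headers, body = origin_fetch(url)
        if "Strict-Transport-Security" in headers:
            self.hsts_hosts.add(host)
        return status, headers, body


def browse(victim, typed_host):
    """Type a bare host name (browsers default to http://), follow the first
    link or form target on each page, return what went out in cleartext."""
    url = f"http://{typed_host}/"
    while True:
        _, _, body = victim.get(url)
        link = re.search(r'(?:href|action)="([^"]+)"', body)
        if link is None:
            return victim.plaintext_requests
        url = link.group(1)
```

The fresh victim ends the session with three plaintext requests, the last one carrying the login form submission, and has learned nothing, because the attacker removed the only HSTS header it would ever have seen. That is the first-visit gap that the preload list exists to close; the returning and the preloaded victim never send a single plaintext packet.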
What are the advantages and disadvantages of HSTS?
Essentially, HSTS builds on the protection HTTPS already provides and makes its use mandatory for the client. It prevents security from being weakened later by falling back to unencrypted HTTP or by clicking through a certificate warning. This yields several advantages:
- The protections of the current HTTPS standard are applied on every request, not only when the user types https:// explicitly
- No possibility of "accidentally" using an unencrypted connection, for instance via an old http:// bookmark or link
- Interception of the first plaintext request before the HTTPS redirect is no longer possible for returning (or preloaded) visitors
- Low additional overhead and no measurable impact on performance; the redirect round trip even disappears
- The policy persists for a long period, typically one year or more, and is renewed on every visit
- No connection is allowed over unencrypted HTTP for the host
- No functional restrictions with different CMS such as WordPress or Joomla
The disadvantages, in contrast, are relatively minor. After the initial setup and registration in the Chromium preload list, HSTS has no negative effect on everyday use and does not increase resource consumption. Two operational risks remain, however: a policy with includeSubDomains makes every subdomain that still speaks only HTTP unreachable, and since browsers keep the policy for the full max-age, a misconfiguration stays in effect on visitors' machines until it expires or a max-age=0 header served over HTTPS replaces it. Very old devices, operating systems or client software may also not meet the TLS requirements. Alternatives such as server-side redirects from HTTP to HTTPS enforce encryption for every visitor too, but they act only after a plaintext request has already been sent and can be removed by a Man-in-the-Middle, which is precisely the gap HSTS closes.
How to enable HSTS on a web host?
To implement HSTS on shared web hosting or any server, it is technically sufficient to send the corresponding response header. For the Apache 2 web server the headers module must be enabled, which on a virtual or dedicated server can be done via SSH with the commands
sudo a2enmod headers
for activation and
sudo service apache2 restart
for a restart (on Debian and Ubuntu the service is called apache2; systemctl restart apache2 does the same on systemd-based systems). Finally, the operator enables HSTS by adding the line
Header always set Strict-Transport-Security "max-age=4838400; includeSubDomains"
to the global httpd.conf (apache2.conf on Debian-based systems), or better to the section of the HTTPS Virtual Host on port 443, which is the only place where browsers accept the header anyway; on a web hosting service that only exposes the Virtual Host configuration this is the natural place. Note that 4838400 seconds is only 56 days; for the preload list the value must be at least 31536000 and the directive preload must be added. The keyword always makes Apache send the header on redirects and error pages as well, not only on successful responses. Another option, suitable for users without SSH access, is a .htaccess file with the same entry, although Apache then re-reads that file on every request, which costs a little performance.
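A complete Apache 2.4 site definition that follows the steps above, as an added example (not configuration from the article): the port-80 host does nothing but redirect to the same host name over HTTPS, the header is set only on the TLS host, and the value meets the preload requirements. The ServerName, the certificate paths and the use of mod_rewrite (enabled with sudo a2enmod rewrite) are assumptions.

```apache
# Added example, not from the article. Assumes mod_ssl, mod_headers and
# mod_rewrite are enabled and that the certificate lives under the
# Let's Encrypt default path; adjust names and paths to your site.
<VirtualHost *:80>
    ServerName example.org
    ServerAlias www.example.org
    # Redirect to the host the visitor actually asked for (preload
    # submission requires http://www. to land on https://www., not on the
    # bare domain). No HSTS header here: browsers ignore it over HTTP.
    RewriteEngine On
    RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.org
    ServerAlias www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.org/privkey.pem
    # One year, all subdomains, preload consent. "always" also sets the
    # header on 3xx/4xx/5xx responses. Start without includeSubDomains and
    # with a short max-age if you are not yet sure every subdomain speaks TLS.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
```

After a restart, check both hosts: a request to http://example.org/ must answer with a 301 to https://example.org/ and no Strict-Transport-Security header, and a request to https://example.org/ must carry the header exactly as configured.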
For the equally popular NGINX web server the procedure is similar; the line
add_header Strict-Transport-Security "max-age=4838400; includeSubDomains" always;
goes either into the global configuration or into the server block for port 443. The trailing parameter always (available since NGINX 1.7.5) is needed because add_header otherwise only applies to successful and redirect responses, so error pages would go out without the header. Also remember that add_header directives in a nested block replace, rather than extend, those inherited from the level above, so a location block with its own add_header must repeat the HSTS line.
The Microsoft IIS web server, like some Plesk hosting panels or administration tools, allows HSTS to be activated directly in the graphical interface. With other tools such as Webmin or DirectAdmin, users need to insert the line with the built-in configuration file editor and apply the change with the corresponding button. Alternatives include plugins for CMS such as WordPress, TYPO3 or Joomla, which add the header to every response. Whichever route is taken, verify afterwards with the browser's developer tools or with curl -I that the header is really present on HTTPS responses and absent from HTTP ones.
Photo: skylarvision on Pixabay