Https-hsts protocol (forcing clients to create connections with the server using HTTPS)

HSTS (HTTP Strict Transport Security) Internet Engineering Organization Iete is implementing a new Web security protocol

The role of HSTs is to force clients, such as browsers, to create connections with the server using HTTPS. In fact HSTs's biggest role is to prevent 302 HTTP hijacking (middleman). The disadvantage of HSTs is that the browser support rate is not high, and HTTPS is difficult to downgrade to HTTP in real time after configuring HSTs.

Websites that use the HSTs protocol will ensure that the browser always connects to the HTTPS encrypted version of the site, without requiring the user to manually enter the encrypted address in the URL address bar. This protocol will help the site to use global encryption, the user sees is the security version of the site.

The role of HSTs is to force clients, such as browsers, to create connections with the server using HTTPS. The server turns on HSTs by including the Strict-transport-security field in the Hypertext Transfer Protocol response header returned by the server when the client makes a request over HTTPS. The HSTs field set for non-encrypted transmissions is not valid.

For example, Https://xxx's response head contains strict-transport-security:max-age=31536000; Includesubdomains. This means two points:

In the next year (that is, 31.536 million seconds), the browser must use HTTPS to initiate the connection as long as it sends an HTTP request to XXX or its sub-domain. For example, if a user clicks a hyperlink or enters http://xxx/in the address bar, the browser should automatically convert HTTP to HTTPS, and then send the request directly to https://xxx/.

In the following year, if the TLS certificate sent by the XXX server is invalid, the user cannot ignore the browser warning to continue to visit the site.

Role

HSTs can be used to protect against SSL stripping attacks. The SSL Peel attack is a kind of man-in-the-middle attack, invented by Moxie Marlinspike in 2009. He made this attack public in a speech at the Black Hat conference, titled "New Tricks for defeating SSL in practice". SSL stripping is implemented by preventing the browser from creating an HTTPS connection with the server. It is based on the premise that users rarely enter the https://directly in the address bar, users always click on the link or 3xx redirect, from the HTTP page to enter the HTTPS page. Therefore, an attacker can replace all https://at the beginning of http://For the purpose of blocking HTTPS when the user accesses the page.

The hsts can largely resolve the SSL Peel attack because the browser enforces https after the browser has created a secure connection with the server, even if the link is replaced with HTTP.

In addition, if the middleman uses their own self-signed certificate to attack, the browser will give a warning, but many users will ignore the warning. HSTs solves this problem, and once the server sends the HSTs field, the user will no longer be allowed to ignore the warning.

Insufficient

The first time a user visits a website is not protected by hsts. This is because the browser has not received hsts on the first visit, so it is still possible to access it through clear text http. Solve this problem there are two options, one is the browser preset hsts domain Name list, Google Chrome, Firefox, Internet Explorer and Spartan implementation of this scenario. The second is to add hsts information to the domain Name System record. However, this requires the security of DNS, which requires the deployment of domain Name System security extensions. As of 2014, the programme had not been deployed on a large scale.

Because HSTs will expire after a certain amount of time (the validity period is specified by Max-age), whether the browser enforces the HSTs policy depends on the current system time. Some operating systems often update the system time through a network time protocol, such as when Ubuntu connects to the network every 9 minutes, OS X automatically connects to the time server. An attacker could bypass hsts by falsifying NTP information and setting the wrong time. The workaround is to authenticate NTP information, or disable NTP from significantly increasing or decreasing the time. For example, Windows 8 updates the time every 7 days and requires that each NTP set time and current time not exceed 15 hours.

Https-hsts protocol (forcing clients to create connections with the server using HTTPS)