What is an HSTS certificate? How does it block SSL removal attacks?

Using only HTTPS is not enough for your website. Here’s how you can improve your website’s security.

In this article, you’ll learn what an HSTS certificate is, how to implement HSTS, and a step-by-step guide on how HSTS stops SSL removal attacks.

Gone are the days when a single https:// connection was enough to secure your website and give confidence to your customers. Today, attackers have found weaknesses around SSL connections, such as the infamous 301 redirect from HTTP to HTTPS, which lets them strip away the security of an SSL connection before it is ever established.

It may make you feel uneasy the next time you do your online banking, but luckily there is a solution. HSTS connections are even more secure than basic HTTPS connections for several reasons. Before we dive deeper into this topic, let’s go over the basics of how standard HTTPS has kept you safe.

Encryption: A Brief Overview

When you want to keep your information private on the Internet, protecting it with a secret key greatly improves your chances of preventing third parties from reading it. This is done with encryption, which scrambles your message so completely that neither humans nor machines can understand it without the key.

When your message reaches its destination, the recipient uses a key to unscramble it in a process known as decryption. Currently, encryption is done in two ways: symmetric and asymmetric.

| Symmetric encryption | Asymmetric encryption |
| --- | --- |
| Uses a single key for both encryption and decryption. This key has to be shared over an unsecured network. | Uses separate key pairs, an encryption key (public key) and a decryption key (private key), for each party. Private keys are never shared. |
| Faster, but less secure. | Extremely secure, but quite slow. |

As you can see, symmetric encryption has an obvious weakness: an attacker who can intercept the shared key before the connection is encrypted can read everything. Although less obvious, asymmetric encryption can also be vulnerable to interception. The attacker cannot access the private key, but in this case he can access the public key.

Using the public key, the attacker could encrypt malicious code and send it to the client, making it look as if it came from the server. This could be anything from spyware to ransomware. Fortunately, there is a way to determine the authenticity of every communication made over a secure network.

Secure Socket Layer (SSL) and certificates

The SSL protocol lets the client and server verify the security of their connection before any communication begins. This is done in a process known as the SSL handshake. The handshake also uses certificates that prove the authenticity of each communication from the server.

These certificates are encrypted using a secret key and can only be decrypted using the matching key pair, which is shared during the handshake. If the client fails to decrypt the certificate, that proves the message is not authentic and comes from an attacker.

While the inner workings of certificates and encryption algorithms are certainly more complex than that, for now you can keep in mind that the two work together to secure a connection. If the site uses SSL or its successor TLS (Transport Layer Security), its URL will start with https:// once the handshake is established.

The vulnerability

The vulnerability in this system is not very complicated. To put it simply, websites need time to establish an SSL handshake, and during that brief window they talk to their customers over a plain http:// link. This leaves the connection open to attack. Exploits for this vulnerability include serving phishing login pages to the client via a redirect, or even dropping the SSL connection altogether while leaving the connection unsecured and unencrypted.

What is an HSTS certificate and how HSTS fixes it

HSTS stands for HTTP Strict Transport Security, and it is not a new technology. In fact, it was invented in 2012, but it has taken all that time to be fully implemented. It is a policy that stops websites from accepting HTTP connections, so that clients connect directly over HTTPS.

In general, browsers first try to connect to websites using HTTP; this is changing thanks to HSTS, which instructs browsers to strictly enforce HTTPS-only connections for that site. While this still leaves you vulnerable the very first time you visit the website, before the browser has seen the policy, the HSTS header itself is delivered over HTTPS to ensure maximum security.

How to implement HSTS?

Implementing HSTS requires an SSL certificate. If your website has multiple subdomains you will need a Wildcard certificate; in other cases just about any SSL certificate will work.

Once you have the certificate, you can enable HSTS with the following configuration:

1. For Apache web server

# Use HTTP Strict Transport Security to force the client to use only secure connections.
# "always" makes Apache add the header on every response, including error responses.
Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"

2. For lighttpd

# Load mod_setenv, then add the header only on responses served over HTTPS.
server.modules += ( "mod_setenv" )
$HTTP["scheme"] == "https" {
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=300; includeSubDomains; preload" )
}

3. For NGINX

# "always" makes NGINX add the header on every response code, not just 2xx and 3xx.
add_header Strict-Transport-Security "max-age=300; includeSubDomains; preload" always;

4. For IIS servers

// Global.asax (C#): send the HSTS header on HTTPS responses and
// permanently redirect any plain HTTP request to its HTTPS equivalent.
protected void Application_BeginRequest(Object sender, EventArgs e)
{
    switch (Request.Url.Scheme)
    {
        case "https":
            Response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
            break;
        case "http":
            var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery;
            Response.Status = "301 Moved Permanently";
            Response.AddHeader("Location", path);
            break;
    }
}
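The following Python model, added here as an illustration and not part of the original post or of any web server's code, shows both halves of what the sections above describe: how a browser records the Strict-Transport-Security header and then refuses to fetch http:// URLs for that host (including subdomains when includeSubDomains is set), and a small checker you can run over the header value from your own configuration before enabling preload. Two details worth knowing when copying the snippets above: a browser ignores the header when it arrives over plain HTTP, which is exactly what stops an attacker on the HTTP leg from setting or clearing it, and the public preload list requires max-age of at least 31536000 (one year) together with includeSubDomains, so a max-age=300 header with preload is accepted by browsers but will not be accepted for preloading. The host names, header values and clock are constructed for the example.

```python
"""Toy model of a browser's HSTS policy store (RFC 6797), added as an example."""
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum the preload list accepts


@dataclass
class HstsPolicy:
    expires_at: float
    include_subdomains: bool
    preload: bool


def parse_sts_header(value: str) -> Optional[dict]:
    """Split a Strict-Transport-Security value into directives (names lower-cased).

    Returns None when there is no usable max-age, mirroring a browser that
    ignores a malformed header. 'includeSubDomains' must be a single token, so
    the common misspelling 'include subdomains' (with a space) is not recognised.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    return directives


def lint_sts_header(value: str) -> list:
    """Report problems a deployer would want to see before enabling preload."""
    problems = []
    d = parse_sts_header(value)
    if d is None:
        return ["missing or non-numeric max-age; browsers will ignore the header"]
    for name in d:
        if name not in {"max-age", "includesubdomains", "preload"}:
            problems.append(f"unknown directive {name!r} is ignored by browsers")
    if "preload" in d:
        if int(d["max-age"]) < PRELOAD_MIN_MAX_AGE:
            problems.append(f"preload requires max-age >= {PRELOAD_MIN_MAX_AGE}, got {d['max-age']}")
        if "includesubdomains" not in d:
            problems.append("preload requires includeSubDomains")
    return problems


class HstsStore:
    """Per-host policy cache deciding whether an http:// URL must be upgraded."""

    def __init__(self, now=time.time):
        self.now = now  # injectable clock so expiry can be tested deterministically
        self.policies = {}

    def process_response(self, url: str, headers: dict) -> bool:
        """Record the policy carried by a response; True if one was stored."""
        parts = urlsplit(url)
        if parts.scheme != "https":  # RFC 6797 8.1: only honoured over a secure transport
            return False
        sts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
        if sts is None or (d := parse_sts_header(sts)) is None:
            return False
        host = parts.hostname.lower()
        max_age = int(d["max-age"])
        if max_age == 0:  # max-age=0 tells the browser to forget the host's policy
            self.policies.pop(host, None)
            return False
        self.policies[host] = HstsPolicy(self.now() + max_age, "includesubdomains" in d, "preload" in d)
        return True

    def policy_for(self, host: str) -> Optional[HstsPolicy]:
        """Exact host first, then parent domains whose policy covers subdomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            p = self.policies.get(candidate)
            if p is None:
                continue
            if p.expires_at <= self.now():  # expired policies are dropped lazily
                del self.policies[candidate]
                continue
            if i == 0 or p.include_subdomains:
                return p
        return None

    def resolve(self, url: str) -> str:
        """Return the URL the browser would actually fetch."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.policy_for(parts.hostname) is not None:
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore()
    # Constructed responses: the first arrives over HTTP and must be ignored.
    store.process_response("http://example.com/", {"Strict-Transport-Security": "max-age=300"})
    store.process_response("https://example.com/", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"})
    print(store.resolve("http://www.example.com/login"))  # upgraded to https://
    print(lint_sts_header("max-age=300; include subdomains; preload"))
```

Run it over the header value you actually configured: an empty list from lint_sts_header means browsers will honour every directive and the value meets the preload requirements; anything else names the directive that will be silently ignored.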

Final thoughts on what HSTS is

Although it has been in use for over a decade, HSTS has become a necessity for making the World Wide Web more secure. Implement it on your website today for maximum security for your users.


This is a syndicated blog post from the Security Bloggers Network, written by CheapSSLWeb.com Resources. Read the original post at: https://cheapsslweb.com/resources/what-is-hsts-certificate/
