HSTS Technology Helps Websites Enforce HTTPS Protocol Onto Browsers

October 9, 2017 | By Comodo SSL

Although websites may install an SSL certificate and thereby use the HTTPS protocol to communicate securely with users, it is usually left to the web browser to decide whether it should use an HTTPS or an HTTP connection. More often than not, the browser uses HTTP first and then switches to HTTPS, even for websites that support the secure protocol. The dangerous gap before the switch is made therefore leaves the connection exposed to hackers.

HSTS, which stands for HTTP Strict Transport Security, can help eliminate this dangerous gap. HSTS is not a replacement for HTTPS; rather, it is a mechanism that lets HTTPS-enabled websites strictly impose the use of HTTPS connections on the web clients (browsers) that attempt to access them.

This relatively new technology has been in the news for a while, and now that Google has announced its decision to make the 45 TLDs under its control HSTS-enabled, it is worth noting what it is and what it does.

What is HTTP Strict Transport Security (HSTS)?

HTTP Strict Transport Security (HSTS) is a web security policy that protects websites against protocol downgrade attacks and cookie hijacking. Simply put, once implemented, it lets the web server on which a website is hosted declare that browsers “should interact with it only using the secure HTTPS connection” and not via the insecure HTTP protocol.

How Do Browsers Recognize HSTS-Enabled Websites?

There is an HSTS preload list, which is simply a list of HSTS-enabled websites, that ships built into the browser. Equipped with this preload list, a browser accessing a website checks whether that website appears on the list, and if it does, the browser automatically uses the secure HTTPS connection.

The crucial element, therefore, is this: even though your website may be implementing HSTS, the relevant information must have been submitted to the HSTS preload list, and the browser must carry that updated list, for it to recognize that it is dealing with an HSTS-enabled website. This takes us to the next part: the only issue with HSTS technology.

The Only Issue With HSTS Technology

The only issue with HSTS technology is that, since the Strict-Transport-Security policy is communicated to the browser in the form of a response header, there is still a small window of opportunity for hackers during the “very first connection” between the browser and the web server, before that header has been seen. Of course, the chances of this happening are very slim. But nothing is impossible for hackers equipped with the right tools to strip away your SSL encryption and do whatever they wish.
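The three preceding sections describe one mechanism from three angles: the Strict-Transport-Security response header, the preload list that lets a browser know a site before ever talking to it, and the first-connection gap that exists for sites that are not preloaded. The following is an added example, not code from Comodo or from any browser: it parses the header as RFC 6797 specifies, checks it against the submission requirements published by hstspreload.org (the one-year minimum max-age, includeSubDomains and preload are assumed from that site's current rules), and models a browser's known-HSTS-host store so the gap and its closure can be seen directly. The hostnames, header values and the single-host preload list are constructed for the demonstration.

```python
"""Toy model of HSTS: parse the header, check preload eligibility, and simulate a
browser's known-HSTS-host store. Constructed example, not a real user agent."""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Assumption: minimum max-age currently required by hstspreload.org (one year, in seconds).
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_sts_header(value):
    """Parse a Strict-Transport-Security header value per RFC 6797.
    Returns an HstsPolicy, or None when the header is invalid
    (no numeric max-age, or a directive repeated)."""
    seen = {}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None  # RFC 6797 s6.1: a directive must not appear more than once
        seen[name] = raw.strip().strip('"')
    if not seen.get("max-age", "").isdigit():
        return None
    return HstsPolicy(int(seen["max-age"]), "includesubdomains" in seen, "preload" in seen)


def preload_problems(policy):
    """Reasons a header would be rejected when the site is submitted to the preload list."""
    if policy is None:
        return ["missing or malformed Strict-Transport-Security header"]
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


class Browser:
    """Minimal model of a user agent's HSTS behaviour."""

    def __init__(self, preload_list=()):
        # host -> includeSubDomains flag; preloaded entries always cover subdomains
        self.known_hosts = {host.lower(): True for host in preload_list}

    def is_known(self, host):
        """Exact match, or a parent domain whose entry has includeSubDomains set."""
        if not host:
            return False
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.known_hosts and (i == 0 or self.known_hosts[candidate]):
                return True
        return False

    def resolve(self, url):
        """URL the browser will actually request: http:// is rewritten to https://
        only for hosts already in the store. An unknown host is fetched as typed,
        which is the first-connection gap the article describes."""
        p = urlsplit(url)
        if p.scheme == "http" and self.is_known(p.hostname):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url

    def observe_response(self, host, headers, over_https):
        """Learn (or forget) a host from a response. RFC 6797 s8.1: the header is
        ignored on plain-HTTP responses, so it cannot be planted over HTTP."""
        if not over_https:
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        policy = parse_sts_header(value) if value is not None else None
        if policy is None:
            return
        if policy.max_age == 0:
            self.known_hosts.pop(host.lower(), None)  # max-age=0 removes the host
        else:
            self.known_hosts[host.lower()] = policy.include_subdomains


def first_connection_demo():
    """Walk through the article's scenario with constructed hosts and headers."""
    browser = Browser(preload_list=["example.net"])  # constructed preload entry
    url = "http://www.example.com/login"
    before = browser.resolve(url)  # host unknown: the plain-HTTP request goes out
    browser.observe_response(
        "www.example.com",
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
        over_https=True)
    after = browser.resolve(url)  # now rewritten to https before any bytes leave
    preloaded = browser.resolve("http://shop.example.net/")  # preloaded: never a gap
    return {"before": before, "after": after, "preloaded": preloaded}


if __name__ == "__main__":
    print(first_connection_demo())
    print(preload_problems(parse_sts_header("max-age=300")))
```

Run it and the first resolve for www.example.com stays on http, the second is rewritten to https, and the preloaded host is rewritten on its very first request; `preload_problems` lists what a short, subdomain-less header lacks before a preload submission would be accepted.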

Final Thoughts:

Now the all-important question is: should you implement HSTS or not? The answer is a resounding ‘yes’. Because, as we all know, even after equipping themselves with an SSL certificate, websites are still being exploited successfully, and 301 redirects only make matters worse. Therefore, equip your already SSL-encrypted website with HSTS and ensure all your web clients connect to you “only using the secure HTTPS connection”, leaving no gap for any form of hacking.
