Page 86 - Cyber Warnings
Why Don’t More Sites Use HSTS To Protect Their Users?
HSTS is a security mechanism that helps prevent a potential circumvention of SSL encryption,
ensuring that sensitive data isn’t exposed.
SSL has generated an unusual amount of attention recently, and mainly for reasons detrimental
to the trust that users need to have before sending private data like credit card numbers over
the Internet. Heartbleed aside, SSL is a relatively secure protocol for encrypting sensitive data:
it's mathematically sound and, aside from implementation errors, makes it practically impossible
for malicious third parties to intercept data moving between a browser and server.
SSL is great as far as it goes, but it isn’t yet integrated well enough into client applications like
browsers to be entirely relied upon.
Consider this scenario. You’re sitting in your favorite coffee shop, browsing pictures of pastries
on Pinterest, and you decide to take a look at your bank balance before investing in a chocolate
muffin.
You connect to your bank's website and note that an SSL session has been initiated. You then
log in, check your balance, and, satisfied with your financial health, head off to buy your muffin.
When you noticed that your browser had initiated a secure SSL encrypted connection, there
would ideally only be one possible explanation: your browser had initiated a secure SSL
connection.
But, unfortunately, there is another explanation: someone intercepted your WiFi connection and
interposed themselves between you and your bank.
They received everything your bank sent to you, changed it in any way they pleased, including
altering the code so that the favicon looked like a padlock, and they now know exactly how
desperate you were for a chocolate muffin.
But, I hear you thinking, if the connection wasn’t secure my browser would have told me — it’s
always popping up warnings about this or that site being insecure. Well, yes and no. If your
browser finds something wrong with a secure connection, it will tell you.
But it won’t tell you if a connection you believe to be secure isn’t, because it doesn’t know that it
was supposed to be secure in the first place.
That’s the problem HSTS is supposed to combat. The HTTP Strict Transport Security
mechanism allows a web server to declare that it will only interact using an SSL / TLS
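The following example, which is added here and is not code from the article, shows the two halves of the mechanism just described: the Strict-Transport-Security header a server sends once a connection is already over HTTPS, and the small per-host policy table a browser keeps so that it knows, the next time it is in the coffee shop, that bank.example was supposed to be secure and rewrites a plain http:// request to https:// before any bytes leave the machine. All host names, header values and timestamps are constructed; the parsing rules follow RFC 6797 (max-age is mandatory, a header seen on plain HTTP is ignored, max-age=0 forgets the host).

```python
"""Added example (not from the article): a minimal browser-side HSTS policy store
fed by the server's Strict-Transport-Security header. Hosts and times are constructed."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float        # absolute time (seconds) after which the rule lapses
    include_subdomains: bool


def build_hsts_header(max_age: int = 31536000, include_subdomains: bool = True) -> str:
    """The header value a server emits on every HTTPS response to opt in (one year here)."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def parse_hsts_header(value: str, now: float) -> Optional[HstsPolicy]:
    """Parse RFC 6797 directives; return None when the header is invalid and must be ignored."""
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None  # duplicated or malformed max-age invalidates the whole header
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None  # max-age is mandatory
    return HstsPolicy(expires_at=now + max_age, include_subdomains=include_subdomains)


class HstsCache:
    """The 'known HSTS hosts' table a user agent keeps across visits."""

    def __init__(self) -> None:
        self._policies: dict[str, HstsPolicy] = {}

    def observe_response(self, url: str, headers: dict, now: float) -> None:
        """Record a policy only when the response arrived over HTTPS; a header seen on
        plain HTTP could have been inserted by whoever sits between you and the bank."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return
        policy = parse_hsts_header(value, now)
        if policy is None:
            return
        host = parts.hostname.lower()
        if policy.expires_at <= now:      # max-age=0 tells the browser to forget the host
            self._policies.pop(host, None)
        else:
            self._policies[host] = policy

    def is_known_host(self, host: str, now: float) -> bool:
        """Exact match, or a parent domain whose policy carries includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue  # unknown or expired
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite_url(self, url: str, now: float) -> str:
        """Upgrade http:// to https:// for known hosts (RFC 6797 section 8.3); port 80 becomes the default 443."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_host(parts.hostname or "", now):
            return url
        port = parts.port
        netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed walk-through of the coffee-shop scenario: the first visit (at home, over
    # HTTPS) records the policy; the later plain-HTTP request is upgraded before it is sent.
    cache = HstsCache()
    cache.observe_response("https://bank.example/login",
                           {"Strict-Transport-Security": build_hsts_header(3600)}, now=1000.0)
    print(cache.rewrite_url("http://bank.example/balance", now=1500.0))
```

The decision that matters for the scenario in the article is in `rewrite_url`: once the host is in the table, the browser never issues the plain-HTTP request that an interceptor could answer in the clear, so there is no connection for it to quietly downgrade. The trade-off is that the table is empty on the very first visit, which is why the policy has to be learned over a genuine HTTPS response and why the header on an http:// response is deliberately discarded.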
86 Cyber Warnings E-Magazine – August 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide