Page 87 - Cyber Warnings
connection.
The server sends a Strict-Transport-Security response header whose max-age directive tells the
browser for how long (in seconds) it must reach that host only over a secure connection.
In our coffee shop scenario, the hacker intercepted the bank’s web page data and made it
appear to be secure to a casual human observer.
The browser didn’t care that there was no SSL connection in reality, because it had no reason to
expect one. HSTS allows a site to say upfront: “I should be encrypted,” so that once the browser
has seen the policy it refuses to send plain HTTP to that host and rewrites any http:// request for
it to https:// before the request leaves the machine.
Of course, there is a weakness in this system too. The browser only learns the policy from a
genuine HTTPS response, so if the attacker is already on the path during the very first visit, he
can keep the connection on plain HTTP and the browser never sees the header that would have
told it to accept only SSL connections. Firefox and Google Chrome mitigate this risk somewhat by
shipping pre-loaded lists of HSTS sites, but that’s not scalable.
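The following Python model of the browser side of HSTS is an added example, not code from the article or from any browser. It parses the Strict-Transport-Security header, keeps the per-host policy store a browser keeps between visits, and replays the coffee shop scenario: a first visit through an SSL-stripping attacker who drops the header (so no policy is learned and the next http:// request still goes out in the clear), then a clean HTTPS visit that pins the policy, after which plain-HTTP requests to the host and its subdomains are upgraded until max-age runs out. The host names, timestamps and header values are constructed for the example.

```python
"""Toy model of a browser's HSTS handling (RFC 6797).

Added illustration for the article; not browser code. The hosts, clock
values and header samples below are constructed for the example.
"""
import re
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is unusable (missing, duplicated or
    non-numeric max-age), which a browser treats as "no policy".
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", val):
                return None  # duplicate or malformed max-age invalidates the header
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        # other directives (e.g. "preload") are ignored by the browser itself
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Per-host HSTS cache: host -> (expiry timestamp, include_subdomains)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.policies = {}

    def observe_response(self, url, headers):
        """Record a policy from a response. Returns True if a policy was applied.

        Only HTTPS responses count: an HSTS header seen over plain HTTP is
        ignored, so a MITM cannot plant a bogus policy, but he can strip the
        real one during an unprotected first visit.
        """
        parts = urlsplit(url)
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        if parts.scheme != "https" or value is None or not parts.hostname:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 tells the browser to forget the host
            return True
        self.policies[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        host = host.lower()
        now = self.now()
        policy = self.policies.get(host)
        if policy and policy[0] > now:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy and policy[0] > now and policy[1]:
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser would actually fetch for a navigation."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def coffee_shop_demo():
    """Replay the scenario: stripped first visit, clean second visit, then expiry."""
    clock = [1_000_000]
    store = HstsStore(now=lambda: clock[0])
    # visit 1: attacker keeps the session on HTTP and drops the header
    store.observe_response("http://bank.example/", {"Content-Type": "text/html"})
    first = store.rewrite("http://bank.example/login")        # still plain HTTP
    # visit 2: genuine HTTPS response carries the policy
    store.observe_response("https://bank.example/",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    second = store.rewrite("http://bank.example/login")       # upgraded
    sub = store.rewrite("http://www.bank.example/")           # subdomain upgraded too
    clock[0] += 31536001                                      # one second past max-age
    expired = store.rewrite("http://bank.example/login")      # policy gone, plain HTTP again
    return first, second, sub, expired


if __name__ == "__main__":
    for label, url in zip(("first", "second", "subdomain", "expired"), coffee_shop_demo()):
        print(f"{label:>9}: {url}")
```

The `first` result is the whole weakness in one line: with no stored policy the browser has nothing to enforce, which is exactly the gap the preload lists close for the sites on them.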
Nevertheless, HSTS improves security on the web and helps avoid SSL-stripping attacks like
the one described above.
Because it’s easy to implement in popular web servers, and is supported by most browsers, the
question arises: why do so few websites use HSTS?
About the Author
Matthew Davis -- Matthew works as an inbound marketer and blogger for Future Hosting, a
leading provider of VPS hosting.
Follow Future Hosting on Twitter at @fhsales, Like them on Facebook and check out their
tech/hosting blog, https://www.futurehosting.com/blog/.
87 Cyber Warnings E-Magazine – August 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide