What Exactly Is HSTS?
You have probably heard of HTTP and HTTPS, but perhaps not HSTS (HTTP Strict Transport Security, defined in RFC 6797).
If a site uses plain HTTP, its data is transmitted unencrypted and unauthenticated. Anyone on the network path between you and the server, such as the operator of a Wi-Fi access point, a router or an ISP, can read the data and modify it in transit, which is what makes a man-in-the-middle attack possible. With HTTPS the connection is wrapped in TLS: the data is encrypted between the browser and the server, the server proves its identity with a certificate, and anyone watching the traffic sees only ciphertext.
HSTS is a response header (Strict-Transport-Security) that a site sends over HTTPS to tell the browser that, for a stated period, it must only ever connect to that domain over HTTPS. Once the browser has stored the policy it will not send a single plaintext HTTP request to that domain, which closes the window an attacker needs to read or modify the data on its way across the web.
How Does HSTS Work?
When a browser receives the Strict-Transport-Security header over a valid HTTPS connection, it records the domain together with the max-age the header specifies. For as long as that policy is live, any http:// URL for the domain, whether typed, bookmarked or followed from a link, is rewritten to https:// inside the browser before the request is sent, and certificate errors for that domain can no longer be clicked through. The optional includeSubDomains directive extends the policy to every subdomain. The header is ignored if it arrives over plain HTTP, so an attacker on the network cannot plant or alter a policy.
Example of HSTS
Imagine logging on to your online banking over a public Wi-Fi connection where, instead of the genuine access point, you have joined one a hacker has set up with a plausible-sounding name. The hacker can intercept your request for the bank's website and answer it with a cloned version of the site served over plain HTTP (an SSL stripping attack). That HTTP connection lets the hacker read and collect all of the personal and sensitive information you type in.
If your browser has visited the real bank site over HTTPS before and stored its HSTS policy, it rewrites the request to https:// before anything is sent, so the attacker never sees a plaintext request to intercept and the man-in-the-middle attack fails. The very first visit is not protected this way; that gap is what the HSTS preload list (a list of HSTS domains built into the browsers themselves) exists to close.
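The following is an added example, not code from the original article or from any browser: a small Python model of the browser-side behaviour described above (parsing the Strict-Transport-Security header, keeping a per-host policy cache with expiry and includeSubDomains, and rewriting http:// URLs before they leave), run through the public Wi-Fi scenario. The bank domain, the header value and the "hostile network" that serves an HTTP clone are all constructed for the example.

```python
# Model of browser HSTS behaviour (RFC 6797) plus a constructed SSL-stripping
# scenario. Added example for this article, not any real browser's code.
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed header value, as a bank's HTTPS responses might send it.
BANK_HSTS_HEADER = "max-age=31536000; includeSubDomains; preload"

def parse_hsts_header(value):
    """Return (max_age, include_subdomains), or None if the header must be ignored."""
    max_age, include_subdomains, seen = None, False, set()
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:                 # RFC 6797: each directive at most once
            return None
        seen.add(name)
        if name == "max-age":
            raw = raw.strip().strip('"')
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives such as "preload" are ignored, not an error
    return None if max_age is None else (max_age, include_subdomains)

class HstsStore:
    """The per-host policy cache a browser keeps between visits."""

    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}        # host -> (expires_at, include_subdomains)

    def record(self, host, header_value, over_https):
        # Only a validated HTTPS response may set a policy; the same header
        # in a plaintext response is ignored, so an attacker cannot plant one.
        parsed = parse_hsts_header(header_value) if over_https else None
        if parsed is None:
            return False
        self._hosts[host.lower()] = (self._now() + parsed[0], parsed[1])
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._hosts.get(".".join(labels[i:]))
            if policy is None:
                continue
            if policy[0] <= self._now():         # expired: drop and keep looking
                del self._hosts[".".join(labels[i:])]
                continue
            if i == 0 or policy[1]:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL for a known host before any request leaves."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def hostile_network(request_url):
    """Constructed rogue access point: plaintext requests get the attacker's clone;
    HTTPS reaches the real bank, as the attacker has no valid cert for its name."""
    if request_url.startswith("http://"):
        return "attacker clone", {}
    return "real bank", {"Strict-Transport-Security": BANK_HSTS_HEADER}

def visit(store, url):
    """One navigation: apply the HSTS rewrite, send, remember any policy."""
    url = store.rewrite(url)
    origin, headers = hostile_network(url)
    hsts = headers.get("Strict-Transport-Security")
    if hsts is not None:
        store.record(urlsplit(url).hostname, hsts, url.startswith("https://"))
    return url, origin

def run_scenario():
    clock = [1_000_000.0]                        # fake clock so expiry is visible
    store = HstsStore(now=lambda: clock[0])
    results = {}
    # First ever visit, typed as http://, on the rogue network: the strip works.
    results["first_visit"] = visit(store, "http://bank.example/login")
    # The user later reaches the real site over HTTPS and the policy is stored.
    results["https_visit"] = visit(store, "https://bank.example/login")
    # Back on the rogue network the same URL is upgraded inside the browser.
    results["return_visit"] = visit(store, "http://bank.example/login")
    # includeSubDomains extends the policy to hosts below bank.example.
    results["subdomain"] = visit(store, "http://online.bank.example/")
    # Once max-age has elapsed the browser forgets, and the strip works again.
    clock[0] += 31536000 + 1
    results["expired"] = visit(store, "http://bank.example/login")
    return results
```

Calling run_scenario() returns the five outcomes in order: the first plaintext visit lands on the attacker's clone, every visit after the policy is stored goes to the real bank over HTTPS (including the subdomain), and once max-age has run out the browser forgets the host and the strip works again. That last step is why real sites set a long max-age and why the first visit is the weak point the preload list addresses.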
Benefits of Using HSTS
- HSTS protects you against HTTP downgrade attacks (SSL stripping): once the policy is stored, every connection to the domain is made over HTTPS, so there is no plaintext request for an attacker to hijack.
- If a page on an HSTS domain references resources over http:// (mixed content) from a host covered by the policy, the browser upgrades those requests to HTTPS rather than loading them over vulnerable HTTP.
- If the browser cannot validate the site's certificate, the connection is aborted outright; unlike an ordinary HTTPS site, the user is not offered the option to click through the warning.
Conclusion on HSTS
HSTS is a simple and highly effective way to protect yourself from man-in-the-middle attacks on the web and to keep your data and personal information safe while it is being transmitted.
By forcing the upgrade to HTTPS inside the browser, even a compromised network cannot read the data, because no plaintext request is ever sent. The protection only begins once the browser has seen the policy, so it relies on the first visit having been made over HTTPS (or on the domain being in the preload list), and it lasts only for the max-age the site sets.
Together with TLS, HSTS ensures that all of the communication is encrypted and exchanged only with the party holding the domain's certificate, not leaked to anyone else on the path.
Simple Ways to Upgrade to HTTPS
You can find options for common browsers, such as the “HTTPS Everywhere” extension, which forces your browser to load every page over HTTPS wherever the site supports it and is very useful when browsing the web. This extension was created by the Electronic Frontier Foundation and was available for Mozilla Firefox, Google Chrome and Opera. Current versions of Firefox and Chrome ship a built-in HTTPS-only mode that does the same job without an extension, and the EFF has since retired HTTPS Everywhere in favour of those built-in modes.
If you run WordPress on your website, you can use a plugin such as “Really Simple SSL” to redirect the site to HTTPS if you already have a certificate installed. Note that a browser extension only protects your own browsing; to protect your visitors, the site itself must redirect HTTP to HTTPS and send the Strict-Transport-Security header on its HTTPS responses.