~dbalan/blogng unlisted

a6ba9db82594129341fa6318d832a9b71f11c033 — Dhananjay Balan 1 year, 7 months ago bebf07c hsts
Some more editing.
1 files changed, 7 insertions(+), 5 deletions(-)

M blog/2019-04-08-notes-on-hsts.markdown
M blog/2019-04-08-notes-on-hsts.markdown => blog/2019-04-08-notes-on-hsts.markdown +7 -5
@@ 19,6 19,7 @@ strict-transport-security: Strict-Transport-Security: max-age=31557600;

To an HSTS aware client (i.e all mordern browsers) this means

> _I swear that I will serve content on secure transport for atleast next 31557600 seconds (1 year)_

client can now cache this information, and if you ever get the

@@ 40,7 41,7 @@ But max age is only one of the directive, there are more.
HSTS helps enforce HTTPS much better for a user, thus helping us avoid
non-secure transport attacks much better.

1. Passive network attackers 
### 1. Passive network attackers 

Threats from people sniffing your network passivly, like someone else
on a public coffee shop wifi you are currently using. The best attack

@@ 52,7 53,7 @@ session tokens in a clear transport. HSTS helps browsers to force the
transport to be secure and fail if someone is trying to downgrade the
connection to mount a firesheep style attach.

2. Active network attackers
### 2. Active network attackers

Threats from people inside the network, someone who has access to how
you get on the internet (someone who got access to your ISP or the

@@ 62,7 63,7 @@ client into beliving a secure transport does not exist for a particular
domain, thus forcing it to send sensitve data over cleartext. HSTS
will be able to detect this and prevent connecting to the site.

3.  Deployment and management errors
### 3.  Deployment and management errors

Deploying https is getting easier everyday, but still quite tricky to
get right if you are deploying a complex system. HSTS helps prevent

@@ 70,13 71,14 @@ management errors where one might have accidently exposed some
services (I'm looking at you legacy cruft!) on a subdomain, or
embedded in a https site (so called mixed content errors)

4. No click through errors.
### 4. No clicking through errors.
HSTS also helps mitigate user errors, in case of breakage hsts spec forces
client to not allow users to override their
behaviour by clicking through.

## A note of caution

HSTS is pretty unforgiving (for a good reason) in cases of TLS
screwups. Also, its really hard to get out of preload lists. Make sure
your https deployment is rock stable pushing out HSTS, start with a
your https deployment is rock stable pushing out HSTS. Start with a
small time delta, and keep increasing after careful testing.