What is HSTS Certificate and How to Enable It?
In this article, you will learn what an HSTS certificate is, how to implement HSTS, and a step-by-step guide on how HSTS stops SSL stripping attacks.
Gone are the days when only an https:// connection was enough to secure your website and provide confidence in your security to your customers. Today, hackers have found vulnerabilities in SSL connections, such as the infamous 301 redirect that lets them destroy the safety of an SSL connection.
This may make you feel unsafe the next time you try banking online, but fortunately, we have invented a solution. HSTS connections are even more secure than basic HTTP connections for several reasons. Before diving deeper into this topic, we’ll review the basics of how standard HTTPS kept you secure.
What is HSTS Certificate Encryption?
When you want to keep your information private on the internet, using a secret code can boost your chances of preventing third parties from reading it. This can be done using encryption, which completely scrambles your message to prevent both humans and machines from being able to make sense of it.
When your message reaches the destination, the receiver can use a key to unscramble it in a process known as decryption. Currently, encryption is done in two ways – symmetric vs asymmetric encryption.
Symmetric Encryption | Asymmetric Encryption |
Symmetric Encryption uses a single key for encryption and decryption. This key is shared over an unsecured network. | Asymmetric Encryption uses separate key pairs of encrypting keys(public keys) and decrypting keys(private keys) for both parties. The private keys are never shared. |
It is faster but less secure. | It Is extremely secure but quite slow. |
As you can see, symmetric encryption has one obvious vulnerability, which lets an attacker intercept the key before the connection is encrypted. While not so obvious, asymmetric encryption can also be quite vulnerable to interception. While the attacker may not be able to access the private key, they can get access to the public key in this case.
Using the public key, the attacker could encrypt malicious code and send it to the client, making it seem like it came from the server. This could include anything from spyware to ransomware. Fortunately, there is a way to determine each communication’s authenticity over a secured network.
HSTS Vs. SSL Certificate
The SSL protocol allows each client and server connection to verify the connection’s security before communication begins. This is carried out in a process known as the SSL handshake. The handshake also uses certificates that show the authenticity of each communication coming from the server.
These certificates are encrypted using a secret key and can only be decrypted using the pair key, which is shared during the handshake. If the client fails to decrypt the certificate, it proves the message is not genuine and has come from an attacker.
While the workings of certificates and encryption algorithms are certainly more complex than this, for now, you can keep in mind that they both work together to secure a connection.
If a website uses SSL Certificate or its advanced version known as TLS (Transport Layer Security), it will have the https:// in front of its URL after the established handshake.
The Vulnerability
The vulnerability this system presents isn’t very complicated. Simply put, websites need time to establish an SSL handshake, and during that brief period, they connect to their clients using an http:// connection. This leaves the connection vulnerable to attacks.
Exploits of this vulnerability include sending phishing login pages to the client by redirection or even stripping an SSL connection while leaving the connection unsecured and unencrypted.
How to Fix the HSTS Error in Chrome?
HSTS stands for HTTP Strict Transport Security, and it isn’t a new technology. It was invented back in 2012, but it has taken a long time to implement fully. This policy prevents websites from accepting any HTTP connections at all, thereby directly connecting with their clients using HTTPS.
In general, browsers try to connect to websites using HTTP; however, this gets changed thanks to HSTS, which sends instructions to browsers to adhere to HTTPS connections only strictly. While this still leaves you vulnerable the first time you connect to the website, it can be delivered via HTTPS to ensure maximum security.
Read Also: How to Clear SSL State in Chrome?How to Implement HSTS or Http Strict Transport Security in a Website?
Implementing HSTS requires an SSL certificate. In the case of several subdomains on your website, you would need a Wildcard Certificate, but in other cases, just about any cheap SSL certificate would work.
Once you have the certificate, you can implement HSTS with the following code:
1. For Apache Web Server
# Use HTTP Strict Transport Security to force client to use secure connections only Header always set Strict-Transport-Security “max-age=300; includeSubDomains; preload”
2. For lighttpd
server.modules += ( "mod_setenv" ) $HTTP["scheme"] == "https" { setenv.add-response-header = ("Strict-Transport-Security" => "max-age=300; includeSubDomains; preload") }
3. For NGINX
add_header Strict-Transport-Security 'max-age=300; includeSubDomains; preload; always;'
4. For IIS Servers
protected void Application_BeginRequest(Object sender, EventArgs e) { switch (Request.Url.Scheme) { case "https": Response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"); break; case "http": var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery; Response.Status = "301 Moved Permanently"; Response.AddHeader("Location", path); break; } }
Final Thoughts
While it has been in use for over a decade, HSTS has become necessary for making the World Wide Web a more secure place. Implement it on your website today for maximum security for your users.