Updated on May 2, 2018
While HTTPS is the go-to way to connect to the Internet securely, and many companies are working hard to make mainstream adoption as smooth as it can be, this does not mean that HTTPS is a perfect protocol. There is still a window for tampering in the brief moment when a browser is being redirected from an HTTP link to an HTTPS source, and this is exactly where man-in-the-middle (MITM) attacks happen. This is where HSTS comes in clutch.
Origins and adoption
HTTP Strict Transport Security (HSTS) is a web server security mechanism that tells browsers, via an instructional response header, how to handle connections made to that server. As an important addition to HTTPS and to the global security of data, HSTS has been in the works since the second half of 2009, but the majority of progress has come in the last 2 years. Already implemented by big players like Google, Facebook, Twitter and PayPal, HSTS is also enabled on all of our shared servers to complement the rest of the security features we offer.
Why MITM shouldn’t be taken lightly
Man-in-the-middle (MITM) attacks are still an unknown matter to most regular users, even when those same users have been targeted by such attacks during their everyday online activity. Flying under the radar is part of the problem, and we believe that knowing what you might expect from public Wi-Fi networks can significantly reduce unwanted data exposure online. The most common setup is an attacker spoofing a Wi-Fi hotspot so that they sit between a user and the router. Now imagine that this user wants to access your website. Even if the connection from the router to your website is secured via the HTTPS protocol, the attacker can strip the SSL, so that the user's side of the connection is downgraded to plain HTTP, then read and alter the unencrypted data from the user before encrypting it and forwarding it to the router. This way the user has no idea their data is being accessed on the fly, which can lead to all sorts of malicious scenarios. These sorts of attacks can be mitigated using HSTS to force the browser to only use HTTPS when connecting to your website from the get-go.
HSTS and A+ Grade on SSL checks
The idea of SSL checkers is not only to verify that an SSL certificate is issued for your domain, but also to show how the security of that domain can be optimized. SSL checkers like SSL Labs take into consideration a plethora of options and vulnerabilities covered by the different versions of TLS, cipher strength, key strength, etc., to provide an adequate representation of the strength of your SSL setup, graded from F to A+. Activating a Let’s Encrypt certificate from your FastComet cPanel will get you to an A grade. The only thing missing in order to get a perfect score of A+ is to have HSTS enabled, since, as we mentioned in the last section, without it MITM attacks are still a possibility. Once you have enabled it, the SSL covering your domain will be considered fully optimized and you will get the perfect score. And we all love perfect scores, especially when we talk about security.
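As an added check, not code from this post or from FastComet: the Python below parses the Strict-Transport-Security header a server sends (the mechanism described under "Origins and adoption") and reports whether it meets the "long duration" that SSL checkers look for when grading A+. The six-month threshold is assumed from SSL Labs' grading rules, not stated on this page, and the sample header values are constructed.

```python
import re

# Assumed threshold (not stated on the page): SSL Labs counts HSTS as
# "long duration" only when max-age is at least six months, 15768000 seconds.
LONG_DURATION_SECONDS = 15768000

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value per RFC 6797.

    Returns {directive_name_lowercased: value_or_None}, or None when the
    header is not a usable policy (max-age missing, non-numeric, or any
    directive repeated), which is exactly when a browser would ignore it.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, raw = part.partition("=")
        name = name.strip().lower()
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':  # quoted-string form
            raw = raw[1:-1]
        if name in directives:  # repeated directive invalidates the header
            return None
        directives[name] = raw if sep else None
    if not re.fullmatch(r"\d+", directives.get("max-age") or ""):
        return None
    return directives

def evaluate_hsts(value, min_age=LONG_DURATION_SECONDS):
    """Return (long_duration_ok, findings) for a header value (None = absent)."""
    findings = []
    if value is None:
        return False, ["no HSTS header: the HTTP->HTTPS redirect can still be stripped"]
    policy = parse_hsts(value)
    if policy is None:
        return False, ["malformed HSTS header; browsers will ignore it"]
    max_age = int(policy["max-age"])
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif max_age < min_age:
        findings.append("max-age %d is below the %d needed for long duration" % (max_age, min_age))
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains missing: subdomains stay unprotected")
    return max_age >= min_age, findings

if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    for sample in (None, "max-age=300", "max-age=31536000; includeSubDomains; preload"):
        print(repr(sample), evaluate_hsts(sample))
```

Browsers only honour this header when it arrives over HTTPS, so the very first plaintext visit to a domain remains exposed until the policy is cached or the domain is on the browser preload list.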
As there will always be a tug of war between security and malicious intent, it is to be expected that the future will build upon HSTS and HTTPS and make them even better. However, for now this is the current peak of hardening you can achieve in this layer of security, and it is worth the extra time to enable it for your websites.