Anne van Kesteren

TLS: deploy HSTS

HSTS (HTTP Strict Transport Security) is a policy delivered through the Strict-Transport-Security HTTP response header, and a user agent only honours it when the header arrives over an encrypted connection. It indicates that the domain is only to be accessed over TLS for the lifetime of the policy (its max-age). If after the policy is installed a domain is fetched using http://example.com/, the user agent is required to rewrite the URL and fetch https://example.com/ instead, before any request leaves the machine. The plaintext request that an attacker would downgrade or rewrite therefore never happens, which prevents sslstrip attacks.

The solution for initial incoming fetches using http:// is to permanently redirect those to https://. That initial fetch is still susceptible to the sslstrip attack (an active attacker can answer it with a plaintext copy of the site and the header never reaches the user agent), but once the policy has been installed all future fetches will not be. To prevent this attack even for initial fetches, Google is experimenting with an HSTS preload list built into the browser (annevankesteren.nl is awaiting review). Hopefully longer term we can figure out a decentralized solution.

HSTS can also help with attacks on subdomains, and if you really want to protect your online presence you need to enable this too. It is somewhat bad protocol design that this is an opt-in rather than an opt-out, but so be it. Without it, an active network attacker can trick a user into visiting http://secure.example.com/ (a host that need not even exist), answer for that name through DNS spoofing, and present a different site there. Because cookies scoped to example.com (set with a Domain attribute and without the Secure flag) are sent along with that plaintext request to the subdomain, the attacker can read them and possibly also overwrite them. This is bad, and therefore deploying HSTS without includeSubDomains needs very careful consideration and is almost always a bad idea.

Deploying TLS without HSTS is just irresponsible at this point, but fortunately it is rather easy to enable by adding a single header. E.g. through .htaccess on Apache (this needs mod_headers):

# env=HTTPS keeps the header off plain-HTTP responses, where user agents
# ignore it anyway. 31415926 seconds is a little under a year.
Header set Strict-Transport-Security "max-age=31415926; includeSubDomains" env=HTTPS

Redirecting from http:// to https:// can be done through .htaccess as well, though you might also be able to configure this at a higher level (see HTTP to HTTPS), depending on your hosting setup (e.g. DreamHost has distinct configuration for non-TLS and TLS hosting). One caveat: if TLS is terminated in front of Apache, by a load balancer or CDN, %{HTTPS} stays off on the backend and the rule below would loop; in that setup condition on the forwarded-protocol header your proxy sets instead:

# Needs mod_rewrite. Every plain-HTTP request is sent to the same host and
# path over https:// with a permanent (301) redirect; the HSTS header is
# then delivered on the TLS response that follows.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

Note: if you have third-party HTTP services on a subdomain, e.g. through a DNS CNAME record, such as a mailing list or content delivery network, be wary with includeSubDomains. Once a user agent has the policy it rewrites every http://anything.example.com/ to https:// for the full max-age, so a subdomain that cannot serve TLS, or serves it with a certificate for some other name, simply stops working for those users until the policy expires. Not having includeSubDomains leads to security issues, but including it can lead to your site breaking. Best to first ensure all third-party services are on board with using TLS, and to roll out with a short max-age you can back out of (a response with max-age=0 deletes the policy) before committing to a year.
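To make the user-agent side of all of the above concrete, here is an added example that is not part of the original post: a small Python model of how a browser processes the header from the .htaccess snippet and then rewrites URLs, following RFC 6797. It shows why the header is harmless on plain-HTTP responses (they are ignored), how includeSubDomains turns the secure.example.com scenario into a rewrite to https://, what happens to an HTTP-only third-party subdomain once the policy is installed, how non-default ports are kept, and how max-age expiry and max-age=0 behave. The host names (example.com, secure.example.com, lists.example.com as a stand-in third-party subdomain), the responses and the clock are all constructed inline; nothing is fetched from the network.

```python
"""Offline model of how a user agent installs and applies an HSTS policy,
following RFC 6797. Constructed example; not code from the original post."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security field value into a policy dict.

    RFC 6797 section 6.1: directives are ';'-separated and their names are
    case-insensitive; max-age is required; a directive given twice makes the
    whole header invalid; unknown directives (e.g. preload) are ignored.
    Returns None when the header must be ignored.
    """
    seen = set()
    max_age = None
    include_subdomains = False
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsStore:
    """The 'known HSTS hosts' store a browser keeps, keyed by host name."""

    def __init__(self, now=time.time):
        self.hosts = {}  # host -> (expiry timestamp, include_subdomains)
        self.now = now   # injectable clock so expiry can be exercised offline

    def process_response(self, url, headers):
        """Install, refresh or delete the policy for url's host.

        Only responses received over https count: an HSTS header on a plain
        HTTP response is ignored (which is why env=HTTPS in the Apache rule
        costs nothing). Returns True when the store was changed.
        """
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        value = next((v for k, v in headers
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        policy = parse_hsts(value)
        if policy is None:
            return False
        host = parts.hostname  # urlsplit already lower-cases it
        if policy["max_age"] == 0:  # max-age=0 tells the UA to forget the host
            self.hosts.pop(host, None)
            return True
        self.hosts[host] = (self.now() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host):
        """Exact host match, or a superdomain policy carrying includeSubDomains."""
        labels = host.lower().split(".")
        now = self.now()
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry > now and (i == 0 or include_subdomains):
                return True
        return False

    def rewrite(self, url):
        """Return the URL the UA actually fetches (RFC 6797 section 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        # An explicit or implied port 80 becomes the default https port;
        # any other explicit port is preserved.
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    # Constructed response carrying the header from the .htaccess snippet above.
    response = [("Strict-Transport-Security", "max-age=31415926; includeSubDomains")]
    store.process_response("https://example.com/", response)
    for u in ("http://example.com/", "http://secure.example.com/login",
              "http://lists.example.com/", "http://example.com:8080/"):
        print(u, "->", store.rewrite(u))
```

Running it shows http://lists.example.com/ being rewritten to https:// like every other subdomain: if that host is a CNAME to a provider that does not serve TLS, that is exactly the breakage the note above warns about, and it persists until the policy expires or is cleared with max-age=0.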