hsts

Results of the experiment “HTTPS and HSTS for ITSecurityNews.info”

I wrote 4 months ago (Aug 14) about the switch to HTTPS by default on the new site ITSecurityNews.info. A week ago I wrote about the experiment of enhancing the headers of the website to show full compatibility with HSTS.

Experiment started: HTTPS for ITSecurityNews.info
Moving to HSTS

It is too early to say what impact HSTS has on the traffic, but we can have a look at the traffic for HTTPS. Here is the shape:

The red vertical line marks the point when I switched to HTTPS. There is a 10% increase in September, but then the traffic returns to its normal patterns. Does this mean that the switch to HTTPS failed? Or is November the result of switching HSTS on? Let's have a deeper look:

As can be seen in the screenshot above, the trend is to lose visits rather than to gain them. So, I can say that SSL + HSTS is making me lose visitors. But then we need to look deeper, because a "visitor" is a page visit, which is not the same as "eyeballs". In that week of October I had 2.5 views per visitor, while in November I've never…


Moving to HSTS

HTTP Strict Transport Security (HSTS) is a policy mechanism that allows a web server to enforce the use of TLS in a compliant User Agent (UA), such as a web browser. HSTS allows for a more effective implementation of TLS by ensuring that all communication takes place over a secure transport layer on the client side. Most notably, HSTS mitigates variants of man-in-the-middle (MiTM) attacks in which TLS is stripped out of communications with a server, leaving the user exposed to further risk. HSTS has been a highly anticipated and much-needed answer to two problems: HTTP being the default protocol for a UA, and the lack of any way for a host to reliably enforce secure communications. For any site that already issues permanent redirects to HTTPS, adding the HSTS response header is a much safer way of enforcing secure communications for compliant UAs. By preventing the UA from sending even the very first request via HTTP, HSTS removes the only opportunity a MiTM has to gain a foothold in a secure transport layer.

How to enable HSTS? If you have access only to .htaccess then this is the only option (assuming you run Apache, just like Strato…
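The paragraph above describes what the Strict-Transport-Security header does and that enabling it is a matter of emitting that header from the server. A quick way to confirm that the header you configured actually arrives in a shape browsers will honour is to parse it the way RFC 6797 specifies and check the directives. The following script is an added example, not code from the original post or from ITSecurityNews.info: it parses the header value, then assesses it against a minimum max-age that is an assumption of this example (180 days) and against the published preload-list requirements (one-year max-age plus includeSubDomains). The sample responses at the bottom are constructed; the Apache `Header always set` line quoted in the comment is the mod_headers directive that would produce the "good" sample.

```python
"""Parse and assess a Strict-Transport-Security (HSTS) response header.

Added example, not part of the original post. Assumes the RFC 6797 syntax:
directives separated by ';', 'max-age' required, optional flag directives
'includeSubDomains' and 'preload'. MIN_MAX_AGE is an assumed threshold for
this example, not a value taken from the post.
"""
import re

MIN_MAX_AGE = 180 * 24 * 3600   # assumed policy minimum, in seconds
PRELOAD_MIN_MAX_AGE = 31536000  # one year, as required by hstspreload.org


def parse_hsts(header_value):
    """Return a dict of directives from an HSTS header value.

    Keys are lower-cased directive names; 'max-age' maps to an int and flag
    directives map to True. Raises ValueError on input a browser would reject.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            raise ValueError("duplicate directive: %s" % name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                raise ValueError("max-age must be a non-negative integer")
            directives[name] = int(value)
        else:
            directives[name] = True if value == "" else value
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    return directives


def assess_hsts(headers):
    """Return a list of findings for the HSTS policy in a response's headers.

    `headers` maps response header names to values (names are compared
    case-insensitively). An empty list means the policy looks sound.
    """
    findings = []
    value = None
    for name, v in headers.items():
        if name.lower() == "strict-transport-security":
            value = v
            break
    if value is None:
        findings.append("no Strict-Transport-Security header: the first "
                        "HTTP request is still unprotected")
        return findings
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        findings.append("malformed HSTS header (%s): browsers ignore it" % exc)
        return findings
    if d["max-age"] == 0:
        findings.append("max-age=0 clears the policy instead of setting it")
    elif d["max-age"] < MIN_MAX_AGE:
        findings.append("max-age %d s is below the assumed minimum of %d s"
                        % (d["max-age"], MIN_MAX_AGE))
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be "
                        "reached over plain HTTP")
    if "preload" in d and ("includesubdomains" not in d
                           or d["max-age"] < PRELOAD_MIN_MAX_AGE):
        findings.append("preload requested but preload-list requirements "
                        "(one-year max-age, includeSubDomains) are not met")
    return findings


# Constructed sample responses. The "good" one is what an Apache .htaccess
# line such as
#   Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# would produce; the others show a weak and a missing policy.
SAMPLES = {
    "good": {"Content-Type": "text/html",
             "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "short": {"Strict-Transport-Security": "max-age=300"},
    "missing": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, assess_hsts(hdrs) or ["ok"])
```

The check deliberately reports a header it cannot parse as "ignored" rather than as a partial policy, because that is what a compliant UA does: a malformed header gives you no protection at all, which is easy to miss when you only eyeball the raw response.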

