Wednesday, 22 October 2014

What is HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is a web security policy mechanism by which a web server declares that complying user agents are to interact with it using only secure HTTPS connections.
The HSTS policy is communicated by the server to the user agent through an HTTP response header field named "Strict-Transport-Security". The policy specifies the period of time during which the user agent shall access the server only in a secure manner.
HSTS mechanisms:
Servers implement an HSTS policy by supplying the header over HTTPS connections. A complying user agent then does two things:
1. Automatically turns any insecure link referencing the web application into a secure (HTTPS) link.
2. If the security of the connection cannot be ensured, shows an error message or does not allow the user to access the web application.


The first request remains unprotected from active attacks if it uses an insecure protocol such as plain HTTP, or if the URL for the initial request was obtained over an insecure channel. The same applies to the first request after the period specified in the advertised HSTS policy's max-age has expired. Google Chrome and Mozilla Firefox address this limitation by implementing an "STS preloaded list", a list of known sites that support HSTS. A possible solution might be achieved by using Domain Name System (DNS) records to declare the HSTS policy and accessing them securely via DNSSEC, optionally with certificate fingerprints to ensure authenticity.

What is DNSSEC?

DNSSEC is the abbreviation of "Domain Name System Security Extensions".

To test manually, access the web site by typing its URL into the address bar of the browser. If you are able to access the web site over plain HTTP, then HSTS is not enabled. When this feature is enabled, the browser always communicates with the server over HTTPS.

This can also be tested using curl.

1. Download curl from the internet and install it on your PC.
2. Open a command prompt window (via "Run") as administrator.
3. Execute the command.

A "Strict-Transport-Security: max-age=xxxxxx" header will be present in the response if HSTS is enabled.
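As an added example (not code from the original post), the following POSIX shell checker reads the headers that curl prints and reports whether an HSTS policy is present, how long it lasts, and which extra directives it carries, using the header syntax defined in RFC 6797. The post does not show the command for step 3; the example assumes `curl -sI https://example.com/` (example.com is a placeholder host), where `-I` requests only the response headers and `-s` silences progress output. The function names hsts_check, hsts_header_value, hsts_directive and hsts_has_flag are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Reads HTTP response
# headers on stdin (as printed by "curl -sI https://host/") and reports
# whether a Strict-Transport-Security policy is present, its max-age and
# its extra directives, following the header syntax of RFC 6797.
#
# Usage (example.com is a placeholder host):
#   . ./hsts_check.sh
#   curl -sI https://example.com/ | hsts_check

# Print the directive list of the first Strict-Transport-Security header,
# or nothing if the header is absent. Header names are case-insensitive,
# and curl leaves a trailing CR on each line, so strip it first.
hsts_header_value() {
    tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 | sed 's/^[^:]*://'
}

# hsts_directive LIST NAME: print the value of directive NAME (lowercase)
# from a list like 'max-age=31536000; includeSubDomains'. Quotes around the
# value are stripped; nothing is printed if the directive is missing.
hsts_directive() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' \
      | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" \
      | head -n 1
}

# hsts_has_flag LIST NAME: succeed if the valueless directive NAME
# (lowercase, e.g. includesubdomains or preload) appears in LIST.
hsts_has_flag() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx "$2"
}

# Read response headers from stdin, print a verdict and return 0 only when
# a valid HSTS policy (header present with a numeric max-age) was found.
hsts_check() {
    value=$(hsts_header_value)
    if [ -z "$value" ]; then
        echo "HSTS: not enabled (no Strict-Transport-Security header)"
        return 1
    fi
    max_age=$(hsts_directive "$value" max-age)
    case $max_age in
        ''|*[!0-9]*)
            echo "HSTS: header present but max-age is missing or not a number;"
            echo "      the policy is invalid and browsers ignore it"
            return 1 ;;
    esac
    echo "HSTS: enabled, max-age=$max_age seconds (about $((max_age / 86400)) days)"
    if [ "$max_age" -eq 0 ]; then
        echo "      max-age=0 tells browsers to drop any stored policy for this host"
    fi
    if hsts_has_flag "$value" includesubdomains; then
        echo "      includeSubDomains: the policy also covers all subdomains"
    fi
    if hsts_has_flag "$value" preload; then
        echo "      preload: the site asks to be included in browsers' preloaded list"
    fi
    return 0
}
```

Source the file and pipe curl's output into hsts_check. Two caveats matter when reading the result: browsers only honour the header when it arrives over an HTTPS connection, so an HSTS header seen in a plain-http response enables nothing, and a header without a numeric max-age is invalid and is ignored by browsers, which the checker reports as "not enabled" rather than as a working policy.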

