HSTS Preloading

Georgie Yoxall Sep 30, 2017
1 favorite favorites
bookmark bookmark
share share

HSTS Preloading

In this blog post I will discuss HSTS Preloading and the steps we can make to move towards a safer web. Not too long ago, I preloaded my site (yoxall.me.uk) onto the strict HSTS list.

What does this mean?

The first time a browser attempts to initiate a connection with a website, it will default to standard HTTP; regardless of whether a HSTS header is set.

This is because it has never visited it before and so simply does not know of the Http Strict Transport Security response (known as the TOFU security model). This means that the first request to a secure site is vulnerable to a MITM and therefore could still be intercepted.

Since my site is enrolled on the strict list, it knows that the first time a user tries to connect to my website (and every other time, for that matter) - it should default and only ever use HTTPS.

Publication

Pros/Cons In this section I will discuss the pros and cons of being preloaded, with that also highlighting the reasons I chose to enroll.

Pros

  1. HTTPS enforced both server and client-side.

This is good because in the case that the server protocol is ever compromised, the client-side browser will refuse to initiate the connection and thus prevent further leakage.

  1. Google are starting to use this as a SEO ranking metric.

Enforce HTTPS, get an higher ranking. Enforce it at the client side, get an even higher ranking.

Cons

  1. You must be able to support HTTPS for the long term.

You must be committed to the idea of a web with no HTTP. If for what ever reason you cease support for HTTPS in the future, your users will not be able to connect to your site - even if you remove the server-side HSTS header. This is because the strict list is hard-coded into the end user's browser.

Further more, it is a difficult process to be removed from the list.

Conclusion

I believe that if we want to move to a more secure web, we must enforce greater security. And even consider edge cases, such as the user's first visit.

Thus, I would much rather a user not be able to connect to my site at all than the contents be transmitted in plain text. It is for this reason, this site is strictly enforced as being strict-https on most modern major browsers (Chrome, Firefox, Opera, Safari, +).

Note: This is NOT a replacement for the server-side enforcement of HSTS. You need both. Why? Your users may use less common web browsers, those that won't have a hard-coded HSTS list.

You should also recommend your users use a modern browser for this strategy to be effective. Or where not possible, make use of a browser add on such as HTTPS Everywhere.

Thanks for reading!

Okay, where do I start? You can visit this site to learn more about preloading and also request that your site be preloaded.