Before getting into the weeds of HSTS, let’s talk a little about a protocol called HTTPS. Today, everyone and their mother knows that, unless you see that padlock icon next to your browser’s location bar, your communication is not secure and should not be trusted. But very few people understand the meaning of the word “secure” here, or how these security features work.
What is HTTPS, and Why Is It Important?
Think about a very simple scenario. You need to check your web-based email account, and this service provider doesn’t support HTTPS, only HTTP. You need to log in to get your mail. As you’re presented with a sign-in form, you type in your username as johnsmith1 as well as your top secret password, which is fluffy2009. Upon submitting your info, the same exact characters go out of your computer and hit the internet as:
You know that the internet is full of bad people, right? And you know that they are waiting for opportunities like this to steal people’s passwords, right? With the simplest of software, they can grab your credentials and pretend to be you to snoop into your email messages when you are not around. You can say, “so what? I have nothing to hide in my email.” Consider that in this hypothetical scenario, your bank account is tied to the same email address. Does it scare you now? It should. The crooks can request a password change and get it in your email. Two seconds later, you can kiss your money in the bank goodbye.
Using HTTPS changes the clear text string above into something like this, referred to as encryption:
It’s all thanks to that letter “s” at the end of “http.” Good luck getting a username or password out of this string now, Mr. Crook.
What Is HSTS Then, and Why Is It Important?
HSTS is an acronym that stands for HTTP Strict Transport Security. Technically speaking, it is a response header sent by the website to the browser, telling the browser that this site can only be contacted via the HTTPS protocol, not by plain text HTTP.
Let’s dig a little deeper into the subject matter with an example. Imagine you want to go visit google.com to run a search. You go to the address bar of your browser and usually type google.com, hit enter and voila, you are there. You do not think about http:// or https:// protocol specification when you are typing the URL you want to go to.
So far, so good, right? Websites that prefer https protocol communication generally use a 301 redirect that changes the URL’s protocol to https and sends your browser back an encrypted response along with the SSL certificate information. This allows your browser to understand how to communicate with this website. Basically, the http communication is switched over to https communication automatically, without the end user doing anything.
Well then, no harm, no foul, right? Not necessarily. In the time it takes for the website to switch to https by redirecting with a 301 status, there is a delay of a few milliseconds. Then there’s the time required for the site to send the SSL certificate back to the browser. If the website is a valuable target, those few milliseconds are almost a lifetime for a malicious actor with an extremely powerful computer system to intercept the communication and insert itself between the user and the server. This is the basic definition of the “man in the middle” attack vector.
On the other hand, if the browser knows that the site accepts https communications only, by way of an HSTS table, it starts the communication directly with the https:// protocol, avoiding the http-to-https transfer time gap. This leaves malicious listeners on the network with nothing to listen to.
It is an added level of security in layman’s terms.
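To make the “HSTS table” above concrete, here is an added example (not code from the original post) of what a browser keeps in that table and how it uses it: a parser for the Strict-Transport-Security header, a store that only accepts policies received over HTTPS and honours max-age expiry and max-age=0 removal, and the lookup that rewrites http:// to https:// before any request leaves the machine. The hostnames and header values are constructed for illustration.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a browser's HSTS table: host -> (expiry, includeSubDomains).
HSTS_TABLE = {}


def parse_hsts(header):
    """Parse a Strict-Transport-Security value per RFC 6797.
    Returns (max_age, include_subdomains), or None if max-age is missing/bad."""
    max_age, include_subdomains = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # any other directive (e.g. preload) is ignored, as the RFC requires
    return None if max_age is None else (max_age, include_subdomains)


def remember_hsts(host, header, received_over_https, now=None):
    """Store the policy as a browser would. A header seen over plain HTTP is
    ignored (an on-path attacker could have injected it); max-age=0 evicts."""
    parsed = parse_hsts(header) if received_over_https else None
    if parsed is None:
        return False
    max_age, include_subdomains = parsed
    now = time.time() if now is None else now
    if max_age == 0:
        HSTS_TABLE.pop(host.lower(), None)
    else:
        HSTS_TABLE[host.lower()] = (now + max_age, include_subdomains)
    return True


def upgrade_url(url, now=None):
    """Rewrite http:// to https:// when an unexpired entry covers the host,
    either exactly or via a parent domain flagged includeSubDomains."""
    p = urlsplit(url)
    if p.scheme != "http":
        return url
    now = time.time() if now is None else now
    labels = p.hostname.lower().split(".")
    for i in range(len(labels)):
        entry = HSTS_TABLE.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
    return url
```

Because the upgrade happens inside the browser before any packet is sent, the plain-http request and the 301 round trip described above never occur for a remembered host.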
How Does Using HSTS Headers Benefit Your Website?
First and foremost, HSTS makes your website virtually impenetrable to the man-in-the-middle attack method. This should give your site’s visitors an extra level of reassurance, especially if your site is an e-commerce site where monetary transactions take place.
Other than the security aspect, by skipping those few milliseconds of delay at the beginning, you shave a considerable amount off the page load time. Today, when a website’s presence in search engines is greatly influenced by page load times, this increase in page load speed is as valuable as gold. Did you know that the average website load time today is 15.3 seconds? Did you also know that the average internet user hits the back button or leaves the site if they cannot see the page in 3 seconds or less?
Do you really want to lose customers because your site exposes their information to hackers and loads slowly? Probably not.
Between better page load times and improved security, what is there not to like about implementing HSTS? Of course your site can benefit from HSTS headers.