How HSTS can make HTTPS even more secure.
15 Apr 2016
Every day huge volumes of personal data, from banking details to emails about a new project, flow through the internet. Given this, encryption is not something that should be ignored.
So why is encryption so important? Delivering a web page over an unencrypted HTTP connection is the same as sending a postcard: everyone who handles it between you and the person it is destined for can read the content (and, if they can match your handwriting, add a message of their own).
As they say, the last person to read a postcard is the person it’s actually addressed to.
Sending unencrypted traffic would be fine if you had a cable running from your computer directly to the server. However, the internet is set up in a way that requires a lot of middlemen, so your request passes from server to server to server before it reaches its destination.
You can see these ‘hops’ with a traceroute. The below shows the hops it takes to get from my computer to epiphanysolutions.co.uk:
2 33-101-168-194.static.virginm.net [126.96.36.199]
3 leed-lam-3-tenge84-519.network.virginmedia.net [188.8.131.52]
4 leed-core-2a-xe-011-0.network.virginmedia.net [184.108.40.206]
[Removed for brevity]
13 corea-core5.lon3.rackspace.net [220.127.116.11]
15 274922-APP1 [18.104.22.168]
As you can see, it goes through 14 hops before it gets to its destination, which isn’t bad, but if this request was sent over unencrypted HTTP then every single server in that chain could see exactly what was being sent, and could also manipulate it.
Using HTTPS instead of HTTP solves this problem by encrypting the data in transit. However, attacks such as downgrade attacks, also known as SSL stripping attacks, remain a major threat to the benefits that HTTPS brings: an attacker in the path keeps the user on plain HTTP so that the encryption never happens.
HSTS solves the problem of downgrade attacks by informing the browser that a website should only be accessed via HTTPS, never HTTP. Enabling HSTS is simple: return the Strict-Transport-Security HTTP header when your site is accessed over HTTPS.
When the browser sees this header in an HTTPS response it makes a note that this website should only ever be loaded over HTTPS for the period the header declares (a year, in the usual configuration). From then on, any http:// link or typed address for that site is rewritten to https:// before a request is sent, so the downgrade never reaches the network. This feature is supported by all modern browsers.
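To make the mechanism above concrete, here is an added example (not code from the original post) that models how a browser parses the Strict-Transport-Security header, records a policy per host, and decides whether a later http:// URL must be upgraded. The class and function names (HstsStore, parse_hsts, should_upgrade) and the sample responses are constructed for illustration; it also models two edge cases the post does not spell out: a header received over plain HTTP is ignored, because any hop on the path could have injected it, and a policy lapses once its max-age has elapsed.

```python
"""Toy model of how a browser records and applies an HSTS policy.

Added example, not code from the original post. Names and sample
responses are constructed for illustration; real browsers keep this
state in a persistent store on disk.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time (seconds) when the policy lapses
    include_subdomains: bool   # whether the policy also covers subdomains


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when there is no usable max-age directive, which is how a
    browser treats a malformed header: it simply ignores it.
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Per-host HSTS cache, keyed by lower-case hostname."""

    def __init__(self):
        self._policies = {}

    def observe(self, url, headers, now):
        """Record the policy carried by a response, if there is one.

        Only responses fetched over HTTPS count; a header seen over plain
        HTTP is ignored. Returns True if the store was changed.
        """
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            # max-age=0 tells the browser to forget the host again
            self._policies.pop(host, None)
            return True
        self._policies[host] = HstsPolicy(now + max_age, include_subdomains)
        return True

    def should_upgrade(self, url, now):
        """True if an http:// URL must be rewritten to https:// before any request."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return False
        labels = parts.hostname.lower().split(".")
        # Walk from the full host up to its parent domains: an exact match
        # always applies, a parent's policy applies only with includeSubDomains.
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def navigate(self, url, now):
        """Return the URL the browser would actually request."""
        if self.should_upgrade(url, now):
            p = urlsplit(url)
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url


ONE_YEAR = 31_536_000  # seconds; the value the post refers to as "a year"


def demo():
    """First visit is unprotected; after the header is seen, http:// is upgraded."""
    store = HstsStore()
    t0 = 1_000_000.0
    first = store.navigate("http://www.example.test/", t0)          # constructed URL
    store.observe("https://www.example.test/",
                  {"Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains"},
                  t0)
    later = store.navigate("http://www.example.test/login", t0 + 60)
    return first, later


if __name__ == "__main__":
    print(demo())
```

The demo shows the one gap HSTS itself cannot close: the very first visit to a site the browser has never seen over HTTPS is still sent as whatever the user typed, because no note exists yet. Browsers address this with a built-in preload list, which the optional preload directive lets site owners apply for; everything after that first successful HTTPS response is covered by the stored policy until it expires.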
So, adding HSTS to your website once you’ve set up HTTPS means that you can be secure in the knowledge that your data and your users’ data is never sent in the clear, and is safe from man-in-the-middle downgrade attacks.
If you’d like to know more about HSTS and discuss how to keep your user’s data secure on your site, please get in touch.