I just enabled HTTP Strict Transport Security (HSTS) markers on a bunch of web servers that offer HTTPS. It's an easy step to take, and it means that users of HSTS-compliant browsers (such as Chromium and the upcoming Firefox 4) or browsers with HSTS-compliant extensions (like Firefox's NoScript or HTTPS-Everywhere) will no longer be vulnerable to attacks like sslstrip once they have made one successful connection to the HSTS-enabled HTTPS web site. It's not a perfect solution, but it is far better than the current situation. And it's easy to implement for websites that already use HTTPS.

For sites using Apache, just enable mod_headers (on Debian, that's: a2enmod headers) and add the following line to your HTTPS vhost stanza:

    Header add Strict-Transport-Security "max-age=15768000"

Depending on your setup, you may want to add the semicolon-delimited directive includeSubDomains, like this:

    Header add Strict-Transport-Security "max-age=15768000; includeSubDomains"

Note that the number of seconds above is roughly 6 months: this is the duration that compliant clients will retain the protection, counted from the most recent response that carried the header, so each visit refreshes it. The header name is given without a trailing colon (mod_headers tolerates one, but the form above is the documented syntax). A few points worth knowing before enabling it:

The header must be sent only from the HTTPS vhost. Compliant clients ignore Strict-Transport-Security received over plain HTTP, and the spec requires that, because an attacker in the sslstrip position could otherwise set or clear the policy. Keep the HTTP vhost limited to a redirect to the HTTPS site.

includeSubDomains applies the policy to every name under the host, so enable it only if every subdomain (mail, webmail, internal tools) is actually reachable over HTTPS with a valid certificate; otherwise those hosts become unreachable for six months for any client that has seen the header.

If you use "Header always set" instead of "Header add", the header is also emitted on non-2xx responses (redirects and error pages), and "set" avoids sending the header twice when another rule already adds one.

Read more: Debian Administration
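To see what the six-month max-age and the includeSubDomains directive actually mean on the client side, here is a small model of a compliant user agent's "Known HSTS Hosts" list. It is an added example, not code from the Debian Administration article, from Apache, or from any browser. It parses the header value per RFC 6797 (case-insensitive directive names, mandatory max-age, duplicates rejected, unknown directives ignored), refuses to honour the header over plain HTTP, and answers whether an http:// request to a given host must be rewritten to https://. The host names, timestamps and header strings are constructed; it assumes the TLS handshake that delivered the header validated successfully.

```python
"""Model of an HSTS-compliant client's Known HSTS Hosts store (added example).

Not the article's or Apache's code; hosts, times and headers below are
constructed.  Certificate validation is assumed to have happened already.
"""
import re
from urllib.parse import urlsplit

# One directive: name, optionally "=" and a quoted or unquoted value (RFC 6797 6.1).
# Simplification: a literal ';' inside a quoted value is not supported.
_DIRECTIVE = re.compile(r'\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("([^"]*)"|[^;\s]*))?\s*')

SIX_MONTHS = 15768000  # the max-age value used in the post (~182.5 days)


def parse_sts(header_value):
    """Parse a Strict-Transport-Security value.

    Returns (max_age_seconds, include_subdomains), or None if the header is
    invalid and must be ignored: missing max-age, non-numeric max-age, or a
    directive repeated twice.  Unknown directives (e.g. preload) are skipped.
    """
    max_age = None
    include_sub = False
    seen = set()
    for part in header_value.split(';'):
        if not part.strip():
            continue
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            return None
        name = m.group(1).lower()          # directive names are case-insensitive
        if name in seen:
            return None                    # duplicate directive invalidates the header
        seen.add(name)
        value = m.group(3) if m.group(3) is not None else m.group(2)
        if name == 'max-age':
            if value is None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == 'includesubdomains':
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """In-memory Known HSTS Hosts list: host -> (expiry_time, include_subdomains)."""

    def __init__(self):
        self._hosts = {}

    def observe(self, url, header_value, now):
        """Process a response from `url` carrying `header_value` at time `now`.

        Returns True if the policy was stored, refreshed or deleted.  The
        header is only honoured over https: (RFC 6797 8.1); over plain HTTP it
        is ignored, which is why the first visit has to succeed over HTTPS
        before sslstrip-style downgrades are blocked.
        """
        parts = urlsplit(url)
        if parts.scheme != 'https' or not parts.hostname:
            return False
        parsed = parse_sts(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._hosts.pop(host, None)    # max-age=0 tells the client to forget the host
            return True
        self._hosts[host] = (now + max_age, include_sub)   # each visit refreshes expiry
        return True

    def must_use_https(self, host, now):
        """True if an http:// request to `host` must be rewritten to https://.

        Walks from the host up through its parent domains: an exact match
        applies always, a parent's entry applies only with includeSubDomains.
        """
        host = host.lower()
        labels = host.split('.')
        for i in range(len(labels)):
            candidate = '.'.join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if now >= expiry:
                continue                   # policy expired; client behaves as if never seen
            if candidate == host or include_sub:
                return True
        return False


if __name__ == '__main__':
    store = HstsStore()
    store.observe('https://www.example.org/', 'max-age=%d' % SIX_MONTHS, now=0)
    print(store.must_use_https('www.example.org', now=1))            # True
    print(store.must_use_https('www.example.org', now=SIX_MONTHS))   # False, expired
```

The store walks up the domain tree so that a policy set on example.org with includeSubDomains also forces HTTPS for mail.example.org, which is precisely the effect (and the risk) of that directive described above.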