HSTS stands for HTTP Strict Transport Security. HSTS helps in preventing SSL stripping attacks and session hijacking attacks. SSL stripping attacks are a special type of man-in-the-middle (MITM) attack.

Let's see how a typical request session happens on the Internet. When a user opens a browser and types a URL, browsers by default put http in front of it. The browser then sends an HTTP request to the server. The server answers over HTTP saying, please send the request over HTTPS. The browser now sends an HTTPS request.

Every single time a browser sends an HTTP request and the server sends a 301 redirect response demanding that the request be sent over HTTPS, there is an opportunity for the SSL strip attack. We will see how this attack works soon.

It would be nice if the server could tell the browser that, not only for this session but for any future sessions also, please send all requests over HTTPS. That's what HSTS does. HSTS tells browsers that for all future requests, for say the next 6 months, please use HTTPS. So now even if the user types http://www.ecommerce.com, the browser itself will switch HTTP to HTTPS without contacting the server, for a period of 6 months.
Let's say that Harry, the hacker, visits a Starbucks coffee shop. Here he creates a hotspot named "Starrbucks coffee". Notice that he has put two "r"s in the name "Starrbucks coffee".

Joe walks into the coffee shop and sees two hotspots that both appear to be named "Starbucks coffee". He does not pay attention to the misspelling. Joe connects to the hotspot set up by Harry.

Now Joe opens his notes site. Mynotes already has HSTS enabled and Joe visits it regularly, so the browser knows to send the request over HTTPS. In his notes he has a link to toystore.com. He clicks on the link to buy a gift for the upcoming birthday party. Since there is no protocol mentioned in the link, by default the browser sends the request using HTTP. The request is sent to toystore.com.

Since Joe is connected to the hotspot run by Harry, the request first goes to Harry. Harry has set up a proxy. Harry stops the request in the middle and initiates a brand new request to toystore.com. The toystore site sends a 301 response asking the client to send the request over HTTPS.

If Harry sends this response to Joe as it is, Joe's browser will make a direct tunnel between Joe's browser and toystore.com. That's how HTTPS works: it sets up a secure tunnel between the client and the server. If there is a direct HTTPS connection between Joe's browser and toystore.com, then Harry would not be able to steal Joe's credit card information.

So this is what Harry does. Harry does not forward the response that says to send the request over HTTPS. Instead, Harry himself sends the request over HTTPS to toystore.com. toystore.com responds with the login page. Harry takes the response of this page and sends it to Joe over HTTP. So here Harry is taking an HTTPS response, stripping the SSL, and sending the same response over HTTP. This is why it is called an SSL strip attack.

Now Joe fills out the form and submits it over HTTP. Harry does not let this submission go through. He is in the middle between Joe and the toystore. Harry looks at the data, puts this data in the form and submits the form using HTTPS to toystore.com.

The main takeaway is that Joe never sends any data over HTTPS, and in this way Harry is able to see all the data because all the data is being sent over HTTP and not HTTPS. In this way Harry is able to steal Joe's credit card information.
How could this have been mitigated? This was not the first time Joe was visiting toystore.com. If toystore.com had been using HSTS, then all requests to toystore.com would have been sent over HTTPS, even if the link Joe clicks on says http and not https.

However, this mechanism does not solve the problem of the first visit. What if Joe has never been to www.tshirts.com and his friends on the chat tell him about it? Even if the engineering folks at tshirts.com have implemented HSTS, the very first request to tshirts.com by Joe at that coffee shop can be intercepted by Harry. To solve this first-visit problem, https://hstspreload.org was born.
Major browsers like Chrome, Firefox, Opera, Safari and IE came together to support https://hstspreload.org/. Any request made to any site listed in hstspreload is always sent over HTTPS, including the very first request.
For example "mail.google.com" is in the hstspreload list. It means even if we get a brand new laptop and in the url if we type http://mail.google.com then even for the first visit the request will be sent over HTTPS and not HTTP.
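As an added example (not code from the original article), here is a toy Python model of the browser-side HSTS cache described at the top of the post and of the preload check just mentioned. It assumes toystore.com answers over HTTPS with `max-age=15552000` (6 months in seconds) and that only mail.google.com is preloaded; it shows that once a policy is cached, an http:// link is rewritten to https:// inside the browser, so the 301 that Harry strips in the story is never requested, while on a first visit to a non-preloaded site the plain-HTTP request still goes out.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts assumed preloaded for this example (mail.google.com is the one the text names).
PRELOAD = {"mail.google.com"}

def parse_hsts(header, now):
    """Parse a Strict-Transport-Security value into (expires_at, include_subdomains);
    None when the header is malformed, which browsers simply ignore."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().lower().partition("=")
        if name.strip() == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name.strip() == "includesubdomains":
            include_sub = True
    return None if max_age is None else (now + max_age, include_sub)

class Browser:
    def __init__(self):
        self.hsts = {}  # host -> (expires_at, include_subdomains), learned over HTTPS only

    def on_https_response(self, host, headers, now):
        # A policy may only be set by a response that arrived over HTTPS; a plain-HTTP
        # response could have been written by a proxy in the middle, like Harry's.
        value = headers.get("Strict-Transport-Security")
        policy = parse_hsts(value, now) if value is not None else None
        if policy is not None:
            self.hsts[host.lower()] = policy  # max-age=0 stores an already-expired entry

    def must_use_https(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            domain = ".".join(labels[i:])
            if domain in PRELOAD:  # preload entries cover subdomains as well
                return True
            policy = self.hsts.get(domain)
            if policy and policy[0] > now and (i == 0 or policy[1]):
                return True
        return False

    def navigate(self, url, now):
        """URL that goes on the wire: with a policy, http:// becomes https:// inside the
        browser before any request is sent; without one, the strippable request goes out."""
        p = urlsplit(url)
        if p.scheme == "http" and p.hostname and self.must_use_https(p.hostname, now):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url
```

Note that the policy expires after max-age seconds unless a later HTTPS response refreshes it, which is why the text talks about "the next 6 months" rather than forever.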
This is also a good reminder that, unless absolutely needed, please do not connect to random Wi-Fi hotspots. Only connect to known Wi-Fi hotspots.