Some less obvious benefits of HSTS

HSTS, standing for HTTP Strict Transport Security, is a relatively new standard that aims to bolster the strength of HTTPS connections.

Hopefully it's about to catch on. Google Chrome has supported HSTS for a while now, and Firefox support is imminent.

The stated benefits of HSTS include:
  • Defenses against sslstrip-like attacks. The initial navigation to blah.com is automatically upgraded to HTTPS.

  • Zero tolerance for certification problems. The user is not permitted to "click through" anything such as a self-signed cert.

HSTS also comes with some less obvious benefits and security boosts, which it's worth noting:
  • Mixed-content defense. For same domain mixed-content situations, the fetches are automatically upgraded to HTTPS. This can sometimes sidestep nasty bugs.

  • Secure cookie defense. It's a pretty egregious bug for an HTTPS-only site to fail to mark its cookies "Secure", but HSTS can defend against the cookie value being sent out plaintext.

  • Cookie forcing defense. Cookie forcing is a pretty nasty MITM attack that I was playing with back in 2008. As long as HSTS is used in "includeSubDomains" mode, it can provide a defense against this subtle attack.

  • Latency win. User who navigate to or bookmark the plain HTTP blah.com are automatically bounced straight to HTTPS, without having to go via an HTTP redirect

In the future, I'm hopeful HSTS can be extended to provide defenses against possibly rogue CAs.