2015-08-20

Understanding HTTP Strict Transport Security (HSTS)

I'm not going to explain it all myself since it was explained in an excellent way here. However below is the executive summary.

More and more sites are becoming HTTPS-only sites where the HTTP version simply redirects to the secure site. However that could be a problem if a user does not pay attention to how their browser is connecting. HSTS both allows your site to tell the browser to never ever again try the non-secure variant but you can also have modern browsers preload your site as secure meaning that no user ever would attempt an insecure connection. As long as users are using a modern updated browser that is...

In the linked article's comments one criticism of the solution is that it would not scale when every site on internet needs to be preloaded. Given that we are talking about text, compression will take us a long way. But as the number of sites supporting HSTS increase the memory needed for the preload list will increase which in theory could affect smaller devices.

But then again; even if we consider all existing domains we are talking about a few GB of text and given the predictability of the data some smart compression can certainly get the total data down below one GB is my guess, maybe even below 100MB. And that shouldn't be a problem. But that is also assuming that we stick with this solution many years from now. Once HSTS gets widely adopted I'm sure there will be other solutions that scale better. Storing this information in a DNS record once DNSSEC becomes more widely used seams like a a simple way of making this scale...

No comments:

Post a Comment