Using HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security, also called HSTS or simply STS, is an opt-in security mechanism for HTTP defined in RFC 6797. Its main goal is to stop a browser from ever talking to your site over plain HTTP, which closes the window in which traffic could be intercepted, downgraded or leaked.

A web application enables HSTS by sending a special response header, Strict-Transport-Security, over HTTPS (browsers ignore the header on plain-HTTP responses). Once a browser has seen it, it will not send any plain HTTP request to that domain; every http:// URL is rewritten to https:// before the connection is made.

HSTS addresses the following threats:
– Manually typed or bookmarked http:// URLs that would otherwise expose the first request to a man-in-the-middle
– Mixed-content pages that load resources over HTTP and thereby leak cookies or other sensitive information
– Man-in-the-middle interception with an invalid certificate, in the hope that the user clicks through the warning (with HSTS the browser does not let the user bypass a certificate error)
– Protocol downgrade (SSL stripping) attacks, where an attacker keeps the user on an unencrypted connection and relays the traffic

An HSTS Policy may contain an optional directive, includeSubDomains, specifying that this HSTS Policy also applies to any hosts whose domain names are subdomains of the Known HSTS Host’s domain name.

If you use includeSubDomains, the policy also covers the subdomain that points to Carma, i.e. click.<yourdomain.com>. Every click on a tracking link is then forced to HTTPS, and since we cannot serve that request with your certificate, the recipient gets a certificate error that HSTS does not allow them to click past; the link simply does not work. We therefore recommend that you enable HSTS only on domains that actually support HTTPS, and that you do not use the includeSubDomains directive.

If you want HSTS with includeSubDomains anyway, an alternative is to point the Carma link subdomain at your own web server, which serves it over HTTPS with your certificate and redirects each request on to Carma. Keep in mind that this adds one more redirect, and therefore some extra time, to every link click by your recipients.
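The redirector that alternative calls for can be small. The following is an added example, not code from this page or from Carma: a WSGI application that you would run behind a TLS terminator holding your own certificate, answering on the link subdomain and sending every GET/HEAD on to Carma with path and query intact. CARMA_TARGET is an assumed placeholder for the host your link subdomain currently points at, and port 8080 on localhost is only for the demo.

```python
"""Redirector for the includeSubDomains alternative: the tracking subdomain
(e.g. click.yourdomain.com) is pointed at this server, which runs behind a
TLS terminator holding your own certificate, and every request is forwarded
on to Carma.

Added example, not code from the original page or from Carma. CARMA_TARGET
is an assumed placeholder; substitute the host your link subdomain points at.
"""
from urllib.parse import quote
from wsgiref.simple_server import make_server

# ASSUMPTION: placeholder target, not a real Carma host name.
CARMA_TARGET = "http://tracking.carma.example"


def redirect_location(path_info: str, query_string: str) -> str:
    """Build the Location header for the onward redirect.

    The destination host is fixed, so the redirector cannot be abused as an
    open redirect. Path and query are passed through unchanged (the path is
    only re-quoted) because the click-tracking identifiers live there.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in query_string):
        raise ValueError("control character in query string")
    path = quote(path_info or "/", safe="/")  # PATH_INFO arrives percent-decoded
    location = CARMA_TARGET + path
    if query_string:
        location += "?" + query_string
    return location


def redirect_app(environ, start_response):
    """Minimal WSGI application: 302 every GET/HEAD to Carma, refuse the rest."""
    if environ.get("REQUEST_METHOD", "GET") not in ("GET", "HEAD"):
        start_response("405 Method Not Allowed",
                       [("Allow", "GET, HEAD"), ("Content-Length", "0")])
        return [b""]
    try:
        location = redirect_location(environ.get("PATH_INFO", ""),
                                     environ.get("QUERY_STRING", ""))
    except ValueError:
        start_response("400 Bad Request", [("Content-Length", "0")])
        return [b""]
    # no-store keeps proxies and browsers from caching the redirect.
    start_response("302 Found", [("Location", location),
                                 ("Cache-Control", "no-store"),
                                 ("Content-Length", "0")])
    return [b""]


if __name__ == "__main__":
    # Plain HTTP on localhost only; terminate HTTPS (with your certificate)
    # in the reverse proxy in front of this process.
    make_server("127.0.0.1", 8080, redirect_app).serve_forever()
```

The destination is a constant on purpose: taking it from the request would turn the link subdomain into an open redirect. Control characters in the query string are rejected so nothing can be smuggled into the Location header.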

HSTS is not a remedy for every difficulty involving HTTPS and web security, and it must be adopted with care. Plan and evaluate your site and application architecture before rolling it out: a wrong configuration can make your site unreachable for every visitor who has stored the policy, for as long as the max-age you set.

If you have implemented HSTS with the subdomain policy, this restricts every user who visits your website. The browser stores a note that your domain must always be accessed over HTTPS; it is not a cookie, and clearing cookies or browsing history does not normally remove it. Any change you make is subject to the max-age (time to live) you set in the policy. If you revert a change, it can therefore take that long before the change takes effect for visitors who already hold the policy, because a visitor only picks up the new header the next time they load your site over HTTPS.
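To make the behaviour described above concrete, here is an added example (not code from this page or from Carma) in Python that models the browser side of RFC 6797: it parses the Strict-Transport-Security header, keeps the per-host policy with its max-age expiry, and decides whether an http:// link is rewritten to https://. The host names yourdomain.com and click.yourdomain.com are assumed placeholders. Running it shows that a tracking link on the subdomain is left alone without includeSubDomains, is forced to HTTPS with it, and that a revert via max-age=0 only reaches a visitor who comes back over HTTPS while everyone else keeps the policy until it lapses.

```python
"""Simulate how a browser stores and applies an HSTS policy (RFC 6797).

Added example, not code from the original page or from Carma. The host
names yourdomain.com and click.yourdomain.com are assumed placeholders
for a customer domain and its Carma tracking subdomain.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age, include_subdomains), or None if the header is invalid.

    RFC 6797 section 6.1: directives are ';'-separated and case-insensitive,
    max-age is mandatory and must not repeat, includeSubDomains is an optional
    valueless directive, unknown directives are ignored. A browser ignores an
    invalid header entirely.
    """
    max_age = None
    include_subdomains = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


@dataclass
class HstsPolicy:
    expires_at: float          # time (seconds) at which the entry lapses
    include_subdomains: bool


class HstsStore:
    """The per-host cache of 'Known HSTS Hosts' that a browser keeps."""

    def __init__(self) -> None:
        self._hosts: Dict[str, HstsPolicy] = {}

    def observe(self, host: str, header: str, now: float) -> None:
        """Process a Strict-Transport-Security header from an HTTPS response.
        (Browsers ignore the header on plain-HTTP responses; call only for HTTPS.)"""
        parsed = parse_sts_header(header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:
            self._hosts.pop(host.lower(), None)   # max-age=0 means "forget me"
        else:
            self._hosts[host.lower()] = HstsPolicy(now + max_age, include_subdomains)

    def is_known(self, host: str, now: float) -> bool:
        """True if an unexpired entry matches the host exactly, or matches a
        superdomain and carries includeSubDomains (RFC 6797 sections 8.2/8.3)."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._hosts.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade http:// to https:// for a Known HSTS Host. An explicit port 80
        becomes 443 (the default, so it is dropped); other ports are kept."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known(host, now):
            return url
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store, now = HstsStore(), 0.0
    link = "http://click.yourdomain.com/t/abc"
    store.observe("yourdomain.com", "max-age=31536000", now)      # recommended
    print("without includeSubDomains:", store.rewrite(link, now))
    store.observe("yourdomain.com", "max-age=31536000; includeSubDomains", now)
    print("with includeSubDomains:   ", store.rewrite(link, now))
    # A revert only reaches visitors who come back over HTTPS; the rest keep
    # the old policy until max-age runs out.
    print("a day later, no revisit:", store.is_known("click.yourdomain.com", now + 86400))
    store.observe("yourdomain.com", "max-age=0", now + 86400)
    print("after revisit with max-age=0:", store.is_known("click.yourdomain.com", now + 86400))
```

The `now` parameter is passed explicitly rather than read from the clock so the expiry behaviour can be stepped through; real browsers do the same arithmetic against wall-clock time.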

More information
RFC 6797
Wikipedia article regarding HTTP Strict Transport Security