HTTPS, HSTS, and PFS- A Must Security for any Website

However, you may hear about SSL protocol that secures online transition between the browser and the company server with its robust encryption. Due to evolving threat around the cyber world, many organizations are now mulling over to switch to HTTPS URL instead of a simple HTTP URL. Besides HTTPS, there are two main tools: HSTS (HTTP Strict Transport Security) and PFS (Perfect Forward Secrecy) that can mitigate spying activities. Here is how sites can do their best to protect spying tricks.

HTTPS (Hypertext Transfer Protocol Secure) Protection for any website:

If we talk about HTTPS then it is easy to embed your website with HTTPS URL. Find a suitable certificate authority (RapidSSL, Thawte, Comodo, Symantec, GeoTrust, Godaddy, GlobalSign etc) or SSL reseller (SSL2BUY, SSLMatrix, Trustico, SSL247, TheSSLShop, etc); select the right SSL product and your website will be protected with HTTPS. Whether you are running ecommerce, financial institution, or any huge website all you need a robust encryption for your customer’s security; attackers use sophisticated tricks to lure customers, swipe their login credentials within a minute. Extended Validation is one of the strongest and reliable options for SSL security, which not only establishes your business identity, but also secures customer’s identity over the web.

However, mere embedding SSL on your website is not enough against spying activity thereof you have to think for the above two other options: HSTS (HTTP Strict Transport Security) and PFS.

HSTS is too important for Website Security:

HSTS is a novel feature that secures users against phishing activity. Currently, phishers try to send fake email pretending as a legitimate organization or website. When people click on such link, they would redirect to another website where they are called for login credentials or financial information. HSTS tells the browser to use SSL at the time of accessing the website. The website then redirects an insecure URL connection (for example http ://) to the secure HTTPS connection by default.  If the website has self-signed certificate, then it will show an error message and do not allow the user to access the website.  

A website can state “Strict Transport Security” for their domain using an HTTP header sent by the server fixed during an HTTPS response:

Strict-Transport-Security: max-age=15768000

Or

Strict-Transport-Security: max-age=15768000 ; includeSubDomains

Where “max-age” shows the time considered for the forced HTTPS (seconds). You can add sub domains for this rule. There is an add-on HTTPS Everywhere but it is sensible to secure your website by default with HSTS feature.

PFS plays vital role for Website Protection:

The third one but the most important tool is PFS ( Perfect Forward Secrecy), which protect users against compromised private key and never let the attacker to decrypt the past communication. In simple term, if anyone leaks a private key of any website, he will never decrypt the traffic sent in the past since that website had started to implement PFS.

However, many website do not use PFS, which means their past communication with particular servers is vulnerable if their private key is compromised once. Such communication with servers is open to eavesdropping and malicious tampering.

In recent scenario, we heard about Heart bleed attack that has influenced several websites and made them vulnerable. In this case, if your website is equipped with PFS, then you will lose your privacy only for a short time and soon you can change your private key very fast.

Conclusion:

The above three tools will help you in securing web transaction, and mitigate spying activities of attackers. It is sensible to have HSTS and PFS along with HTTPS for better security. These tools are helpful in corporate and government surveillance and protect user’s privacy.