HTTP Strict Transport Security (HSTS)
Last modified on 24 July 2016 04:46 PM

StartMail uses HTTP Strict Transport Security (usually abbreviated HSTS). HSTS is a security feature that lets a website tell browsers, through the Strict-Transport-Security response header, that it must only ever be contacted over HTTPS, never over plain HTTP.

HTTPS, unlike HTTP, runs over an encrypted and authenticated Transport Layer Security (TLS) connection (TLS is the successor of the older Secure Sockets Layer, SSL) and therefore better protects the privacy of our users.

How it helps: if a website accepts connections over HTTP and redirects them to HTTPS (as happens when a user types http://www.foo.com/ or just foo.com into the address bar), the browser first talks to the site unencrypted and only then follows the redirect.

That first unencrypted request opens the door to a man-in-the-middle attack: an attacker on the network path can intercept it and answer with a redirect to a malicious site, or simply keep serving a plain-HTTP copy of the site and never redirect at all, so the user never reaches the secure version of the original page.

HTTP Strict Transport Security lets a website inform the browser that it should never load the site over HTTP. The browser remembers this policy for the period given in the header's max-age directive and, for as long as it is valid, converts any attempt to reach the site over HTTP into an HTTPS request before anything is sent over the network. Browsers also refuse to let the user click through certificate warnings for a site protected by HSTS.

An example scenario:

You connect to a free WiFi access point at an airport and start surfing the Web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you're using is actually a hacker's laptop: they intercept your initial, unencrypted HTTP request and redirect you to a clone of your bank's site instead of the real thing. Everything you type into that clone, your login details included, now goes to the hacker.

Strict Transport Security closes this gap: as long as your browser has visited your bank's website over HTTPS at least once, and the bank's site sends the Strict Transport Security header, the browser will use only HTTPS for that site for the lifetime of the policy, so the hacker never sees a plain-HTTP request to hijack. The remaining weak spot is the very first visit, before the browser has seen the policy; to cover it, sites can ask to be included in the HSTS preload list that browsers ship with, so the policy is known before the first connection.
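The following is an added example written for this article, not StartMail's or any browser's code. It models the browser side of the mechanism described above: parsing the Strict-Transport-Security header, remembering the policy per host, upgrading http:// URLs for known hosts (and, with includeSubDomains, their subdomains) before anything goes on the wire, letting the policy lapse after max-age, and ignoring the header when it arrives over plain HTTP, since an attacker on the path could otherwise plant or clear policies. It then walks through the airport scenario, including the unprotected first visit. The hostnames and header values are constructed sample data.

```python
"""Toy model of the browser-side HSTS policy store described above (RFC 6797).
Added example written for this article, not StartMail's or any browser's code;
every hostname and header value below is constructed sample data."""
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Directive names are case-insensitive and the max-age value may be quoted.
_MAX_AGE = re.compile(r'^max-age\s*=\s*"?(\d+)"?$', re.IGNORECASE)


def parse_sts_header(value):
    """Return (max_age_seconds, include_subdomains), or None for a malformed
    header, which the browser must ignore entirely (RFC 6797 s6.1)."""
    max_age, include_sub, seen = None, False, set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name = directive.split("=", 1)[0].strip().lower()
        if name in seen:               # each directive may appear only once
            return None
        seen.add(name)
        if name == "max-age":
            m = _MAX_AGE.match(directive)
            if not m:
                return None
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
        # unknown directives such as "preload" are skipped, not fatal
    return None if max_age is None else (max_age, include_sub)  # max-age is required


class HstsStore:
    """What a browser remembers: host -> (expiry in epoch seconds, includeSubDomains)."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be exercised
        self._hosts = {}

    def process_response(self, url, headers):
        """Learn a policy from one response. Returns True if the store changed."""
        parts = urlsplit(url)
        # Only trust the header over HTTPS (RFC 6797 s8.1); otherwise an on-path
        # attacker could plant or clear policies from a plain-HTTP response.
        if parts.scheme != "https" or not parts.hostname:
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        parsed = parse_sts_header(value) if value is not None else None
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:               # max-age=0 means "forget this host"
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (self._clock() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True on an unexpired exact match, or a superdomain with includeSubDomains."""
        labels, now = host.lower().split("."), self._clock()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is not None and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for a known host before any bytes are sent
        (RFC 6797 s8.3). Port 80 becomes the default 443; other ports are kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """The airport scenario, step by step, on a fake clock."""
    now = [1_700_000_000.0]
    store = HstsStore(clock=lambda: now[0])
    # 1. First ever visit typed as http://: no policy yet, so the request would go
    #    out in the clear. This is the window the attacker needs.
    first = store.rewrite("http://bank.example/")
    # 2. The genuine HTTPS response carries the header; the browser remembers it.
    store.process_response("https://bank.example/",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    # 3. From now on http:// URLs for the host and its subdomains are upgraded locally.
    later = store.rewrite("http://bank.example/login?next=/accounts")
    sub = store.rewrite("http://www.bank.example/")
    # 4. The same header arriving in a plain-HTTP response changes nothing.
    store.process_response("http://evil.example/", {"Strict-Transport-Security": "max-age=99999"})
    evil = store.rewrite("http://evil.example/")
    # 5. Once max-age has passed without another HTTPS visit, the policy lapses.
    now[0] += 31536001
    expired = store.rewrite("http://bank.example/")
    return first, later, sub, evil, expired
```

Running `demo()` returns the five URLs in order: the first visit stays `http://`, the next two are upgraded to `https://`, the attacker's host is never upgraded, and after expiry the bank's URL is left alone again. Real browsers also consult the preload list and persist the store across restarts; both are left out here to keep the policy logic visible.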
