Today I got a wonderful email from Adam G. who works on the Chrome team. About a week or so ago I asked if he would add Write.app to Chrome’s internal HSTS list. The HSTS list, built into the browser itself, is a list of websites that Chrome will always connect to via https no matter what you type into the address bar. So now no matter how you type Write.app’s URL (whether it’s ‘www.writeapp.me’ or ‘writeapp.me’ or http://writeapp.me or whatever) Chrome will automatically rewrite it as ‘https://writeapp.me’ before a request is ever sent to connect. What’s so special about this? I’ll tell you after the jump.
The great thing about being on the HSTS list is added security. But before I get into that, let me back up for a second and explain what HSTS is. HSTS stands for HTTP Strict Transport Security. It’s normally something you set up on your server that tells all browsers “from this moment on, you should always connect using SSL (https)”. The cool thing about that is that it avoids the need for a client (the browser) to be redirected from http to https. Since the vast majority of people never type in “https://”, let alone “http://” or even “www.”, before the URL, most sites like Write.app end up having to intercept http traffic and redirect it to the SSL-secured HTTPS port. That’s normally no big deal. It’s trivial to do and the client never notices. However, the client never notices! And there’s the rub: since typical users don’t look up at their URL bar they don’t notice if the URL is changing. A decent number of users (but still not enough) know to look for the little green lock icon when they check their bank accounts, but they don’t always think to check for a secure connection on other sites… like Write.app! So what’s the worst that could happen? Well, without HSTS enabled you’re susceptible to an HTTPS stripping attack, where an attacker intercepts traffic over an HTTP connection and acts as a middle man between you and the secure site, collecting all of the data sent back and forth between you.
Sites that have HSTS enabled, like Write.app (did I mention that yet?), are less susceptible to this kind of attack, but they’re not completely covered. This is because in order for the server to tell the client browser that the site is enforcing an HSTS policy, the two first need to be connected over SSL, and even then there’s a time limit on that policy (usually 6 months or more). So, if you had never visited Write.app before and the first time you did was over an insecure public network, like at a Starbucks or something, then that’s a prime time for an attacker to spring an HTTPS stripping attack. You probably won’t add the “https://” in front of the URL, and since you need to be on a secure connection before the server tells your browser to never connect insecurely again, you’re vulnerable. There’s really nothing that any site can do about this except hope that the first time a user visits their site it’s from an uncompromised connection. You can usually count on this, but not always.
Enter Chrome’s HSTS List
The chance of an HTTPS stripping attack succeeding against a site that has been added to Chrome’s HSTS list is almost nil! That’s because with Chrome’s built-in list, the moment you type in the URL, no matter the variant and whether you add “https://” or not, Chrome sees from its internal list that your site enforces HSTS and rewrites whatever you’ve typed (or clicked on) to be a secure connection from the start. Chrome (and Chromium) skip the step of being sent to the insecure HTTP version of your site and being redirected before finding out about HSTS, which is exactly the part of the process where you’re vulnerable. And that’s why I’m so excited for Write.app to have been added to the list. We’re now more secure, and as it stands now the list of sites in Chrome’s internal HSTS list is incredibly small! So I’m very proud to be a very early adopter and proud that I’ve taken the security of my users seriously.
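To make the difference between the header-based policy and the built-in list concrete, here is an added example (my own illustration, not code from Chrome, Chromium or Write.app): a small model of a browser’s HSTS cache plus a built-in list, showing that a plain-HTTP first visit teaches the browser nothing unless the host is preloaded. The preload set, the sample hosts and the max-age values are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for Chrome's built-in list (an assumption, not the real list).
PRELOADED = {"writeapp.me", "www.writeapp.me"}

def parse_hsts(header):
    # Split "max-age=15768000; includeSubDomains" into directives; None if max-age is missing.
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        return None
    return {"max_age": int(max_age), "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

class BrowserHstsState:
    # Minimal model of a browser's HSTS cache plus its built-in preload list.
    def __init__(self, preload=()):
        self.preload = set(preload)
        self.cache = {}  # host -> (expiry timestamp, include_subdomains)

    def observe_response(self, host, over_tls, header, now):
        # The header only counts when received over TLS (RFC 6797); a plain-HTTP
        # first visit therefore teaches the browser nothing, which is the stripping window.
        policy = parse_hsts(header) if over_tls and header else None
        if policy is None:
            return
        if policy["max_age"] == 0:
            self.cache.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.cache[host] = (now + policy["max_age"], policy["include_subdomains"])

    def known_host(self, host, now):
        if host in self.preload:  # built-in list: no prior secure visit needed
            return True
        labels = host.split(".")
        for i in range(len(labels)):  # the host itself, or a parent with includeSubDomains
            entry = self.cache.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, typed, now):
        # Upgrade what the user typed the way an HSTS-aware browser would, before any request.
        url = typed if "://" in typed else "http://" + typed
        parts = urlsplit(url)
        if parts.scheme == "http" and self.known_host(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```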
I did a more in-depth write-up about how HSTS and HTTP and all that work on the official Write.app blog today if you want to learn more about how HSTS works step by step. You can learn more about Chrome’s STS implementation here, and you can see where Write.app has been added to Chromium’s list in the source here (it’s all the way at the bottom of the page, the last line before the “Entries are only valid…” comment as of this writing).