Sending information over an HTTP connection has always been a risky proposition, at least ever since cookies were introduced, but the recent release of Firesheep has caused a bit of an alarm. During a normal HTTP session, anyone with the skills to intercept a victim's packets on the network may end up stealing the user's identity as well as assets stored online. The threat was always there, but the recent release of Firesheep has changed things completely: this Firefox extension has made hijacking the session of another user on the same network so easy that anyone using the tool can do it. HTTP Strict Transport Security (HSTS) is an HTTP extension that makes sure transactions between the server and the browser are carried out over HTTPS rather than HTTP. It uses an HTTP response header field named "Strict-Transport-Security", which tells the browser to use a secure connection for the period of time specified.
The HSTS specification, by Jeff Hodges of PayPal, Collin Jackson and Adam Barth, is currently an IETF draft, but Google Chrome (version 4) already supports it and it is a feature in Firefox 4. Websites such as PayPal, Defcon, EFF and many more are already implementing it. Wikipedia provides some server configuration snippets for different platforms; I am reproducing a couple of them to demonstrate how to do it.
Implement HSTS
For implementing it in Apache, use the following snippet.
# requires mod_headers; a separate 'Header append ... includeSubDomains' would join the
# values with a comma, but HSTS directives must be separated by ';'
Header set Strict-Transport-Security "max-age=500; includeSubDomains"
[source: wikipedia]
In PHP, it would be:
<?php
$use_sts = true;
// $_SERVER['HTTPS'] is unset on plain HTTP, and some servers (IIS) set it to "off"
$is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
if ($use_sts && $is_https) {
    // browsers only honour the header when it arrives over HTTPS
    header('Strict-Transport-Security: max-age=500');
} elseif ($use_sts && !$is_https) {
    // 301 to the HTTPS version of the same URL (the status goes in header()'s third argument)
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}
[source: wikipedia]
On ASP, the following block of script can enforce HSTS:
Dim use_sts
use_sts = True
If use_sts = True And Request.Url.Scheme = "https" Then
    ' already on HTTPS: tell the browser to stay there for max-age seconds
    Response.AddHeader "Strict-Transport-Security", "max-age=500"
ElseIf use_sts = True And Request.Url.Scheme = "http" Then
    ' plain HTTP: redirect permanently to the HTTPS equivalent of this URL
    Response.Status = "301 Moved Permanently"
    Response.AddHeader "Location", "https://" & Request.Url.Host & Request.Url.PathAndQuery
    Response.End
End If
[source: wikipedia]
Note: These snippets should be used within the context of an SSL site configuration block.
In the samples above, the server instructs user agents to communicate with it securely for a period of 500 seconds.
For more snippets, check out the Wikipedia entry.
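As an added example (my own code, not from the post or from Wikipedia), here is a small Python model of what a browser does with the header the snippets above send: it parses the Strict-Transport-Security value, decides whether a later http:// request is upgraded before the max-age window expires, and flags deployment weaknesses such as a very short max-age. Host names and timestamps are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass
class HstsPolicy:
    max_age: int               # seconds the browser must keep using HTTPS
    include_subdomains: bool   # whether the policy also covers subdomains
    received_at: float         # unix time the header was seen over HTTPS
# one directive: a name, optionally '=' and a (possibly quoted) value
_DIRECTIVE = re.compile(r'^\s*([A-Za-z-]+)\s*(?:=\s*"?([^";]*?)"?\s*)?$')

def parse_hsts(header: str, now: float) -> HstsPolicy:
    """Parse e.g. 'max-age=500; includeSubDomains' (';'-separated, names case-insensitive,
    max-age required). Raises ValueError where a browser would reject the header."""
    max_age, include_sub = None, False
    for part in header.split(';'):
        if not part.strip():
            continue
        m = _DIRECTIVE.match(part)
        if not m:
            raise ValueError('malformed directive: %r' % part)
        name, value = m.group(1).lower(), m.group(2)
        if name == 'max-age':
            if max_age is not None or value is None or not value.isdigit():
                raise ValueError('max-age must appear once with a numeric value')
            max_age = int(value)
        elif name == 'includesubdomains':
            include_sub = True          # other directive names are ignored, per RFC 6797
    if max_age is None:
        raise ValueError('max-age directive missing')
    return HstsPolicy(max_age, include_sub, now)

def should_upgrade(policy: HstsPolicy, host: str, request_host: str, now: float) -> bool:
    """Would a browser holding `policy` for `host` rewrite an http:// request to
    `request_host` into https://? Not once max-age has elapsed since receipt."""
    if now >= policy.received_at + policy.max_age:
        return False
    if request_host == host:
        return True
    return policy.include_subdomains and request_host.endswith('.' + host)

def lint(policy: HstsPolicy) -> List[str]:
    """Deployment warnings; the 500 s max-age in the demo snippets trips the first one."""
    warnings = []
    if policy.max_age < 180 * 24 * 3600:   # max-age=0 means 'forget the policy'
        warnings.append('max-age=%d: protection lapses %.1f hours after the last visit'
                        % (policy.max_age, policy.max_age / 3600))
    if not policy.include_subdomains:
        warnings.append('includeSubDomains absent: subdomains still reachable over http')
    return warnings
```

The parser also rejects the comma-joined value that an Apache `Header append` of a second directive would produce, which is why the Apache snippet should set the whole value in one directive.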
However, the main reason most sites do not deploy SSL is performance. How much SSL actually affects performance is debatable, but there are ways to optimize web applications to handle SSL better and faster. For instance, web developers can reduce the number of requests and tune their applications to work faster over HTTPS. Check out Gmail Developers Hacks.
Read More
https://www.eff.org/pages/how-deploy-https-correctly
https://secure.wikimedia.org/wikipedia/en/wiki/Strict_Transport_Security