Thursday, February 10, 2011

Enabling HTTP Strict Transport Security on debian servers

I just enabled HTTP Strict Transport Security (HSTS) markers on a bunch of web servers that offer HTTPS.

It's an easy step to take, and it means that users of HSTS-compliant browsers (such as Chromium and the upcoming Firefox 4) or browsers with HSTS-compliant extensions (like Firefox's NoScript or HTTPS-Everywhere) will no longer be vulnerable to attacks like sslstrip once they have made one successful HTTPS connection to the site and received the header.
It's not a perfect solution (that very first connection, before the client has ever seen the header, is still unprotected, and a browser that receives the header over plain HTTP must ignore it), but it is far better than the current situation. And it's easy to implement for websites that already use HTTPS.
For sites using apache, just enable mod_headers (on debian, that's: a2enmod headers) and add the following line to your HTTPS vhost stanza (not the plain-HTTP one, since clients only honour the header over TLS):

Header always set Strict-Transport-Security "max-age=15768000"

The Header directive takes the bare field name, without a trailing colon. Using set rather than add means a value configured elsewhere is replaced instead of being sent twice (browsers act on the first Strict-Transport-Security header and ignore any others), and always makes Apache send it on error responses as well as on 2xx ones.

Depending on your setup, you may want to add the includeSubDomains directive after a semicolon (directive names are case-insensitive, so includeSubdomains works too), like this:

Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

Only do this if every subdomain of the host, including ones you rarely think about, is reachable over HTTPS with a valid certificate: once a client has seen includeSubDomains, it will refuse plain-HTTP connections to all of them for the whole max-age period.

(note that the number of seconds above, 15768000, is 182.5 days, roughly 6 months -- this is how long a compliant client will retain the protection after the last response that carried the header; every later HTTPS response restarts the timer, and sending max-age=0 tells clients to forget the policy if you ever need to back out).
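After restarting Apache it is worth confirming what the server actually sends. The following is an added check, not code from the original post or from the Debian Administration article: a POSIX shell function that reads a block of response headers on standard input (the way `curl -sI https://example.org/` prints them) and verifies that exactly one Strict-Transport-Security header is present, that its max-age parses as a number (quoted or not, per RFC 6797) and meets a minimum, and whether includeSubDomains is set. The duplicate-header case is the one a stray `Header add` produces. The sample response embedded at the bottom is constructed for the example, not captured from a real server.

```shell
#!/bin/sh
# hsts_check: validate the Strict-Transport-Security header in a set of
# HTTP response headers read from stdin.
#
# Usage:  curl -sI https://example.org/ | hsts_check [min_max_age]
#         (min_max_age defaults to 15768000, the six-month value above)
#
# Exit status: 0 ok, 1 header missing, 2 more than one header,
#              3 max-age missing or malformed, 4 max-age below the minimum.
hsts_check() {
    min=${1:-15768000}

    # Strip CRs, then collect the value of every STS header. Field names are
    # case-insensitive, so match them that way.
    sts=$(tr -d '\r' | grep -i '^strict-transport-security:' | sed 's/^[^:]*:[[:space:]]*//')

    # grep -c exits 1 when there are no matches; "|| true" keeps the count.
    count=$(printf '%s\n' "$sts" | grep -c .) || true
    case $count in
        0) echo "no Strict-Transport-Security header" >&2; return 1 ;;
        1) ;;
        *) echo "$count Strict-Transport-Security headers; browsers honour only the first" >&2; return 2 ;;
    esac

    # Directive names are case-insensitive (RFC 6797), so compare in lower case.
    lc=$(printf '%s' "$sts" | tr 'A-Z' 'a-z')

    # max-age=N, with N optionally in double quotes; take the first occurrence.
    maxage=$(printf '%s' "$lc" | tr ';' '\n' \
        | sed -n 's/^[[:space:]]*max-age="\{0,1\}\([0-9][0-9]*\)"\{0,1\}[[:space:]]*$/\1/p' \
        | head -n 1)
    if [ -z "$maxage" ]; then
        echo "max-age directive missing or malformed: $sts" >&2; return 3
    fi
    if [ "$maxage" -lt "$min" ]; then
        echo "max-age=$maxage is below the minimum of $min" >&2; return 4
    fi

    if printf '%s' "$lc" | tr ';' '\n' | grep -q '^[[:space:]]*includesubdomains[[:space:]]*$'; then
        echo "ok: max-age=$maxage, includeSubDomains set"
    else
        echo "ok: max-age=$maxage, includeSubDomains not set"
    fi
    return 0
}

# Constructed sample response (not captured from a real server), in the form
# "curl -sI" prints. Pipe it through the check as a demonstration.
sample='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15768000; includeSubDomains
Content-Type: text/html'
printf '%s\n' "$sample" | hsts_check
```

Run it against the live host with `curl -sI https://example.org/ | hsts_check`; also try it against an error page (`curl -sI https://example.org/does-not-exist`) to confirm the header is sent on 404 responses too.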

Read more: Debian Administration