even then if we browse to a website say www.facebook.com, the response header from the Facebook servers would have HSTS mentioned
I made a curl request to http://www.facebook.com and this is what I got:
< HTTP/1.1 302 Found
< Location: https://www.facebook.com/
< Content-Type: text/html
< X-FB-Debug: zgK/A+8XSlghi/vWvAivsZ04gawpdr+3BuO7yuQaKDdrP/+B14oSVDSreHh0GbchyNPnav39pQq9Zgw5mSXX5A==
< Date: Sat, 29 Apr 2017 19:23:25 GMT
< Connection: keep-alive
< Content-Length: 0
As you can see, there is no HSTS header here, because according to its specification (RFC 6797):
An HSTS Host MUST NOT include the STS header field in HTTP responses
conveyed over non-secure transport.
Web browsers also ignore HSTS headers in http:// responses:
Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.
The purpose of HSTS is to tell the client NOT to switch to HTTP after it has accessed a website over HTTPS, and not the other way around. From Wikipedia:
HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking.
Protocol downgrade attack:
A downgrade attack is a form of attack on a computer system or communications protocol that makes it abandon a high-quality mode of operation (e.g. an encrypted connection) in favor of an old, lower-quality mode of operation (e.g. clear text) that is there for backward compatibility with older systems.
So an HSTS header is not used to redirect a new HTTP connection to HTTPS, but rather to prevent a browser from making HTTP requests to a site it already knows to be HTTPS.
The HTTPS Everywhere plugin, on the other hand, ensures that the web browser makes HTTPS connections to websites that support HTTPS but are also accessible over HTTP.
Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by using clever technology to rewrite requests to these sites to HTTPS.
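The behaviour described in this answer, as an added example that is not part of the original post: a minimal model of a browser's HSTS cache following RFC 6797, which ignores the header over plain HTTP, records it only from HTTPS responses, and upgrades later http:// URLs only for hosts already known. It assumes an in-memory cache with no expiry tracking, and the hostnames and header values used are constructed sample data.

```python
# Added example (not from the original answer): a small model of how a browser
# treats Strict-Transport-Security per RFC 6797. Assumptions: in-memory cache,
# max-age is recorded but not aged out, URLs carry no explicit port.
import re
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """Remembers which hosts have asserted an HSTS policy over HTTPS."""

    def __init__(self):
        self.policies = {}  # host -> {"max_age": int, "include_subdomains": bool}

    def process_response(self, url, headers):
        """Record an HSTS policy only if the response arrived over HTTPS."""
        parts = urlsplit(url)
        lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        sts = lowered.get("strict-transport-security")
        if parts.scheme != "https" or sts is None:
            return False  # over http:// the header could have been injected, so it is ignored
        m = re.search(r"max-age\s*=\s*\"?(\d+)\"?", sts, re.IGNORECASE)
        if not m:
            return False  # max-age is a required directive
        host = parts.hostname.lower()
        max_age = int(m.group(1))
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 tells the browser to forget the host
            return True
        self.policies[host] = {
            "max_age": max_age,
            "include_subdomains": bool(re.search(r"(?i)(^|;)\s*includeSubDomains\s*(;|$)", sts)),
        }
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a stored policy."""
        host = host.lower()
        if host in self.policies:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = self.policies.get(".".join(labels[i:]))
            if parent and parent["include_subdomains"]:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// only for hosts already known as HSTS hosts."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            return urlunsplit(("https",) + parts[1:])
        return url  # a host never seen over HTTPS is NOT upgraded; a redirect must do that
```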