Dajbych.net


Internet Explorer supports HTTP Strict Transport Security



HTTP Strict Transport Security (HSTS) provides decent defense against man-in-the-middle attacks. All the server has to do is send a certain header, and the browser will from then on only establish a connection with it via TLS. There is then no unencrypted connection at any point that an attacker controlling the network traffic could use to redirect users, without their noticing, to a fraudulent site. Today’s update (3058515) adds HSTS support to Internet Explorer 11 for Windows 7 and Windows 8.1.

Man-in-the-middle attack

It is very easy for an attacker to obtain a username and password if the connection is not encrypted with a sufficiently strong cipher. The user must send his password to the server in a form that only the server can read, and he must be sure that he is sending it to the server he thinks he is sending it to. Transport Layer Security (TLS) reduces this to a single requirement: only the root certificates of certification authorities you trust may be installed on the computer.

At present, the biggest weakness is probably the fact that, for backward compatibility reasons, an unencrypted connection is established first and is only then redirected to an encrypted one. If an attacker manages to control the network traffic (it is enough for the user to connect to a Wi-Fi network the attacker controls), he can modify this redirection so that it sends the user to his own server. After that, all he has to do is imitate the website he is pretending to be and obtain an SSL certificate for it. If the attacker does this well enough that the user does not notice anything at first glance and enters his login details into such a page, the user has handed the attacker control of his account. The user may not notice anything at all if the attacker builds his page to act as a proxy to the real site.

Defense

The vulnerability could easily be eliminated by encrypting all traffic from the start. However, that is not possible, because most web servers do not support TLS. The solution is to keep track of which sites support TLS and to establish a direct TLS connection only with those.

A browser's knowledge of which sites support TLS comes from two sources. The first is a simple list of servers that support TLS, compiled into the source code of the major browsers. It’s not exactly an academic approach, but its functionality cannot be denied.

The second is to send the following HTTP header to the client (after the redirect to TLS):

Strict-Transport-Security: max-age=15552000

The max-age parameter specifies the time in seconds for which the browser will connect to the server exclusively via TLS. The minimum value is 10886400 (18 weeks).
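As an added illustration (a constructed example, not code from this article or from Internet Explorer), here is a minimal model of what a browser does with the header: a parser for the Strict-Transport-Security value, and a store that ignores the header when it arrives over plain HTTP, remembers max-age per host, and rewrites http:// URLs to https:// while the policy is still valid. Host names and timestamps in the example are made up.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; return None if it is invalid."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:  # duplicated directive: RFC 6797 says ignore the header
            return None
        directives[name] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None  # max-age is mandatory and must be a non-negative integer
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives}

class HstsCache:
    def __init__(self):
        self.entries = {}  # host -> (expiry timestamp, includeSubDomains flag)

    def process_response(self, url, headers, now):
        """Record a policy from a response; return True if the header was accepted."""
        parts = urlsplit(url)
        header = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or header is None:
            return False  # a policy is only trusted when it arrives over TLS
        policy = parse_hsts(header)
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self.entries.pop(parts.hostname, None)  # max-age=0 withdraws the policy
        else:
            self.entries[parts.hostname] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def rewrite(self, url, now):
        """Upgrade an http:// URL to https:// when an unexpired policy covers its host."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            expires, subdomains = self.entries.get(".".join(labels[i:]), (0, False))
            if expires > now and (i == 0 or subdomains):
                return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url
```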

Support in Internet Explorer and Microsoft Edge

HSTS support in Internet Explorer was announced on February 16 for Internet Explorer in the Windows 10 Technical Preview. Both Internet Explorer 11 and Microsoft Edge (then still called Project Spartan) support HSTS in the Windows 10 Insider Preview. With the June updates, this support was added to Internet Explorer 10 in Windows 7 and Windows 8.1.

Where to get SSL certificates?

There are plenty of options. StartCom, for example, has a good offer: it issues certificates for non-commercial websites free of charge.