Lacking HSTS is not really "Mediocre"

[lgarron]

For example, Pinterest has a green checkmark for everything but HSTS. (Their SSL Labs grade is a B, but HTTPS Watch doesn't seem to care about SSL specifics).

But their search engine results (#62) results are HTTPS and they redirect to HTTPS – so it's likely that most (many?) users are following HTTPS URLs to pinterest.com now.

(That said, I happen to think HSTS is an excellent measure, and the most practical "final step" for sites to secure themselves until HPKP is ironed out. I help maintain the preload list. ;-)

[konklone]

When HTTPS is on and a redirect forced, HSTS is so easy to add that I think the pressure to add it is a good thing. Not to mention that for major social media sites like Pinterest, people type in the URLs all the time, which opens up an attack window and leaks otherwise-secure cookies over the wire during the redirect.

So the ROI seems pretty high. If it wasn't soooo easy to add, I'd agree. (HPKP, on the other hand, is valuable protection against active attacks, but is real work to pull off).

[lgarron]

While switching to HTTPS can break stuff, turning on HSTS can break more stuff.

Right now, an improper HTTPS switch can cause issues for your users that you can't monitor without the CSP report-uri directive. As browsers clamp down on mixed content, HSTS will steadily become more strict, with no click-through workaround (e.g. SSL error pages, HTTP scripts on HTTPS pages) for users who desperately need to use a site. This makes things even harder to debug, and will make users significantly angrier than staying on HTTP.

[lgarron]

I agree that typing in the domain directly is a problem, but:

• remarkably many users don't do that (they user search and bookmarks), and
• depending on the autocomplete mechanism they use, it might go to the HTTPS landing page they used before.

That said, I just typed pinterest.com into a new Chrome profile, and it still did an uncached insecure redirect the second time.

If a site already does everything else right, HSTS mainly protects users with very hostile ISPs/governments. Very few of coffeeshops and WiFi hotspots should be running SSLStrip or using fake certs. (But if active tampering on should-be-HTTPS sites is more common than I think, I'd love to know.)

I hope it's clear I think every site should strive to deploy HSTS, but I think it's not fair to downgrade a site to an orange "Moderate" warning just because they don't use HSTS. I'd rather see something like a distinction between "good" and "excellent" (like SSL Labs offers an A+ for getting all the details right).

[konklone]

I'd rather see something like a distinction between "good" and "excellent" (like SSL Labs offers an A+ for getting all the details right).

That'd be just fine too. My main point is that HTTPSWatch picks its battles (UX-wise and engineering-wise) with what tech standards to track and factor in, and factoring in Strict Transport seems very wise. Whether that's a carrot or a stick is less important.

I want to add that there is a non-technical but very important impact of Strict Transport, especially the effect of the preload list (which requires includeSubDomains for most sites), which is that it forces site owners to take stock of their network architecture and fill gaps where SSL has not been available. Part of my day job for the last couple months has been working with various site owners to get their site into the preload list. As you say, it involves more work than it might seem, but that level of audit is very beneficial.

[SecureUtah]

I mulled over changing the rating method for a few months while I worked on my forked version and finally decided to keep Mediocre for websites whose only failing was missing HSTS.

I initially thought about changing Mediocre to something less judgmental, such as Needs Work, or implementing a tiered system as in #52. But then I decided that since HTTPS can be stripped by a MITM attack and if HSTS (plus preloading) is all that's keeping that from happening, then a website shouldn't be rated Good unless HSTS is present.

To help visitors understand why HSTS is important I added a link to https://https.cio.gov/hsts/ next to the warning line HTTP Strict-Transport-Security header is not set so that they could find out more about HSTS right away. That link (props to @konklone) is the best and simplest explanation I've found so far.

I also added this to my About page to explain my reasoning:

Missing HSTS = Mediocre

Many of the sites that receive a Mediocre rating are only missing the HTTP Strict-Transport-Security header and have otherwise good HTTPS. The HSTS header is a vital component of helping visitors reach a website securely. Implementing HTTPS is not something that should be done piecemeal - without HSTS it is still possible for an attacker to intercept web traffic and prevent users from connecting over HTTPS. Thus, websites will not be rated Good unless they include HSTS.

Please read more about the importance of using HTTP Strict Transport Security:

Troy Hunt illustrated how he strips HTTPS from websites that are missing HSTS. Netcraft revealed how 95% of HTTPS websites lack HSTS, allowing MITM attacks. Including HSTS is part of the White House OMB's requirements for federal websites. Mozilla's guide for web developers provides further details for implementing HSTS.

[lgarron]

I mulled over changing the rating method for a few months while I worked on my forked version and finally decided to keep Mediocre for websites whose only failing was missing HSTS.

HSTS has gone more mainstream over the past year. I think this is now a reasonable policy.

[benjaminp]

@SecureUtah, I like that explanation a lot, so I went ahead and copied it over to HTTPSWatch.

Seems we can close this issue out.