Chrome's HSTS List

Last week I wrote about how I'm back to focusing on security, reliability, and bug fixes within Write.app. Well I'm very pleased to announce that we are officially part of Google Chrome's internal HSTS list. You can check out the official commit here. What does that even mean, you ask? Well it means that if you're using the latest version of Chrome, you'll automatically be taken to the SSL encrypted version of this site. Why is that special? Well normally it seems like you're taken straight to the SSL protected site anyway but you're actually not. Here's what really happens:

When you type in any website into your browser without adding the "http://" or "https://" in front of it, the browser automatically adds "http://" in front of the URL you've typed in. If the site you're trying to visit has HTTPS available then it's up to them to redirect you to the HTTPS version of the site. Most sites like Google, Facebook, and Write.app have this set up automatically but not all sites do this. But even with sites like Facebook and Google, without having HSTS enabled and/or not being on the HSTS list, there's room for an attacker to hijack your connection without you ever knowing. To understand how this happens you first need to know how a connection to a site like Facebook, Google, or Write.app happens:

Normally, it works like this...

  1. You type in "writeapp.me" into your browser

  2. You connect to Write.app for a split second over an insecure connection

  3. Write.app (or whatever other site you try) sees that you are trying to connect over an insecure line (plain http://) and automatically redirects you to the secure (https://) version of the site

  4. (Optional) If the site has HSTS enabled (like we do) we send a signal to your browser telling it that from now on, no matter what you type into the URL bar, it needs to automatically rewrite it so it uses "https://".

Normally, this setup is very secure. If step 4 is part of the mix then the connection is extremely secure. But there's still a catch! If you're connecting to the site for the first time then a hijacker can take over at step 3 and intercept everything you send to the site you're connecting to.

Anatomy of an attack

So how does that happen? Suppose you're connecting to the web on a public network like at a Starbucks or something. An attacker can be sniffing out web traffic, see you're trying to connect to Google, Facebook, or Write.app and intercept your connection. At that point, instead of you being directly connected to the site you thought you were connecting to, you're actually connected to the attacker but it ends up looking like the legitimate site. What the attacker is doing is intercepting your requests and passing them off as their own. So for example, let's say this happened to you while trying to connect to Write.app. You'd click a link to go to the Note Manager page and the attacker would see that, stop the message from reaching us, then send us the exact same request while pretending to be you. We'll end up sending your entire list of notes back to the attacker and he or she will then forward them on to you as if nothing funny is going on. But in reality they're keeping a copy of everything you send or receive from us.

How can you protect yourself completely?

Well, when it comes to security, there is no 100% secure anything however when it comes to HSTS the chances you'll be affected by this sort of attack is slim at best and with our addition to Chrome's internal list of HSTS enabled sites, we're about as close to 100% secure as it gets when it comes to SSL stripping attacks. If you browse the web using Google Chrome or Chromium you get all of our on-site protection plus Chrome's added security by way of it's HSTS list.

Being on this list means that your browser automatically connects to https://writeapp.me no matter how you enter it in and without being told. Now, remember this only applies to Chrome and Chromium as they are the only browsers that currently offer this functionality. This means you can enter any of the following into Chrome and it'll automatically correct it for you without us having to redirect you -

Those will always be rewritten as "https://writeapp.me" in Chrome. I'm really happy to have been added to the list but the truth is anyone can get on it. If you own a site and require SSL connections, email the Chrome team and they'll be happy to add you to the list. It's surprising more sites haven't been added as they offer to do this free. All you need to do is get in touch.

So now you can connect to Write.app with even more confidence knowing that not only have we implemented HSTS but we're on Chrome's internal list too.

More notes