HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is an optional security feature that instructs a web browser (or another User Agent, such as the VIC) to communicate with VTScada using only HTTPS. Once the browser has received the HSTS instruction from VTScada over HTTPS, it will refuse to make any attempt to communicate with that domain (and its sub-domains) using plain-text HTTP for as long as the instruction remains in effect; it requires HTTPS instead.

Why use HSTS?

HSTS addresses the threat of an attacker hijacking session cookies when User Agents (such as a browser or the VIC) communicate over unencrypted HTTP. It does this by including a Strict-Transport-Security HTTP header in HTTPS responses, which requires the User Agent to use HTTPS exclusively for the domain for a stated period. Any later attempt to communicate with the domain (or its sub-domains) over HTTP is refused by the User Agent itself: the request is upgraded to HTTPS before anything is sent, so no plain-text request reaches the network. Note that this also means a User Agent under HSTS will not connect at all if it cannot establish a valid HTTPS connection, for example because of an expired or untrusted certificate, so keep the server certificate valid before and after enabling the feature.

Enabling HSTS

HTTP Strict Transport Security is enabled and configured within the Realms tab of the Thin Client/Server Setup dialog. Refer to Configure a Realm.

HSTS can be enabled only after all of your realms and connection addresses are configured to use HTTPS. If you attempt to enable HSTS while an HTTP connection is still configured, a warning message reminds you of this requirement.

Maximum HSTS Age

HSTS causes User Agents to enforce HTTPS usage for a period of time, measured in seconds, known as the Maximum HSTS Age (the max-age directive of the Strict-Transport-Security header). A value of zero disables the feature. A User Agent applies the enforcement only after it has received an HSTS header with a non-zero Maximum HSTS Age over HTTPS; the header is ignored when it arrives over plain HTTP. The period is counted from the last time the User Agent received the header from your VTScada server: every HTTPS response that carries the header restarts the countdown, so a User Agent that communicates regularly never reaches the end of the period. Setting the HSTS Maximum Age back to zero has no effect on a User Agent until it receives the updated Maximum Age over an HTTPS connection.

You therefore cannot simply set the HSTS Maximum Age to zero and switch from HTTPS to HTTP. Only User Agents that connect to your VTScada server over HTTPS after you modify the HSTS Maximum Age will learn of the change; any other User Agent continues to enforce HTTPS until its stored period lapses or HSTS is turned off manually at that User Agent.

The HSTS Maximum Age is configured in the Thin Client/Server Setup dialog. Note that the minimum setting for HSTS Maximum Age that will actually enforce HSTS is 7 days (604800 seconds). This is a restriction of Windows.

Reverting to plain HTTP communication

Should you wish to allow plain HTTP communication with your VTScada server after HSTS has been enforced, set the Maximum HSTS Age to zero in the Thin Client/Server Setup dialog and then allow enough time for all systems using thin clients to connect to the server over HTTPS and receive the instruction to remove their HSTS enforcement. Inevitably, some systems will not communicate with the server during that period. Those systems must be reset manually:

  • For Chrome/Edge, visit chrome://net-internals/#hsts (or edge://net-internals/#hsts for Edge). In the "Delete domain security policies" edit field, type the domain for which you wish to clear HSTS.
  • For Firefox, open the history window with the keyboard shortcut Ctrl + Shift + H. Find the site for which you want to delete the HSTS settings. Right-click the site from the list of items and click Forget About This Site. You will need to restart Firefox.
  • For the VIC, open the Windows Control Panel and select Internet Options. On the General tab, click the Delete button (Browsing history). Make sure that the option "Temporary Internet Files" is selected and click Delete. You do not need any other options selected on this dialog.
  • For Safari, quit Safari and then edit the file ~/Library/Cookies/HSTS.plist. Remove all entries for your server from that file. You may need to restart your device.


It is sensible to plan the introduction of HSTS enforcement by configuring a short HSTS Maximum Age initially, so that any problems resulting from its use are short lived. For example, you could set the HSTS Maximum Age to the 7-day minimum, so that a User Agent turns off its HSTS enforcement 7 days after it last communicated with your VTScada server. This avoids having to make each User Agent forget about HSTS manually. After a time, you can increase the HSTS Maximum Age value. Commonly used values are in the range of one to two years (31536000 to 63072000 seconds), but you can set any value that is sensible in your situation.
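The User Agent side of the behaviour described under Maximum HSTS Age, Reverting to plain HTTP communication and the planning note above, as an added example in Python. This is illustrative code written for this page, not VTScada's or any browser's implementation: it parses a Strict-Transport-Security header, models a browser's HSTS policy store using the RFC 6797 rules (header honoured only over HTTPS, each receipt restarts the max-age countdown, max-age=0 deletes the policy), and walks through the enable, refresh and revert timeline to show why a User Agent that never reconnects keeps enforcing HTTPS. The host name scada.example.com, the header values and the clock values are constructed for the walkthrough.

```python
"""Model of how a User Agent (browser or VIC) handles HSTS.

Added example, not VTScada code. Follows RFC 6797: the header is honoured
only over HTTPS, each receipt restarts the countdown, max-age=0 forgets.
"""

SEVEN_DAYS = 604800  # documented minimum enforcing Maximum HSTS Age (seconds)


def parse_hsts(header_value):
    """Parse 'max-age=N[; includeSubDomains]'. Returns None for a malformed
    header (no max-age, or non-numeric max-age), which a UA must ignore."""
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class UserAgent:
    """Minimal HSTS policy store: host -> (expiry time, include_subdomains)."""

    def __init__(self):
        self.policies = {}

    def receive(self, host, scheme, headers, now):
        """Process one response from host. The header only counts over HTTPS."""
        if scheme != "https":
            return
        policy = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if policy is None:
            return
        if policy["max_age"] == 0:
            self.policies.pop(host, None)  # server asked the UA to forget
        else:
            self.policies[host] = (now + policy["max_age"], policy["include_subdomains"])

    def must_use_https(self, host, now):
        """True if the UA will refuse a plain HTTP request to host."""
        for known, (expires, include_subdomains) in self.policies.items():
            if now >= expires:
                continue  # countdown ran out since the last header was seen
            if host == known or (include_subdomains and host.endswith("." + known)):
                return True
        return False

    def forget(self, host):
        """Manual reset, equivalent to the per-browser steps listed above."""
        self.policies.pop(host, None)


def scenario():
    """Enable / refresh / revert timeline; every observation should be True."""
    host = "scada.example.com"  # constructed host name
    enforce = {"Strict-Transport-Security": f"max-age={SEVEN_DAYS}; includeSubDomains"}
    revert = {"Strict-Transport-Security": "max-age=0"}
    ua, stale = UserAgent(), UserAgent()
    out = {}

    # A header received over plain HTTP is ignored.
    ua.receive(host, "http", enforce, now=0)
    out["http_header_ignored"] = not ua.must_use_https(host, 0)

    # Received over HTTPS it is applied, and here covers sub-domains too.
    ua.receive(host, "https", enforce, now=0)
    stale.receive(host, "https", enforce, now=0)
    out["enforced"] = ua.must_use_https(host, 0)
    out["subdomain_enforced"] = ua.must_use_https("hist." + host, 0)

    # Every HTTPS response carrying the header restarts the countdown.
    ua.receive(host, "https", enforce, now=SEVEN_DAYS - 1)
    out["refreshed_past_first_expiry"] = ua.must_use_https(host, SEVEN_DAYS + 1)

    # Server sets Maximum HSTS Age to zero: only a UA that reconnects learns it.
    ua.receive(host, "https", revert, now=SEVEN_DAYS + 2)
    out["connected_ua_cleared"] = not ua.must_use_https(host, SEVEN_DAYS + 3)
    out["stale_ua_still_enforcing"] = stale.must_use_https(host, SEVEN_DAYS - 1)

    # The stale UA stops on its own once its stored period lapses ...
    out["stale_ua_lapsed"] = not stale.must_use_https(host, SEVEN_DAYS)
    # ... or immediately after a manual reset at the User Agent.
    stale.receive(host, "https", enforce, now=SEVEN_DAYS)
    stale.forget(host)
    out["stale_ua_after_manual_reset"] = not stale.must_use_https(host, SEVEN_DAYS)
    return out


if __name__ == "__main__":
    for step, ok in scenario().items():
        print(f"{step:32s} {'ok' if ok else 'UNEXPECTED'}")
```

The `stale` User Agent is the case the reversion procedure warns about: it received the policy once and then never connected again, so the server's later max-age=0 never reaches it, and it keeps refusing HTTP until either its own countdown lapses or someone clears the policy at that machine.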