HSTS (HTTP Strict Transport Security) is a web security mechanism that prevents protocol downgrade attacks such as SSL stripping. It allows a web server to instruct browsers to communicate with it only over HTTPS (TLS), so that all subsequent traffic is encrypted even if the user follows an insecure http:// link: the browser ‘corrects’ the request and fetches the secure URL instead.
HSTS works by the server sending a response header to the web browser. The header, here with a one-year policy, is:
Strict-Transport-Security: max-age=31536000; includeSubDomains
After receiving this header the browser will only communicate over HTTPS for the number of seconds given in “max-age” (31536000 seconds is one year), and every further response carrying the header refreshes that period. “includeSubDomains” is optional and, of course, extends the policy to all subdomains of the host that sent it. Note that the header is only honoured when it arrives over HTTPS; a browser ignores it on a plain-HTTP response, since an attacker could otherwise inject a bogus policy.
The browser will rewrite every http:// URL for the site to https:// before any request is sent, whether the user clicks a link, types the address or a page embeds a resource, so no data leaves the machine unencrypted. Additionally, if the security of the connection cannot be verified (for example because the certificate is expired, self-signed or issued for the wrong name) the browser blocks the connection outright and does not offer the usual click-through that lets a user bypass the warning.
Common browsers also ship with a preconfigured “preload” list of domains that are treated as HSTS hosts before any visit has taken place. A site can ask to be included by adding the “preload” directive to its header and submitting the domain to the list (hstspreload.org, which the major browsers draw from).
As the web browser may communicate with the web server before any HSTS policy is stored (on the first visit, or after a policy has expired), an attacker on the network path can simply strip the header from the server’s response, or serve a plain-HTTP copy of the site, before it reaches the victim; the attacker does, however, need to be in the right place at the right time. Additionally, as the HSTS header specifies a timeout for the security mechanism, it may be possible for an attacker to expire the policy by shifting the victim’s system clock forward, for example by sending forged NTP replies, after which the next http:// request goes out in cleartext. Preloading the domain closes both windows, as preloaded entries are built into the browser and are subject neither to a first visit nor to max-age expiry.
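To make the header processing, the URL rewriting and the two attack windows above concrete, here is an added example (not code from the original article, and not any browser’s real implementation) of a minimal HSTS policy store in JavaScript, modelled on the behaviour RFC 6797 requires of a user agent. It goes slightly beyond the text by also handling the “preload” directive and a max-age of 0, which removes a policy. The hostnames, URLs and clock values are constructed; the clock is injectable so the NTP-style clock-shift attack can be played out deterministically.

```javascript
// Minimal model of a browser's HSTS policy store. Added example; hostnames,
// URLs and times are constructed and do not come from the original article.

const MAX_AGE_DIRECTIVE = /^max-age=(\d+)$/i;

// Parse a Strict-Transport-Security header value into a policy object.
// Returns null when no max-age is present; an unparseable header leaves the
// host without a policy, as it would in a real browser.
function parseHsts(headerValue) {
  let maxAge = null;
  let includeSubDomains = false;
  let preload = false;
  for (const raw of headerValue.split(';')) {
    const token = raw.trim();
    if (token === '') continue;
    const m = MAX_AGE_DIRECTIVE.exec(token);
    if (m) { maxAge = Number(m[1]); continue; }
    if (/^includeSubDomains$/i.test(token)) includeSubDomains = true;
    else if (/^preload$/i.test(token)) preload = true;
    // Unknown directives are ignored, as RFC 6797 requires.
  }
  if (maxAge === null) return null;
  return { maxAge, includeSubDomains, preload };
}

class HstsStore {
  // `now` returns epoch milliseconds; injectable so tests can move the clock.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.policies = new Map(); // host -> { expires, includeSubDomains }
  }

  // Record the policy carried by a response from `host`. A header seen on a
  // plain-HTTP response is ignored, which is exactly why an on-path attacker
  // who strips the header on the first visit leaves the victim unprotected.
  observeResponse(host, scheme, headerValue) {
    if (scheme !== 'https') return false;
    const policy = parseHsts(headerValue);
    if (policy === null) return false;
    if (policy.maxAge === 0) { this.policies.delete(host); return true; }
    this.policies.set(host, {
      expires: this.now() + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Is `host` covered by an unexpired policy, either directly or through a
  // parent domain whose policy carries includeSubDomains?
  isKnownHost(host) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const p = this.policies.get(candidate);
      if (!p) continue;
      if (p.expires <= this.now()) { this.policies.delete(candidate); continue; }
      if (i === 0 || p.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL to https:// before any request would be sent.
  upgrade(urlString) {
    const url = new URL(urlString);
    if (url.protocol === 'http:' && this.isKnownHost(url.hostname)) {
      url.protocol = 'https:';
    }
    return url.toString();
  }
}

// Walk through the scenarios from the article with a fixed, constructed clock.
function demo() {
  let clock = 1700000000000; // constructed epoch millis
  const store = new HstsStore(() => clock);
  const results = {};

  // First visit over plain HTTP: the header never reaches the browser over a
  // secure channel (or an attacker stripped it), so nothing is stored.
  store.observeResponse('example.com', 'http', 'max-age=31536000; includeSubDomains');
  results.afterStrippedFirstVisit = store.upgrade('http://example.com/login');

  // A later HTTPS visit delivers the header; http:// is now rewritten,
  // including for subdomains, but not for unrelated hosts.
  store.observeResponse('example.com', 'https', 'max-age=31536000; includeSubDomains');
  results.afterPolicy = store.upgrade('http://example.com/login');
  results.subdomain = store.upgrade('http://www.example.com/');
  results.otherHost = store.upgrade('http://other.example/');

  // Clock-shift attack: push the victim's clock past max-age and the policy
  // expires, so the next http:// request would go out in cleartext.
  clock += 31536000 * 1000 + 1;
  results.afterClockShift = store.upgrade('http://example.com/login');
  return results;
}

console.log(demo());
```

A real browser additionally persists the store across restarts and consults the built-in preload list before this table; a preloaded host would still be upgraded in the last step, which is the practical reason to preload.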