Security for the Web

Security Thoughts for Start-ups

2013-05-30T14:30:00.000-07:00

Last night I spoke at the SFNewTech event "How To Avoid Online Security Headaches" along with a great group of speakers:

Joe Sullivan, Chief Security Officer of Facebook
Michael Coates, Director of Security Assurance at Mozilla
Mark Risher, CEO/Founder, of Impermium
Deron McElroy, Director of Regional Partnerships, Cybersecurity and Communications (CS&C) at U.S. Department of Homeland Security (Invited)
Dan Goodin, IT Security Editor at Ars Technica (Moderating)

The format included a brief 10 minute introductory presentation from each person. My slides are available on slideshare and embedded below. This is clearly not the entirety of what you should consider about security. Instead. the intention was to provide a 10 minute crash course to raise awareness of key items that deserve consideration.

Sf startup-security from Michael Coates

-Michael Coates - @_mwc

Avoiding the Security Gate

2013-05-07T03:00:00.000-07:00

The worst place for a security program is to be a gate at the end.

What happens in organizations where security is seen as the final hurdle in order to launch a new service or feature? Security becomes the enemy. The development team has toiled for months to create and build the new code. They're over budget, over worked, over schedule and all they want to do now is launch. But one thing stands between them - the nod from the security team.

In this scenario the developers don't care about security. They have no interest in best practices, least privilege or layers of defense. All they want is the green check that means there code is shipped to the world.

This is not to say that developers don't care about security - in fact, I'd argue they very much do care. Instead, this is a reflection of a poorly built system that places one team in a position of superior control and results in the natural level of frustration and animosity.

If this sounds like your organization then you've done something wrong.

Over the next several posts I'll talk about avoiding the security gate and building an effective security program. We'll explore the following topics, and maybe more.

Team structures for security
Pushing security left
Inverting the scanning model
Operating at scale

Stay tuned for more...

-Michael Coates - @_mwc

OWASP Talk at RSA Well Received - Audience Feedback

2013-04-22T11:10:00.001-07:00

This year I presented for OWASP at RSA. The talk was titled Security: Looking Forward - Protecting Critical Applications with OWASP

About 100 people attended (filled the room) and a quarter of the attendees submitted feedback. Happy to see the talk was well received.

-Michael Coates - @_mwc

Speaking at RSA for OWASP

2013-02-21T18:46:00.005-08:00

I'll be speaking at RSA 2013 on behalf of OWASP. Hope to see you there.

Friday, March 1
10:20 AM - 11:20 AM
Room 123

Security: Looking Forward - Protecting Critical Applications with OWASP

Top 10 application security risks, free online security training, advanced application security testing tools, guidance on secure development lifecycle – these are all free resources produced by the OWASP open source community. Join this session and find out how to support and leverage the OWASP organization to help the fight for secure applications!

--

Also make sure to check out Jerry Hoff and Jim Manico's 4 hr seminar on Approaching Secure Code/

Monday, February 25
1:00 PM - 5:00 PM
Room 132

OWASP-001 - OWASP: Approaching Secure Code – Where do I Start? (Half Day)

Regardless of your chosen/mandated framework for building web applications: Spring, Struts, Rails, PHP, Python, etc., you want to make your life easier, and potentially less embarrassing. Don’t be the one who left the door open for hackers. Learn handy tips from one of the world’s leading AppSec experts. Recommended for: Developers (dev managers welcome, assign people from your team to attend). Bring yourself, no materials required.

-Michael Coates - @_mwc

Leading Change in an Open Organization

2013-02-21T18:38:00.000-08:00

Below is an email I recently sent to the OWASP leader's list. I think this perspective applies to many open source projects.

(Minor corrections for typos.)

---

We had a lively debate of various points this week. The actual issues aside, I’d like to provide some perspective on leading change.

The takeaway from the heated discussion was:
1. Some people feel X is bad
2. Other people feel X is fine
3. Some people feel some small tweaks would have made X better

There was some good civil discussion, some shouting occurred, accusations were thrown around, and in the end the issue slowly fell away.

What were the results of this conversation?
1. Some people felt better to share their thoughts on an issue
2. Other people were likely offended from accusations
3. A list of several hundred people watched the back and forth
4. We ended where we started – this may be because our current stance is acceptable or because our approach to initiating change was poor

My two cents on how to lead effective change at OWASP
Keep the stones you are about to throw in your pocket. Use those stones to build a bridge.

* Change happens when people evaluate a situation, receive a variety of feedback, and build consensus around a path forward
* Assume good intent – everyone is putting in countless hours of time, when situations get close to the grey zone, let’s assume good intent and act as a team
* Apply change in a forward-looking fashion. Most people are happy to get on board with an approach that is well thought out, socialized with the community, and better for OWASP.
* Look at issues holistically. If the whole forest is on fire, it doesn’t do any good to pick a single tree and focus on that. Look at the overall incentive structure, and the public guidance – we likely need to rethink the overall program.

How does this manifest at OWASP?
Do you think X, Y, or Z can be better? If so, start a global initiative and get some people involved from various perspectives (for and against, various vantage points/backgrounds). Evaluate the situation and consider the various incentives at play.

Is this red tape? Not really, you’re free to approach the problem however you choose. But please consider this advice as you drive to lead change in an organization that spans the world, is completely open and volunteer driven, and is trying to fundamentally change knowledge sharing around an area that many people don’t understand.

-Michael Coates - @_mwc

The Safest Car Possible Provides No Safety

2013-01-24T18:24:00.000-08:00

Let's design the safest car on the market. Not just a 5 star safety rating safe, but the absolute safest. Our goal will be to prevent a death from ever happening with this car. We'll fight vehemently for every safety control and block any feature that doesn't provide the highest degree of safety. After all, we know how to design safety controls for nearly every potential risk.

What kind of car would we get? Well, it certainly would be the safest. But it probably also wouldn't move past 20 mph since high speeds create risk. The doors would have foam on the edges since people often hit themselves when opening it. Don't even think about windows that roll down, people often loose limbs by hanging their arms out into the fresh air. But, fear not this would be the safest car around and experts will applaud its extreme safety.

Now that we have a safe car let's ask ourselves this question, are drivers actually safer? No, because no one will buy the car. It may be safe, but the car can't compete in terms of expected features and normal usability. Since no one is using the car, the level of safety of drivers remains unchanged. They all still use the same cars designed by competitors with varying degrees of safety.

In order to be disruptive in a particular market on safety you have to first ensure you car is competitive on all other fronts. Only then can you focus efforts on excelling on safety. In addition, design decisions that unilaterally prioritize safety over basic and expected use cases and features must be rethought.

Is this to say that safety must be deprioritized in order to build a competitive car? Absolutely not. In fact, safety can be used as an amazing differentiator. Get the best and brightest safety engineers and approach safety in new ways. You could very well build a car that can do amazing things while still being safe. Tackle new crazy features that drivers would love to have in their car but no one else can figure out how to design safely. Combine tried and true safety knowledge with new and creative approaches to safety that pass comprehensive testing. This is how you can win on safety and build a car that will protect drivers - because they actually want to buy it.

Don't build a car that no one buys. You aren't protecting anyone.

-Michael Coates - @_mwc

SC Magazine's - Influential IT Security Minds in 2012

2012-12-03T09:33:00.002-08:00

I'm honored to be included in SC Magazine's Influential IT Security Minds of 2012. The security field is an amazing place to work that is constantly changing, challenging in many different ways and always keeps you on your toes. I enjoy the days I spend working at Mozilla and the evenings spent working with OWASP. In both organizations I love the opportunity to share our security ideas, tools, techniques, and more with the world. The power of collaboration and community is truly amazing.

SC Magazine's 2012 list includes:

Valerie Aurora and Mary Gardiner

Michael Coates

Gabriella Coleman

Ron Ross

Chris Soghoian

-Michael Coates - @_mwc

EFF Demystifies E-Book Readers Data Tracking

2012-11-29T19:29:00.000-08:00

The EFF just posted a great breakdown of various E-book readers and their tracking/data collection policies. This summary addresses items such as:

Can they (the manufacturer) keep track of searches for books?
Do they keep a record of book purchases?
With whom can they share the information collected in non-aggregated form?

I certainly commend the EFF for pulling together this information. However, I'd really like to see user and industry expectations progress to the point where this kind of data is considered a requirement and is clearly provided by the manufacturer whenever an e-book reader is launched.

From the EFF.org article

Unfortunately, unpacking the tracking and data-sharing practices of different e-reader platforms is far from simple. It can require reading through stacked license agreements and privacy policies for devices, software platforms, and e-book stores.

Lastly, data rights on e-book readers is not just a topic for privacy enthusiasts. We've seen real world actions that are surprising to say the least. For example, the 2009 incident where Amazon suddenly removed George Orwell's "1984" and "animal farm" from many users' kindle devices.

-Michael Coates - @_mwc

Bug Bounty Panel @ OWASP AppSecUSA

2012-11-26T03:00:00.000-08:00

During the 2012 OWASP AppSecUSA we held a panel on bug bounty programs. Below you'll find the video of the panel.

Panel moderator: Jeremiah Grossman
Panelists:
Michael Coates (Mozilla)
Chris Evans (Google)
Adam Mein (Google)
Alex Rice (Facebook)
Zane Lackey (Etsy)

Bug Bounty Programs - Michael Coates, Chris Evans, Jeremiah Grossman, Adam Mein, Alex Rice from OWASP AppSec USA on Vimeo.

Bug Bounty Programs- Panel - Moderated by Jeremiah Grossman from David Hughes on Vimeo.

-Michael Coates - @_mwc http://vimeo.com/channels/appsecusa/54130349

4 OWASP Videos You Should Watch

2012-11-08T15:02:00.001-08:00

Curious about OWASP? Want to learn more? Here's a few quick videos about OWASP and a video from the OWASP AppSecTutorial series.

Newly elected board member Jim Manico talking about OWASP
Former board member Jeff Williams on OWASP
Episode 4: HTTP Strict Transport Security - 10 minutes to learn a security topic from the OWASP AppSecTutorial Series
OWASP AppSec Trailer - Just like a movie preview!

Enjoy!

-Michael Coates - @_mwc

Web Security Training with OWASP ZAP

2012-11-06T03:00:00.000-08:00

Just a few weeks back I presented at Beaver Bar Camp in Corvalis, Portland. I provided an introduction to web security with OWASP Broken Web App VM and OWASP ZAP. Students learned about common application security vulnerabilities and secure design patterns.

The training lab included the following components and I distributed it to students via USB drives:

Slides and setup instructions are available at the following link:
http://people.mozilla.org/~mcoates/WebSecurityLab.html

-Michael Coates - @_mwc

HTTP Strict Transport Security - Growing Support

2012-11-05T17:51:00.000-08:00

HTTP Strict Transport Security will soon be taken to a new level within Mozilla Firefox
Read more about HSTS preloading from this article by David Keeler.

If you're unfamiliar about HSTS then you should definitely watch this short video from OWASP on the benefits. This video is from the OWASP AppSec Video Tutorial Series

-Michael Coates - @_mwc

OWASP Security Blitz Continues - May is Cross Site Scripting

2012-05-07T02:00:00.000-07:00

Last month we started the monthly OWASP security blitz. We have a new month and a new topic. The blitz topic for May is Cross Site Scripting. There is also an OWASP wiki page were we're tracking the submitted stories, links, and more. The wiki page also has the topics for the next few months.

As a final note, I love one of the submissions from April on SQL injection - informative and funny!

-Michael Coates - @_mwc

OWASP Security Blitz

2012-04-03T07:49:00.001-07:00

[Originally posted at http://owasp.blogspot.com/2012/04/owasp-security-blitz-april-injection.html]

OWASP is starting a monthly security blitz where we will rally the security community around a particular topic. The topic may be a vulnerability, defensive design approach, technology or even a methodology. All members of the security community are encouraged to write blog posts, articles, patches to tools, videos etc in the spirit of the current monthly topic. Our goal is to show a variety of perspectives on the topic from the different perspectives of builders, breakers and defenders.

Today I'm happy to kick off our first month of the OWASP Security Blitz with the topic of:
Injection Attacks - SQL Injection

Please tweet your contributions with hashtag #OWASP and also add a comment to this post with a link to the material.

At the end of the month we will gather the new articles and include a summary in an upcoming OWASP newsletter. We may even hold a small vote to determine the best contribution of the month.

Let's start the rally!

-Michael Coates - @_mwc

A Lesson in Predictable Identifiers

2012-03-16T23:50:00.002-07:00

Authorization can be a fickle thing, especially when you want to perform authorization without performing authentication immediately beforehand. The situation I'm speaking of came front and center for Oink as they created an export tool to allow users to download their data.

The export tool worked as followed:

User logs in and begins export process
User receives an email with a link to download their data
User visits link within 48 hours and obtains all their data

above image and original report from (cristina cordova)

The problem occurs in step 2 with the created link. In this situation the link was predictable. The link was built in the format of "<username>-export.zip". So, if you have a list of usernames (perhaps you were able to perform a username enumeration attack on the site or just guessed usernames based on the naming pattern) then you could script the requests to download everyone's data.

There is one caveat to consider, the victim account must have activated the export tool and the attacker must attempt their attack against the particular victim within 48 hours.

I should state that the oink site was designed with all user data as publicly accessible, so this isn't exactly a major data breach. However, even when the data is technically already public, an issue like this can still cause surprise to users and cause them to question overall data handling and impact site reputation.

How could this system been designed better?
There are a few options that can be considered:
1. The URL should contain a large random nonce. This approach would prevent an attacker from easily guessing a valid URL.
2. Force the user to authenticate before the download starts to ensure it is the authorized user for the requested data.

Let's assume option #2 wasn't a valid design choice due to other factors (cause it's really the simplest way and there must have been some reason they didn't pick it). Is option #1 on its own enough? If the nonce is large enough then the answer is yes.

Why is a large nonce good enough?
Sure, you can attempt to brute force any nonce values in hopes of finding a valid value. But if these tokens are sufficiently large and short lived, you really don't have a chance. Remember we happily rely on large nonce values as session IDs for every authenticated transaction. If it was realistic to brute force a valid session ID then attackers would simply do that and not worry about trying to compromise users, applications, or the browsers.

-Michael Coates - @_mwc

Security 101 OWASP Community

2012-03-13T02:00:00.000-07:00

A few weeks back I posted a thread in the OWASP leaders community regarding several security talks I'd presented at various developer groups. The talks individually went great, but I left with a feeling that I'd missed an opportunity to establish a continued method of interacting with the new group. We'd covered lots of new security topics and there would mostly likely be continued questions or discussion over the coming days.

In response we've now created security101@lists.owasp.org. This OWASP mailing list has been created with the specific purpose of helping individuals new to security with basic security questions. The goal is to have a place where any type of new security question could be asked. The answer could be a brief explanation of security concepts or perhaps a link to existing OWASP material or presentations on the topic. And if we don't have OWASP material available, that's a good indication we've got a gap to address.

So, if you're new to security and have a question, please jump in. If you've got some cycles to help out we need you too.

https://lists.owasp.org/mailman/listinfo/security101

-Michael Coates - @_mwc

Security for a Greater Good

2012-02-03T17:26:00.000-08:00

I'm very excited to be helping Ushahidi build a security group to enhance the security of their software. Ushahidi describes itself as the following:

We are a non-profit tech company that develops free and open source software for information collection, visualization and interactive mapping.

However, this organization is far more than just a tool for information mapping. If you talk with anyone involved, or just read their about page, you'll quickly find out that this organization is developing tools that can be used to bridge the gap between technology and human crisis reporting.

Working with Ushahidi is a rare opportunity to use our technology and security skills to protect the well-being of individuals that are attempting to report oppression or violence against their fellow citizens.

If you're part of the Mozilla or OWASP community then keep an ear out. As we formalize our approach we'll be reaching out to these technology and security communities looking other volunteers that are interested in contributing their security skills to this project.

-Michael Coates - @_mwc

Security & Health Care Startups

2012-02-03T09:44:00.000-08:00

Two weeks ago I had the opportunity to speak at Rockhealth's Health Innovation Summit held here in San Francisco. This was a great conference that brought together many developers and health care tech startups that are looking to revolutionize the way health care is managed throughout the US and the world.

I led an application security workshop where participants where able to setup a virtual testing environment on their laptop and understand critical web application security vulnerabilities through hands-on hacking exercises. We covered topics such as cross site scripting, access control, cross site request forgery and sql injection. We had a few minutes left over and even jumped into clickjacking too.

The lab used the OWASP BWA virtual machine and we focused on the OWASP Webgoat security learning software. My slides are currently built with screenshots using burp proxy, but I'll be updating those soon to switch over to OWASP ZAP Proxy.

The event was fantastic and there was a lot of positive feedback and great questions during and after the workshop. I'm working with representatives from rock health to identify other ways that OWASP can continue to participate in their developer meetings in the future.

Slides and instructions for setting up the lab are online here.

-Michael Coates - @_mwc

How Would You Change App Store/Market Permission Models?

2012-01-06T10:01:00.000-08:00

In a shift from my normal informational type posts, today I'm interested in starting a discussion on the topic of App Markets/Stores.

Apple has a more rigid review process and a slower time to market for Apps. Google allows apps quickly to market and relies on the visibility of requested permissions and shifts security decisions to the users. (Very basic descriptions, there are many more moving parts)

Which model is working better? If you could make changes to either model, what would you change?

Interested in thoughts and ideas.

-Michael Coates - @_mwc

Free Application Security Training Course at Beaver BarCamp 3

2011-10-03T03:00:00.000-07:00

At the end of October I will be hosting a free web application security training course at Beaver BarCamp 3. The conference will be held on Saturday, October 29 from 10am to 6pm at Oregon State University. Beaver BarCamp is free and open for anyone to attend!

What is this barcamp conference?

BarCamp is an ad-hoc gathering born from the desire for people to share and learn in an open environment. It is an intense event with discussions, demos and interaction from participants who are the main actors of the event. — barcamp.org

The list of events aren't fully published yet, but you can take a look at last year's agenda to get an idea what type of topics may be discussed at the conference.

Hope to see you there.

-Michael Coates - @_mwc

Article Published: Creating Attack-Aware Software Applications with Real-Time Defenses

2011-09-13T07:30:00.000-07:00

CrossTalk, The Journal of Defense Software Engineering, has just published our article "Creating Attack-Aware Software Applications with Real-Time Defenses" in the September edition. A huge kudos to the entire team and especially Colin Watson for leading this effort.

Authors:

Colin Watson @clerkendweller
Michael Coates @_mwc
John Melton @carosec
Dennis Groves @degroves

Abstract. Attack-aware software applications provide attack detection and real-time defensive response with a very low false-positive rate. This technique allows an application to detect and neutralize a threat before the attacker exploits a known or unknown vulnerability. The approach is especially suited to soft-
ware applications with high information assurance requirements such as in the defense, critical national infrastructure, and financial service sectors to protect against cyber espionage, fraud, business logic abuse, tampering, and theft. The Open Web Application Security Project (OWASP) has developed a methodology, documentation, code and pilot demonstration which can be freely used to apply the concepts; this project is called AppSensor.

Full Article (pdf)

-Michael Coates - @_mwc

Joining OWASP Board

2011-08-18T17:35:00.000-07:00

The 2011 OWASP elections have concluded. I'm thrilled to have the support and backing of the OWASP community as they've voted me to one of the three board positions.

For readers of my blog that aren't already aware of OWASP, this is a worldwide non-profit & open source organization with the mission of improving the state of application security. This translates to an incredibly talented group of security experts all working towards a common good.

Open source, free from corporate control, free to the world - what more could you ask for?

I've been a long time OWASP supporter, have led and contributed to several projects, spoken at numerous conferences in the US and Europe and now I am excited to continue advancing the mission of OWASP through my efforts on the board.

I'd love to hear people's goals and ideas for OWASP. But as a volunteer community that empowers everyone, I'd more like to see you take those ideas and run with them! OWASP is a community of action and on the OWASP board I will work to empower individuals around the world with the resources, audience, and tools that are needed to continue producing top notch security materials.

Take a moment and help contribute to the OWASP mission.

How can you help?

Start or join an OWASP project
Expand the OWASP wiki
Become a member
Attend the next OWASP Conference
Stop by at your local chapter meeting
Participate on the email lists or the community site

-Michael Coates - @_mwc

Hiring Response to Recent Attacks Is Misguided

2011-08-12T10:26:00.001-07:00

Sadly the response to security compromises in the news seems to be a push to buy more firewalls. Firewalls provide no defense against application security attacks. The article below reminds me of a great chart by Gunnar Peterson

According to the barclay interim report which is also being referenced in stories on CSOonline.com

The increase in electronic attacks has had a direct impact on the demand for network security professionals. Companies are now strengthening their network security infrastructure. There is an increase in demand for firewall experts with qualifications in Juniper and Checkpoint and for security practitioners with experience of configuring IDS/IPS systems. As the year progresses those who have specialised in network security will be more highly sought after which will increase rates for permanent and contract candidates alike.

If you read through the barclay report you'll notice they are specifically referring to the following high profile events:

Attacks against:

Visa, Amazon, MasterCard and PayPal
The multiple Sony compromises
Nintendo, RSA SecurID, Gmail and CitiBank

Some of these were distributed denial of service attacks, but many were application specific attacks that resulted in the compromise and data disclosure. If the concern is SQL injection and application security, then invest in your SDLC and look for application security experts. No amount of firewalls will help this issue.

Now, don't get me wrong. We still need firewalls and many network security experts. They provide invaluable security services. Just make sure your strategy is actually addressing the problem you are attempting to solve.

-Michael Coates - @_mwc

OWASP 2011 Elections - Vote Now

2011-08-08T15:49:00.000-07:00

The voting is now open for the OWASP 2011 elections. I've been a passionate supporter of OWASP for years, a leader of multiple OWASP projects, a speaker at the conferences and am excited about the possibility of joining the OWASP board.

Please read more about my background and my vision for OWASP. You can also listen to the board candidate interviews. Here is the link to the OWASP 2011 elections wiki page with all the info.

Watch your email for the voting link and thanks for your support.

My Vision For OWASP

Technology is changing at a rapid pace and security plays a vital role in the technology ecosystem. Security should not be seen as a blockade to innovation; instead, security can be leveraged to allow our technology to do more than we ever realized. OWASP is well poised to provide the advanced security knowledge, tools and training to empower companies to integrate security as a product differentiator and impetus for technology advancement.
My vision for OWASP includes a board that creates opportunities and acts as a catalyst for OWASP projects and the advancement of the OWASP mission. OWASP is powerful because of the massive expertise that we contain from all of our contributors around the world. I believe that the OWASP board should provide the necessary resources, technologies, funding and support for OWASP contributors to be successful in growing security technology, addressing security challenges and sharing these skills with the world.
In addition, I feel the OWASP board should work to help OWASP identify key challenges that should be focused upon in a planned period of time. The combination of addressing an identified security challenge and continued support for individual project growth will allow OWASP to both leverages our collective expertise and also support organic individual project growth. I believe this two-pronged approach will allow OWASP to continue to grow and create world-class security resources.
The following areas are key positions that I hold and represent the direction I wish to pursue on the OWASP board:

Breaking out of the Echo Chamber: OWASP should focus on working with people that have never heard of OWASP before. I plan to build the necessary presentations, tools and funding to get OWASP members at college campuses and developer conferences to teach OWASP materials.

Funding: OWASP is a non-profit and is powered by our mission and our volunteers. However, we can do more if we have the necessary resources to dream big. I plan to pursue grants and funding that enable OWASP to do more to spread our knowledge and advance our mission.

Integration with Enterprises: As a security professional employed at a major technology company I wish to further expand OWASP's involvement with corporate entities to address the core risks and challenges they are facing. This involves sitting down with these industries through our global committees and identifying their needs and how we can help meet them.

Community and Open: I strongly believe in the O in OWASP. Like the web, security should be open and available to all. The power of OWASP lies in the individuals that donate their time and skills. I plan to grow our community and identify ways we can further strengthen the worldwide community.

-Michael Coates - @_mwc

Enhancing Secure Communications with Strict Transport Security

2011-07-11T07:36:00.000-07:00

New security capabilities in Firefox, Chrome and several other browsers enable web applications to create a more secure browsing experience with users.

Summary

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.

Background & Details

As an application owner one of your goals, in addition to providing an exceptional experience to the user, is to provide a secure interaction with your web application that protects any data submitted by, or sent to, the user. However, during the user's interaction with the web application the user may be targeted by malicious parties that are attempting to compromise the confidentiality or integrating of the browsing session. Their goal may be to view the sensitive data that is transmitted between the user and the application or possibly modify the exchanged data to install malicious viruses on the end user's machine or trick the user to insecurely provide their credentials so the attacker can steal this information.

The primary defense mechanism to protect data exchanged between the user and the web applications is to allow users to interact with their web application over Secure HTTP (i.e. HTTPS). When properly configured HTTPS establishes a secure channel between the user and web application which guarantees the data cannot be read, modified, or replayed by a third party. However, there are many situations where a web application has been incorrectly designed which invalidates these guarantees and places the user at significant risk to these man-in-the-middle attackers. (See TLS Cheat Sheet)

Recent security enhancements to Firefox and Chrome now allow websites to instruct the end user's web browser that the specific website should only be accessed over HTTPS. In other words, the website now has the power to instruct the user's browser to not send any insecure communications to the website's domain. This is accomplished by a new feature called Strict Transport Security.

Example of the HTTP Strict Transport Security header
HSTS is enabled by an additional response header set by the web application

Strict-Transport-Security: max-age=60000

HSTS Eliminates Certificate Error Messages and User Override
HSTS is a specific opt-in security control that is enabled by a website for a specific domain. By enabling this control a website is saying that the user should only interact with this domain over a secure channel and similarly, never send any data over an insecure communication channel. Therefore, if the browser cannot validate that a secure channel has been established for any reason (e.g. expired certificate, domain mismatch, untrusted issuer) then no data will be sent by the browser and the user will receive an error page. Unlike the typical certificate error page that allows a user to accept the risk and continue, the HSTS error page does not allow a user to override the message. The logic behind this is that the website has specifically enabled HSTS and there should be no legitimate scenario that results in an invalid certificate.

Protecting Against Users Bookmarking HTTP or Typing HTTP to Reach Site
HSTS also protects against a common scenario that places users at risk with many HTTPS websites. A user that visits a website from a bookmark or search engine result may initially request the HTTP page for the site. Most sites will quickly redirect the user to the correct HTTPS page. However, this initial request and response is sent over clear text HTTP and could be tampered with by an attacker. If the user is not vigilant they could enter their credentials on a page that has been modified by the attacker to steal the user's information. HSTS eliminates this vulnerability by instructing the browser to "upgrade" the initial HTTP request to HTTPS before it leaves the browser. As a result the user only interacts with the site over a secure channel and never gives the attacker a chance to tamper with any of the exchanged data.

Who Should Use HSTS?
Sites that currently offer HTTPS access should strongly consider adopting HSTS. If there is any reason for offering a secure connection then it is prudent to ensure that users are able to leverage the increased security capabilities offered by HSTS.

More Information
More information can be found at the following links. In addition, two popular sites currently using HSTS include paypal.com and addons.mozilla.org. Check them out to see HSTS running live.

Wikipedia.org entry

MDN Docs for HSTS

-Michael Coates - @_mwc