Recently the U.S. DotGov registrar announced that all U.S. government sites will be added to the HTTP Strict Transport Security (HSTS) pre-load lists on browsers. This is a very important step in ensuring that all access to U.S. government sites is completely secure.
Frequently, when a browser attempts to access an HTTPS website, it first attempts a plain, unencrypted HTTP connection. Once this attempt is done, then the connection is upgraded to HTTPS. This allows for some eavesdropping and provides an attack vector for man-in-the-middle (MITM) attacks. HSTS is a standard method of letting the browser know that the connection must be upgraded. To avoid a MITM attack when the first request is sent, browsers can have a list of domains that use HSTS. This is called HSTS pre-loading, and it basically skips any chance of using HTTP at all, making the entire process more secure.
The current process will take some time to complete, but all new .gov domains will be pre-loaded automatically from Sept. 1 of this year. Older applications still have some time to comply with this change.
Since the start of the current massive work-from-home movement, we’ve been seeing many organizations going through this change. A lot of older applications that have been running HTTP on the intranet have had to be forcibly HTTP-ized to allow external access. In some cases, this has been a relatively easy task because the application was newer. In other cases, though, admins have had to spend significant time trying to get these applications upgraded — either from plain-HTTP to HTTPS, or to use more secure versions of the TLS protocol (many of these applications topped out at SSLv3).
How Barracuda can help
Barracuda WAF and WAF-as-a-Service have many features that make life easier for such upgrades. With Instant SSL, they can quickly provide a secure HTTP frontend for these applications — including rewriting all outgoing links on the page to HTTPS. Incoming traffic is automatically rewritten to HTTP, and the backend application is none the wiser. For applications that are stuck on an older version of SSL/TLS, the WAF and WAF-as-a-Service can sit in front of them and provide a secure TLS 1.2/1.3 frontend.
For many HTTP applications, there is also the need to get a new HTTPS certificate before they can be upgraded. Both the WAF and WAFaaS automate this with Let’s Encrypt. Let’s Encrypt is a non-profit certificate authority that provides free HTTPS certificates. You can configure the WAF and WAF-as-a-Service to automatically generate the certificates required for your application and secure them with HTTPS.
The note from the DotGov registrar is a reminder that many applications still run on plain HTTP on the internet. A small number of them could possibly get by with HTTP, but most of them require an upgrade. If your organization needs to secure your web or API applications, Barracuda WAF and WAF-as-a-Service provide an easy way to upgrade them to HTTPS and block all kinds of application attacks. For a free 30-day trial, visit our website here. For a free vulnerability scan of your website, check out the Barracuda Vulnerability Manager.
Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall and Barracuda Load Balancer ADC. His current areas of focus are Cloud and automation. His prior roles ranged from leading networking product testing teams and technical marketing for HCL-Cisco. Tushar closely tracks the rapidly increasing impact of digital security and is passionate about simplifying digital security for everyone.