Browse archive

Latest news

Experts highlight top data breach vulnerabilities

NYPD detective accused of hiring email hackers

Guantanamo cuts off Wi-Fi access due to OpGTMO

Why BYOx is the next big concern of CISOs

Free tool repairs critical Windows configuration vulnerabilities

IT pros focus on cloud security, not hype

Blue Coat to acquire Solera Networks

APT1 is back, attacks many of the initial U.S. corporate targets

Aurora attackers were looking for Google's surveillance database

U.S. DOJ accuses journalist of espionage

A closer look at Mega cloud storage

Find TrueCrypt and BitLocker encrypted containers and images

The CSO perspective on healthcare security and compliance

Hacking charge stations for electric cars

HSTS approved as proposed standard

Posted on 04 October 2012.

The Internet Engineering Steering Group (IESG) has approved the HTTP Strict Transport Security protocol (HSTS) as a proposed standard, which means that we can look forward to it being ratified in the near future.

The HSTS is a web security policy mechanism that allows web servers to order browsers that connect to it or any of its subdomains to use a secure connection, and it does so via a HTTP response header field named "Strict-Transport-Security".

If a website has an active HSTS policy, the browser automatically modifies HTTP URLs into HTTPS ones before it tries to access the server, and if that is not possible, the user is presented with an error message and can't access the website.

HSTS is aimed at preventing cookie-stealing attacks and man-in-the-middle attacks that secretly strip the SSL from the connections, making them by default insecure (as demonstrated by Moxie Marlinspike back in 2009 at BlackHat).

The header is already deployed and implemented by several websites (PayPal, Etsy, Google Play, the DefCon website, and others) and browsers (Chrome, Firefox, Opera, etc, but not IE and Safari).

The draft of the standard is available here.