HSTS approved as proposed standard
Posted on 04 October 2012.
The Internet Engineering Steering Group (IESG) has approved the HTTP Strict Transport Security protocol (HSTS) as a proposed standard, which means that we can look forward to it being ratified in the near future.

The HSTS is a web security policy mechanism that allows web servers to order browsers that connect to it or any of its subdomains to use a secure connection, and it does so via a HTTP response header field named "Strict-Transport-Security".

If a website has an active HSTS policy, the browser automatically modifies HTTP URLs into HTTPS ones before it tries to access the server, and if that is not possible, the user is presented with an error message and can't access the website.

HSTS is aimed at preventing cookie-stealing attacks and man-in-the-middle attacks that secretly strip the SSL from the connections, making them by default insecure (as demonstrated by Moxie Marlinspike back in 2009 at BlackHat).

The header is already deployed and implemented by several websites (PayPal, Etsy, Google Play, the DefCon website, and others) and browsers (Chrome, Firefox, Opera, etc, but not IE and Safari).

The draft of the standard is available here.





Spotlight

What can we learn from the top 10 biggest data breaches?

Posted on 21 August 2014.  |  Here's a list of the top 10 biggest data breaches of the last five years. It identifies the cause of each breach as well as the resulting financial and reputation damage suffered by each company.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Aug 22nd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //