HSTS approved as proposed standard
Posted on 04 October 2012.
The Internet Engineering Steering Group (IESG) has approved the HTTP Strict Transport Security protocol (HSTS) as a proposed standard, which means that we can look forward to it being ratified in the near future.

The HSTS is a web security policy mechanism that allows web servers to order browsers that connect to it or any of its subdomains to use a secure connection, and it does so via a HTTP response header field named "Strict-Transport-Security".

If a website has an active HSTS policy, the browser automatically modifies HTTP URLs into HTTPS ones before it tries to access the server, and if that is not possible, the user is presented with an error message and can't access the website.

HSTS is aimed at preventing cookie-stealing attacks and man-in-the-middle attacks that secretly strip the SSL from the connections, making them by default insecure (as demonstrated by Moxie Marlinspike back in 2009 at BlackHat).

The header is already deployed and implemented by several websites (PayPal, Etsy, Google Play, the DefCon website, and others) and browsers (Chrome, Firefox, Opera, etc, but not IE and Safari).

The draft of the standard is available here.





Spotlight

The Software Assurance Marketplace: A response to a challenging problem

Posted on 20 October 2014.  |  The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) has recognized how critical the state of software security is to the DHS mission.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Tue, Oct 21st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //