HSTS approved as proposed standard

The Internet Engineering Steering Group (IESG) has approved the HTTP Strict Transport Security protocol (HSTS) as a proposed standard, which means that we can look forward to it being ratified in the near future.

The HSTS is a web security policy mechanism that allows web servers to order browsers that connect to it or any of its subdomains to use a secure connection, and it does so via a HTTP response header field named “Strict-Transport-Security”.

If a website has an active HSTS policy, the browser automatically modifies HTTP URLs into HTTPS ones before it tries to access the server, and if that is not possible, the user is presented with an error message and can’t access the website.

HSTS is aimed at preventing cookie-stealing attacks and man-in-the-middle attacks that secretly strip the SSL from the connections, making them by default insecure (as demonstrated by Moxie Marlinspike back in 2009 at BlackHat).

The header is already deployed and implemented by several websites (PayPal, Etsy, Google Play, the DefCon website, and others) and browsers (Chrome, Firefox, Opera, etc, but not IE and Safari).

The draft of the standard is available here.

More about

Don't miss