HTTP Strict Transport Security becomes Internet standard

The technology to prevent some types of attacks against HTTPS connections is now mature, but adoption is low

A Web security policy mechanism that promises to make HTTPS-enabled websites more resilient to various types of attacks has been approved and released as an Internet standard -- but despite support from some high-profile websites, adoption elsewhere is still low.

HTTP Strict Transport Security (HSTS) allows websites to declare themselves accessible only over HTTPS (HTTP Secure) and was designed to prevent hackers from forcing user connections over HTTP or abusing mistakes in HTTPS implementations to compromise content integrity.

The Internet Engineering Task Force (IETF), the body responsible for developing and promoting Internet standards, published the HSTS specification as an official standards document, RFC 6797, on Monday. IETF's Web Security Working Group had been working on it since 2010, when it was first submitted as a draft by Jeff Hodges from PayPal, Collin Jackson from Carnegie Mellon University and Adam Barth from Google.

HSTS prevents so-called mixed content issues from affecting the security and integrity of HTTPS websites. Mixed content situations occur when scripts or other resources embedded into an HTTPS-enabled website are loaded from a third-party location over an insecure connection. This can be the result of a development error or it can be intentional.

When the browser loads the insecure resource it makes a request over plain HTTP and can also send the user's session cookie along with it. An attacker that can intercept the request using networking sniffing techniques can use the cookie to hijack the user's account.

The HSTS mechanism also prevents man-in-the-middle attacks, where the attacker is in a position to intercept a user's connection with a website and force his browser to access the site's HTTP version instead of HTTPS. This technique is known as HTTPS or SSL stripping, and there are tools available to automate it.

When the browser connects over HTTPS to a website that supports HSTS, the site's strict transport security policy is saved and remembered for a specified amount of time. From that point forward, as long as the cached policy doesn't expire, the browser will refuse to initiate insecure connections with that website.

The HSTS policy is transmitted through an HTTP response header field called Strict-Transport-Security. The same header can be used to update and renew the policy.

HSTS is one of the best things to have happened to SSL because it fixes some of the mistakes made when originally designing the protocol 18 years ago, Ivan Ristic, director of engineering at security firm Qualys, said on Thursday. It also addresses the changes that have occurred since then in how Web browsers operate today, he said.

For example, relying on certificate warnings was a big mistake because users developed a habit of ignoring and overriding them, Ristic said. In the majority of situations that's not a big issue, but in 1 percent of cases it can be dangerous, he said.

HSTS does not rely on certificate warnings. If a problem is detected with the HTTPS implementation, the browser will simply refuse the connection and won't offer users the opportunity to override the decision, Ristic said.

Even with HSTS enabled on a website, there is still a small opportunity for attacks when the browser visits the website for the first time and doesn't have an HSTS policy saved for it . At that point an attacker could block it from reaching the HTTPS version of the site and could force the connection to use HTTP.

In order to address this, browsers such as Chrome and Firefox come with pre-loaded lists of popular websites for which HSTS is enforced by default.

According to SSL Pulse, a project that monitors HTTPS implementations on the world's most visited websites, only around 1,700 out of the top 180,000 HTTPS-enabled websites support HSTS.

In addition to the overall HSTS adoption rate being low, some of the websites that do support the feature have implementation issues, Ristic said.

For example, some of them specify a very short validity period -- also known as the time to live -- for their HSTS policies. For HSTS to be useful these records should be valid for days, if not months, he said.

Ristic doesn't believe that HSTS becoming an official standard will necessarily drive adoption numbers up. Website operators have traditionally been opportunistic and have implemented whatever worked for them, regardless of whether it was a standard or not, he said.

"I think the biggest problem with HSTS is education," Ristic said. "People need to learn that it exists."

Popular websites that support HSTS at the moment include PayPal, Twitter and various Google services. Facebook is in the process of deploying always-on HTTPS across its website, but doesn't support HSTS yet.

Join the PC World newsletter!

Error: Please check your email address.

Tags Internet Engineering Task Forceonline safetysecurityAccess control and authenticationencryptionpaypaldata protectionpkiqualysprivacyGoogle

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?