Low adoption rate of HSTS website security mechanism is worrying, EFF says

Lucian Constantin | April 8, 2014
Almost a year and a half after the HTTP Strict Transport Security (HSTS) mechanism was established as a standard, its adoption rate by websites remains low because developers are not aware of its benefits and Internet Explorer still doesn't support it, according to advocacy group the Electronic Frontier Foundation.

Microsoft did not immediately respond to a request for comment sent Monday, but the company's status.modern.ie website lists the HSTS feature as "in development."

One problem with HSTS is that it assumes the first ever connection from a browser to an HTTPS website is made securely, without a man-in-the-middle attacker interfering and stripping the HSTS policy header; the browser has no policy to enforce until it has seen that header once. To partially mitigate this problem, Google Chrome and Mozilla Firefox ship with pre-loaded lists of HSTS sites.
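The trust-on-first-use gap and the preload fix are easiest to see in a small model of the browser side. The following is an added illustration, not code from the article, the EFF or any browser: a policy store that parses the `Strict-Transport-Security` header the way RFC 6797 specifies (only over HTTPS, honouring `max-age`, `includeSubDomains` and `max-age=0`), plus a preload list that protects a host before its first visit. The hostnames, header values and the `first_connection_demo` walk-through are constructed for the example.

```python
"""Toy model of a browser's HSTS policy store: trust-on-first-use plus a preload list.

Added illustration only; not code from the article, the EFF, or any browser.
Hostnames and responses below are constructed for the demo.
"""
import re
import time
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    host: str
    expires_at: float          # absolute time; float("inf") for preloaded entries
    include_subdomains: bool


def parse_hsts_header(value: str):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Returns (max_age_seconds, include_subdomains), or None when the header
    carries no usable max-age and must therefore be ignored.
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')        # max-age may be a quoted-string
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    def __init__(self, preload=(), now=time.time):
        self.now = now                      # injectable clock for testing expiry
        self.policies = {}
        # Preloaded hosts are trusted before any connection has been made,
        # which is exactly the gap that trust-on-first-use leaves open.
        for host, include_sub in preload:
            self.policies[host.lower()] = HstsPolicy(host.lower(), float("inf"), include_sub)

    def record_response(self, host, scheme, headers):
        """Update policy from a response. Header names are expected lowercased."""
        if scheme != "https":
            return  # RFC 6797 section 8.1: the header is ignored over plain HTTP,
                    # otherwise an on-path attacker could set or clear policy
        value = headers.get("strict-transport-security")
        if value is None:
            return
        parsed = parse_hsts_header(value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.policies.pop(host, None)   # max-age=0 means "forget this policy"
        else:
            self.policies[host] = HstsPolicy(host, self.now() + max_age, include_sub)

    def is_known_hsts_host(self, host):
        """True if the host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= self.now():
                del self.policies[candidate]  # expired policies give no protection
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite_url(self, url):
        """Upgrade http:// to https:// for known HSTS hosts; other URLs pass through."""
        m = re.match(r"^http://([^/:]+)(.*)$", url)
        if m and self.is_known_hsts_host(m.group(1)):
            return "https://" + m.group(1) + m.group(2)
        return url


def first_connection_demo():
    """Walk through the gap the article describes (constructed hosts).

    Before its first HTTPS response, an unlisted site is still fetched over
    plain HTTP; after it, the policy is cached; a preloaded site is upgraded
    from the very first request.
    """
    store = HstsStore(preload=[("preloaded.example", True)])
    before = store.rewrite_url("http://unlisted.example/login")
    store.record_response("unlisted.example", "https",
                          {"strict-transport-security": "max-age=31536000; includeSubDomains"})
    after = store.rewrite_url("http://unlisted.example/login")
    preloaded = store.rewrite_url("http://api.preloaded.example/")
    return before, after, preloaded


if __name__ == "__main__":
    for label, url in zip(("first visit", "after HSTS", "preloaded"), first_connection_demo()):
        print(f"{label:>11}: {url}")
```

The `scheme != "https"` check in `record_response` is the detail that matters for the attack the article mentions: an attacker who can answer the first plain-HTTP request cannot plant or remove a policy, but they can prevent the browser from ever reaching the HTTPS response that would set one, which is why the preload list exists.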

Users can also install the EFF's HTTPS Everywhere browser extension to get almost the same effect on sites that support HTTPS, but don't yet have HSTS enabled.

"HTTPS Everywhere automatically tells your browser to use secured connections on many (but not all) websites that support them; on many domains it functions like a client-initiated equivalent of the server-side HSTS mechanism," Gillula said.
