HSTS OK’d as Proposed Standard

Thursday, October 4, 2012 @ 04:10 PM gHale


HSTS, the HTTP Strict Transport Security protocol, won approval as a proposed standard by the Internet Engineering Task Force (IETF).

The mission of HSTS is to allow web sites to ensure only secure connections are coming to them by informing browsers they should use a secure connection.


The mechanism works as follows: the server responds with a Strict-Transport-Security header, which signals to the browser that it should connect using HTTPS for a stated period, not only for this connection but potentially for subdomains as well. Once a browser receives this header, it must use only secure connections to the site.
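As an added illustration of the header processing described above (example code, not from the article or from any browser's implementation), the following Python model shows how a client parses the Strict-Transport-Security header and later decides whether a plain-HTTP request must be upgraded to HTTPS. It follows the rules later published as RFC 6797 (max-age required, includeSubDomains optional, header ignored over non-TLS, max-age=0 forgets the host); the names parse_sts_header and HstsPolicyStore are my own.

```python
# Added example, not the article's or the RFC's code: a minimal browser-side HSTS
# cache after RFC 6797 (header syntax sec. 6.1, UA processing sec. 8.1); names are my own.
import re
_DIRECTIVE = re.compile(r'\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("?)([^";]*)\2)?\s*')

def parse_sts_header(value):
    """Return {'max_age': int, 'include_subdomains': bool}, or None if invalid.
    max-age is required, names are case-insensitive, unknown directives are
    ignored, and a repeated directive makes the whole header invalid."""
    seen = {}
    for part in value.split(';'):
        if not part.strip():
            continue  # tolerate a trailing ';'
        m = _DIRECTIVE.fullmatch(part)
        if m is None or m.group(1).lower() in seen:
            return None
        seen[m.group(1).lower()] = m.group(3)  # None for a valueless directive
    if not (seen.get('max-age') or '').isdigit():
        return None
    return {'max_age': int(seen['max-age']),
            'include_subdomains': 'includesubdomains' in seen}

class HstsPolicyStore:
    """Known-HSTS-hosts cache: host -> (expiry in epoch seconds, includeSubDomains)."""
    def __init__(self):
        self._hosts = {}
    def note_response(self, host, header_value, over_tls, now):
        """Record the policy carried by a response; returns True if it was applied."""
        if not over_tls:
            return False  # the header is ignored unless received over a secure transport
        policy = parse_sts_header(header_value)
        if policy is None:
            return False
        host = host.lower()
        if policy['max_age'] == 0:
            self._hosts.pop(host, None)  # max-age=0 tells the client to forget the host
        else:
            self._hosts[host] = (now + policy['max_age'], policy['include_subdomains'])
        return True
    def should_upgrade(self, host, now):
        """True if a plain-HTTP request must be rewritten to HTTPS (host known, or a
        superdomain known with includeSubDomains set, and the entry not expired)."""
        labels = host.lower().split('.')
        for i in range(len(labels)):
            entry = self._hosts.get('.'.join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue  # unknown or expired
            if i == 0 or entry[1]:
                return True
        return False
```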

Many sites have previously either used HTTP redirects to move users to their secure pages, or have taken user names and passwords insecurely before sending the user on to an HTTPS page.

HSTS reduces an attacker's ability, when listening in on those connections, to gather cookies or other data exchanged during a session that began insecurely.

A good part of the industry already recognizes HSTS, with PayPal, Blogspot and Etsy implementing the server side and Chrome, Firefox and Opera implementing the browser side. Microsoft’s Internet Explorer and Apple’s Safari have yet to incorporate HSTS.

The draft won approval by the IESG, the Internet Engineering Steering Group, which is responsible for the technical management of the IETF. With widespread implementations and a higher degree of maturity, HSTS should become an Internet Standard in the future.

The following is a draft of the HTTP Strict Transport Security protocol.


