Low adoption rate of HSTS website security mechanism is worrying, EFF says

The advocacy group cites insufficient awareness among developers and lack of support across all browsers as the likely reasons

Almost a year and a half after the HTTP Strict Transport Security (HSTS) mechanism was established as a standard, its adoption rate by websites remains low because developers are not aware of its benefits and Internet Explorer still doesn't support it, according to advocacy group the Electronic Frontier Foundation.

HSTS is a policy mechanism implemented as an HTTP header field that allows websites to instruct browsers to only connect to them using HTTPS for a period of time that can be renewed. The mechanism is important because it can block some man-in-the-middle attacks that hackers can easily execute on wireless networks or from compromised Internet gateway devices.

One such attack is known as SSL stripping and involves intercepting browser requests to HTTPS sites and serving back the requested pages over plain HTTP instead of encrypted connections. If they're not paying close attention, the targeted users might never realize that they're not visiting a secure page.

HSTS can also prevent man-in-the-middle attackers from potentially injecting malicious code into resources loaded on HTTPS pages from third-party locations over non-encrypted links, a common occurrence known as a mixed content issue.

"Without HSTS, browsers have no way of knowing that a website should be delivered securely, and so cannot alert you when a website that ought to be loaded securely (e.g. your bank's website) is instead loaded via a normal connection (i.e. the unencrypted version the attacker sends to you instead)," said Jeremy Gillula, a staff technologist at the EFF, in a blog post Friday. "HSTS fixes that by allowing servers to send a message to the browser saying 'Hey! Connections to me should be encrypted!' and allowing browsers to understand and act on that message."

However, browser support for HSTS has been incomplete, which has likely discouraged websites from enabling the mechanism.

"Only Chrome, Firefox, and Opera have had HSTS support for a significant period," the EFF technologist said. "This is changing though: we noticed that Apple quietly added HSTS support to Safari in OS X 10.9. For now, Internet Explorer doesn't support HSTS -- which means that there's basically no such thing as a secure website in IE."

According to a March report by the SSL Pulse project, only 1,219 out of around 158,270 HTTPS-enabled sites had implemented HSTS. The SSL Pulse project regularly scans and tracks changes in the SSL implementations of the most popular HTTPS sites on the Internet as listed by Internet statistics firm Alexa.

According to Gillula, a Microsoft spokesperson told the EFF that the company is committed to adding support for HSTS in the next major release of Internet Explorer. "This means that with the next major release of IE, every major browser will support properly secured websites," Gillula said.

Microsoft did not immediately respond to a request for comment sent Monday, but the company's status.modern.ie website lists the HSTS feature as "in development."

One problem with HSTS is that it assumes the first ever connection from a browser to an HTTPS website is made securely, without a man-in-the-middle attacker interfering and removing the HSTS policy header. To partially mitigate this problem, Google Chrome and Mozilla Firefox contain pre-loaded lists of HSTS sites.
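To make the header mechanism and the first-visit gap concrete, here is an added example (not code from the article, the EFF or any browser) modelling how a client parses a Strict-Transport-Security header, stores the policy only when it arrived over HTTPS, honours `max-age` expiry and `includeSubDomains`, and falls back to a preload list for hosts it has never seen securely. The host names and the `PRELOAD` set are constructed for illustration.

```python
# Added example (not the article's or the EFF's code): a minimal model of how a
# browser learns, stores and applies an HSTS policy, with a preload list that
# covers the first-visit gap the article describes. Host names are constructed.
import time

PRELOAD = {"preloaded.example"}  # stand-in for a browser's built-in list


def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None if max-age is missing."""
    max_age, include_subdomains = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)


class HstsStore:
    def __init__(self, now=time.time):
        self.now, self.hosts = now, {}  # host -> (expiry, include_subdomains)

    def learn(self, host, header, over_https):
        """Record a policy from a response; ignored unless received over HTTPS
        (RFC 6797), which is why a stripped first visit leaves no policy."""
        policy = parse_hsts(header) if over_https else None
        if policy is None:
            return
        max_age, include_subdomains = policy
        if max_age == 0:  # max-age=0 tells the browser to forget the host
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = (self.now() + max_age, include_subdomains)

    def must_use_https(self, host):
        """True if a preload entry or an unexpired policy covers this host,
        walking up to parent domains that set includeSubDomains."""
        if host in PRELOAD:
            return True
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False
```

A real browser would call `must_use_https` before issuing any `http://` request and rewrite it to `https://`, so the plaintext request that SSL stripping relies on never leaves the client.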

Users can also install the EFF's HTTPS Everywhere browser extension to get almost the same effect on sites that support HTTPS, but don't yet have HSTS enabled.

"HTTPS Everywhere automatically tells your browser to use secured connections on many (but not all) websites that support them; on many domains it functions like a client-initiated equivalent of the serverside HSTS mechanism," Gillula said.
