Low adoption rate of HSTS website security mechanism is worrying, EFF says

The advocacy group cites insufficient awareness among developers and lack of support across all browsers as the likely reasons

Almost a year and a half after the HTTP Strict Transport Security (HSTS) mechanism was established as a standard, its adoption rate by websites remains low because developers are not aware of its benefits and Internet Explorer still doesn't support it, according to advocacy group the Electronic Frontier Foundation.

HSTS is a policy mechanism implemented as an HTTP header field that allows websites to instruct browsers to only connect to them using HTTPS for a period of time that can be renewed. The mechanism is important because it can block some man-in-the-middle attacks that hackers can easily execute on wireless networks or from compromised Internet gateway devices.

One such attack is known as SSL stripping and involves intercepting browser requests to HTTPS sites and serving back the requested pages over plain HTTP instead of encrypted connections. If they're not paying close attention, the targeted users might never realize that they're not visiting a secure page.

HSTS can also prevent man-in-the-middle attackers from potentially injecting malicious code into resources loaded on HTTPS pages from third-party locations over non-encrypted links, a common occurrence known as a mixed content issue.

"Without HSTS, browsers have no way of knowing that a website should be delivered securely, and so cannot alert you when a website that ought to be loaded securely (e.g. your bank's website) is instead loaded via a normal connection (i.e. the unencrypted version the attacker sends to you instead)," said Jeremy Gillula, a staff technologist at the EFF, in a blog post Friday. "HSTS fixes that by allowing servers to send a message to the browser saying 'Hey! Connections to me should be encrypted!' and allowing browsers to understand and act on that message."

However, browser support for HSTS has been incomplete, which has likely discouraged websites from enabling the mechanism.

"Only Chrome, Firefox, and Opera have had HSTS support for a significant period," the EFF technologist said. "This is changing though: we noticed that Apple quietly added HSTS support to Safari in OS X 10.9. For now, Internet Explorer doesn't support HSTS -- which means that there's basically no such thing as a secure website in IE."

According to a March report by the SSL Pulse project, only 1,219 out of around 158,270 HTTPS-enabled sites had implemented HSTS. The SSL Pulse project regularly scans and tracks changes in the SSL implementations of the most popular HTTPS sites on the Internet as listed by Internet statistics firm Alexa.

According to Gillula, a Microsoft spokesperson told the EFF that the company is committed to adding support for HSTS in the next major release of Internet Explorer. "This means that with the next major release of IE, every major browser will support properly secured websites," Gillula said.

Microsoft did not immediately respond to a request for comment sent Monday, but the company's status.modern.ie website lists the HSTS feature as "in development."

One weakness of HSTS is that it assumes the browser's first-ever connection to an HTTPS website is made securely, without a man-in-the-middle attacker interfering and stripping out the HSTS policy header. To partially mitigate this problem, Google Chrome and Mozilla Firefox ship with pre-loaded lists of HSTS sites that are enforced before any connection is made.
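The behaviour described above, modelled as an added example that is not part of the original article or of any browser's code: a small store that parses the Strict-Transport-Security header, upgrades http:// URLs for hosts with a live policy (including includeSubDomains and max-age expiry), leaves the very first visit to an unknown host unprotected, and treats a preloaded host as protected from the start. The class and function names, the host names and the `now` clock callback are constructed for illustration.

```python
import re
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

@dataclass
class HstsEntry:
    expires: float            # absolute time; float("inf") for preloaded hosts
    include_subdomains: bool

class HstsPolicyStore:
    def __init__(self, preloaded=(), now=time.time):
        self.now = now        # clock callback (assumed), injectable for testing
        # Preloaded hosts are trusted before any connection, which is how Chrome
        # and Firefox close the first-visit gap described in the article.
        self.entries = {h: HstsEntry(float("inf"), True) for h in preloaded}

    def record_header(self, host, header_value):
        """Store a Strict-Transport-Security header received over HTTPS."""
        max_age, include_sub = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age" and re.fullmatch(r'"?\d+"?', value.strip()):
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False                   # no valid max-age: the header is ignored
        if max_age == 0:
            self.entries.pop(host, None)   # max-age=0 tells the browser to forget the policy
        else:
            self.entries[host] = HstsEntry(self.now() + max_age, include_sub)
        return True

    def is_known_host(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry.expires > self.now() and (i == 0 or entry.include_subdomains):
                return True
        return False

    def rewrite(self, url):
        p = urlsplit(url)
        if p.scheme != "http" or not p.hostname or not self.is_known_host(p.hostname):
            return url                     # no policy yet: this is the first-visit gap
        netloc = p.hostname if p.port in (None, 80) else p.netloc
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
```

A real browser only records the header when it arrives over a valid HTTPS connection; an attacker who strips the header on that first plain-HTTP visit leaves the store empty, which is exactly the case the preload list covers.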

Users can also install the EFF's HTTPS Everywhere browser extension to get almost the same effect on sites that support HTTPS, but don't yet have HSTS enabled.

"HTTPS Everywhere automatically tells your browser to use secured connections on many (but not all) websites that support them; on many domains it functions like a client-initiated equivalent of the serverside HSTS mechanism," Gillula said.
