HTTP Strict Transport Security becomes Internet standard

The technology to prevent some types of attacks against HTTPS connections is now mature, but adoption is low

A Web security policy mechanism that promises to make HTTPS-enabled websites more resilient to various types of attacks has been approved and released as an Internet standard -- but despite support from some high-profile websites, adoption elsewhere is still low.

HTTP Strict Transport Security (HSTS) allows websites to declare themselves accessible only over HTTPS (HTTP Secure) and was designed to prevent hackers from forcing user connections over HTTP or abusing mistakes in HTTPS implementations to compromise content integrity.

The Internet Engineering Task Force (IETF), the body responsible for developing and promoting Internet standards, published the HSTS specification as an official standards document, RFC 6797, on Monday. IETF's Web Security Working Group had been working on it since 2010, when it was first submitted as a draft by Jeff Hodges from PayPal, Collin Jackson from Carnegie Mellon University and Adam Barth from Google.

HSTS prevents so-called mixed content issues from affecting the security and integrity of HTTPS websites. Mixed content situations occur when scripts or other resources embedded into an HTTPS-enabled website are loaded from a third-party location over an insecure connection. This can be the result of a development error or it can be intentional.

When the browser loads the insecure resource it makes a request over plain HTTP and can also send the user's session cookie along with it. An attacker that can intercept the request using networking sniffing techniques can use the cookie to hijack the user's account.

The HSTS mechanism also prevents man-in-the-middle attacks, where the attacker is in a position to intercept a user's connection with a website and force his browser to access the site's HTTP version instead of HTTPS. This technique is known as HTTPS or SSL stripping, and there are tools available to automate it.

When the browser connects over HTTPS to a website that supports HSTS, the site's strict transport security policy is saved and remembered for a specified amount of time. From that point forward, as long as the cached policy doesn't expire, the browser will refuse to initiate insecure connections with that website.

The HSTS policy is transmitted through an HTTP response header field called Strict-Transport-Security. The same header can be used to update and renew the policy.

HSTS is one of the best things to have happened to SSL because it fixes some of the mistakes made when originally designing the protocol 18 years ago, Ivan Ristic, director of engineering at security firm Qualys, said on Thursday. It also addresses the changes that have occurred since then in how Web browsers operate today, he said.

For example, relying on certificate warnings was a big mistake because users developed a habit of ignoring and overriding them, Ristic said. In the majority of situations that's not a big issue, but in 1 percent of cases it can be dangerous, he said.

HSTS does not rely on certificate warnings. If a problem is detected with the HTTPS implementation, the browser will simply refuse the connection and won't offer users the opportunity to override the decision, Ristic said.

Even with HSTS enabled on a website, there is still a small opportunity for attacks when the browser visits the website for the first time and doesn't have an HSTS policy saved for it . At that point an attacker could block it from reaching the HTTPS version of the site and could force the connection to use HTTP.

In order to address this, browsers such as Chrome and Firefox come with pre-loaded lists of popular websites for which HSTS is enforced by default.

According to SSL Pulse, a project that monitors HTTPS implementations on the world's most visited websites, only around 1,700 out of the top 180,000 HTTPS-enabled websites support HSTS.

In addition to the overall HSTS adoption rate being low, some of the websites that do support the feature have implementation issues, Ristic said.

For example, some of them specify a very short validity period -- also known as the time to live -- for their HSTS policies. For HSTS to be useful these records should be valid for days, if not months, he said.

Ristic doesn't believe that HSTS becoming an official standard will necessarily drive adoption numbers up. Website operators have traditionally been opportunistic and have implemented whatever worked for them, regardless of whether it was a standard or not, he said.

"I think the biggest problem with HSTS is education," Ristic said. "People need to learn that it exists."

Popular websites that support HSTS at the moment include PayPal, Twitter and various Google services. Facebook is in the process of deploying always-on HTTPS across its website, but doesn't support HSTS yet.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Internet Engineering Task Forceonline safetysecurityAccess control and authenticationpaypalencryptiondata protectionprivacyqualyspkiGoogle

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

D-Link TAIPAN AC3200 Ultra Wi-Fi Modem Router (DSL-4320L)

Learn more >

Crucial® BX200 SATA 2.5” 7mm (with 9.5mm adapter) Internal Solid State Drive

Learn more >

D-Link PowerLine AV2 2000 Gigabit Network Kit

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

ASUS ROG Swift PG279Q – Reign beyond virtual world

Learn more >

Gadgets & Things


Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

ASUS VivoPC VM62 - Incredibly Powerful, Unbelievably Small

Learn more >

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Stocking Stuffer

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Best Deals on Good Gear Guide

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.


Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?