Low adoption rate of HSTS website security mechanism is worrying, EFF says

The advocacy group cites insufficient awareness among developers and lack of support across all browsers as the likely reasons

Almost a year and a half after the HTTP Strict Transport Security (HSTS) mechanism was established as a standard, its adoption rate by websites remains low because developers are not aware of its benefits and Internet Explorer still doesn't support it, according to advocacy group the Electronic Frontier Foundation.

HSTS is a policy mechanism implemented as an HTTP header field that allows websites to instruct browsers to only connect to them using HTTPS for a period of time that can be renewed. The mechanism is important because it can block some man-in-the-middle attacks that hackers can easily execute on wireless networks or from compromised Internet gateway devices.

One such attack is known as SSL stripping and involves intercepting browser requests to HTTPS sites and serving back the requested pages over plain HTTP instead of encrypted connections. If they're not paying close attention, the targeted users might never realize that they're not visiting a secure page.

HSTS can also prevent man-in-the-middle attackers from potentially injecting malicious code into resources loaded on HTTPS pages from third-party locations over non-encrypted links, a common occurrence known as a mixed content issue.

"Without HSTS, browsers have no way of knowing that a website should be delivered securely, and so cannot alert you when a website that ought to be loaded securely (e.g. your bank's website) is instead loaded via a normal connection (i.e. the unencrypted version the attacker sends to you instead)," said Jeremy Gillula, a staff technologist at the EFF, in a blog post Friday. "HSTS fixes that by allowing servers to send a message to the browser saying 'Hey! Connections to me should be encrypted!' and allowing browsers to understand and act on that message."

However, the support for HSTS in browsers has been incomplete, which likely discouraged websites from enabling the mechanism.

"Only Chrome, Firefox, and Opera have had HSTS support for a significant period," the EFF technologist said. "This is changing though: we noticed that Apple quietly added HSTS support to Safari in OS X 10.9. For now, Internet Explorer doesn't support HSTS -- which means that there's basically no such thing as a secure website in IE."

According to a March report by the SSL Pulse project, only 1,219 out of around 158,270 HTTPS-enabled sites had implemented HSTS. The SSL Pulse project regularly scans and tracks changes in the SSL implementations of the most popular HTTPS sites on the Internet as listed by Internet statistics firm Alexa.

According to Gillula, a Microsoft spokesperson told the EFF that the company is committed to adding support for HSTS in the next major release of Internet Explorer. "This means that with the next major release of IE, every major browser will support properly secured websites," Gillula said.

Microsoft did not immediately respond to a request for comment sent Monday, but the company's status.modern.ie website lists the HSTS feature as "in development."

One problem with HSTS is that it assumes the first ever connection from a browser to a HTTPS website is achieved securely, without a man-in-the-middle attacker interfering and removing the HSTS policy header. In order to partially mitigate this problem Google Chrome and Mozilla Firefox contain pre-loaded lists of HSTS sites.

Users can also install the EFF's HTTPS Everywhere browser extension to get almost the same effect on sites that support HTTPS, but don't yet have HSTS enabled.

"HTTPS Everywhere automatically tells your browser to use secured connections on many (but not all) websites that support them; on many domains it functions like a client-initiated equivalent of the serverside HSTS mechanism," Gillula said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags online safetyMicrosoftsecurityencryptionprivacyElectronic Frontier Foundationpki

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?