stephen at melbpc.org.au stephen at melbpc.org.au
Fri Nov 23 20:54:56 AEDT 2012

HTTP Strict Transport Security becomes Internet standard


By Lucian Constantin (IDG News Service) 22nd November, 2012

A Web security policy mechanism that promises to make HTTPS-enabled 
websites more resilient to various types of attacks has been approved and 
released as an Internet standard -- but adoption is still low.

HTTP Strict Transport Security (HSTS) allows websites to declare 
themselves accessible only over HTTPS (HTTP Secure) and was designed to 
prevent hackers from forcing user connections over HTTP, or abusing 
mistakes in HTTPS implementations to compromise content integrity.

The Internet Engineering Task Force (IETF), the body responsible for 
developing and promoting Internet standards, published the HSTS 
specification as an official standards document, RFC 6797, on Monday. 

IETF's Web Security Working Group had been working on it since 2010, when 
it was first submitted as a draft by Jeff Hodges from PayPal, Collin 
Jackson from Carnegie Mellon University and Adam Barth from Google.

HSTS prevents so-called 'mixed content' issues from affecting the 
security and integrity of HTTPS websites. 

Mixed content situations occur when scripts or other resources embedded 
into an HTTPS-enabled website are loaded from a third-party location over 
an insecure connection. This can be the result of a development error, or 
it can be intentional.

When the browser loads the insecure resource it makes a request over 
plain HTTP and can also send the user's session cookie along with it. An 
attacker that can intercept the request using networking sniffing 
techniques can use the cookie to hijack the user's account.

The HSTS mechanism also prevents man-in-the-middle attacks, where the 
attacker is in a position to intercept a user's connection with a website 
and force his browser to access the site's HTTP version instead of HTTPS. 

This technique is known as HTTPS or SSL stripping, and there are tools 
available to automate it.

When the browser connects over HTTPS to a website that supports HSTS, the 
site's strict transport security policy is saved and remembered for a 
specified amount of time. From that point forward, as long as the cached 
policy doesn't expire, the browser will refuse to initiate insecure 
connections with that website.

The HSTS policy is transmitted through an HTTP response header field 
called Strict-Transport-Security. The same header can be used to update 
and renew the policy.

HSTS is one of the best things to have happened to SSL because it fixes 
some of the mistakes made when originally designing the protocol 18 years 
ago, Ivan Ristic, director of engineering at security firm Qualys, said 
on Thursday. It also addresses the changes that have occurred since then 
in how Web browsers operate today, he said.

For example, relying on certificate warnings was a big mistake because 
users developed a habit of ignoring and overriding them, Ristic said. In 
the majority of situations that's not a big issue, but in 1 percent of 
cases it can be dangerous, he said.

HSTS does not rely on certificate warnings. If a problem is detected with 
the HTTPS implementation, the browser will simply refuse the connection 
and won't offer users the opportunity to override the decision, Ristic 

Even with HSTS enabled on a website, there is still a small opportunity 
for attacks when the browser visits the website for the first time and 
doesn't have an HSTS policy saved for it . At that point an attacker 
could block it from reaching the HTTPS version of the site and could 
force the connection to use HTTP.

In order to address this, browsers such as Chrome and Firefox come with 
pre-loaded lists of popular websites for which HSTS is enforced by 

According to SSL Pulse, a project that monitors HTTPS implementations on 
the world's most visited websites, only around 1,700 out of the top 
180,000 HTTPS-enabled websites support HSTS.

In addition to the overall HSTS adoption rate being low, some of the 
websites that do support the feature have implementation issues, Ristic 

For example, some of them specify a very short validity period -- also 
known as the time to live -- for their HSTS policies. For HSTS to be 
useful these records should be valid for days, if not months, he said.

Ristic doesn't believe that HSTS becoming an official standard will 
necessarily drive adoption numbers up. Website operators have 
traditionally been opportunistic and have implemented whatever worked for 
them, regardless of whether it was a standard or not, he said.

"I think the biggest problem with HSTS is education," Ristic 
said. "People need to learn that it exists."

Popular websites that support HSTS at the moment include PayPal, Twitter 
and various Google services. Facebook is in the process of deploying 
always-on HTTPS across its website, but doesn't support HSTS yet.

Stephen Loosley

More information about the Link mailing list