Websites Must Use HSTS in Order to Be Secure

You would think that by now the Internet would have grown up enough that things like online banking, email, or government websites would rely on thoroughly engineered security to make sure your data isn't intercepted by attackers. Unfortunately when it comes to the vast majority of websites on the Internet, that assumption would be dead wrong. That's because most websites (with a few notable exceptions) don't yet support a standard called HSTS—HTTPS Strict Transport Security.

Why is lack of HSTS even an issue? To see what could go wrong, imagine the following common scenario. You're in a coffee shop and you want to check your bank account. You pop open your laptop, connect to the free wifi, load up your web browser, and type in your bank's URL. No security alerts pop up when you load the page, and there's even a padlock icon next to the address, so you go ahead and log in. Unfortunately, you could very well have just sent your login information to a potential attacker.


Full Article

Sr. Community Leader

Community Manager

Re: Websites Must Use HSTS in Order to Be Secure

Interesting - I wasn't aware of that protocol. Sounds like a no-brainer to me.


Re: Websites Must Use HSTS in Order to Be Secure


Although it's more difficult to catch users' data from HTTPS sites, nothing beats a good module protecting our data.
Fortunately we have the Identity Protection.

Sr. Community Leader
Beta Tester
WEBROOT® SecureAnywhere™ Internet Security Complete Beta v8.0.8.77

Low adoption rate of HSTS website security mechanism is worrying, EFF says

The advocacy group cites insufficient awareness among developers and lack of support across all browsers as the likely reasons


Almost a year and a half after the HTTP Strict Transport Security (HSTS) mechanism was established as a standard, its adoption rate by websites remains low because developers are not aware of its benefits and Internet Explorer still doesn't support it, according to advocacy group the Electronic Frontier Foundation.

HSTS is a policy mechanism implemented as an HTTP header field that allows websites to instruct browsers to only connect to them using HTTPS for a period of time that can be renewed. The mechanism is important because it can block some man-in-the-middle attacks that hackers can easily execute on wireless networks or from compromised Internet gateway devices.

 

Full Article

Sr. Community Leader
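As an added example (not from this thread or the articles it quotes), here is a small Python checker that parses the Strict-Transport-Security header the quoted article describes (RFC 6797 syntax: a required max-age, optional includeSubDomains and preload, case-insensitive directive names, no repeated directives) and flags the cases in which a browser ends up with no protection: header absent, header sent only over plain HTTP, header malformed, or max-age too short. The site names and header values are constructed, and the one-year threshold is an assumption.

```python
import re
from typing import Dict, List, Optional

MIN_RECOMMENDED_MAX_AGE = 365 * 24 * 60 * 60  # assumed threshold: one year in seconds

def parse_hsts(header_value: str) -> Optional[dict]:
    """Return {'max_age', 'include_subdomains', 'preload'}, or None when a browser
    would discard the header (missing/non-numeric max-age, repeated directive)."""
    seen: Dict[str, Optional[str]] = {}
    for raw in header_value.split(";"):
        if not raw.strip():
            continue
        name, eq, value = raw.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:             # a repeated directive invalidates the header
            return None
        seen[name] = value.strip().strip('"') if eq else None
    if not re.fullmatch(r"\d+", seen.get("max-age") or ""):
        return None
    return {"max_age": int(seen["max-age"]), "include_subdomains": "includesubdomains" in seen, "preload": "preload" in seen}

def assess(scheme: str, headers: Dict[str, str]) -> List[str]:
    """Findings for one response; an empty list means the policy is in good shape."""
    sts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if sts is None:
        return ["no Strict-Transport-Security header: browser can be kept on plain HTTP"]
    if scheme != "https":
        return ["STS header sent over plain HTTP is ignored by browsers"]
    policy = parse_hsts(sts)
    if policy is None:
        return ["malformed STS header: browsers will discard it"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 deletes the policy instead of enforcing it")
    elif policy["max_age"] < MIN_RECOMMENDED_MAX_AGE:
        findings.append(f"max-age={policy['max_age']}s is short; protection lapses quickly")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains remain reachable over HTTP")
    return findings

# Constructed sample responses (scheme, headers) standing in for real sites.
SAMPLE_RESPONSES = {
    "bank-no-hsts": ("https", {"Content-Type": "text/html"}),
    "bank-http-only": ("http", {"Strict-Transport-Security": "max-age=31536000"}),
    "bank-short": ("https", {"Strict-Transport-Security": "max-age=300"}),
    "bank-good": ("https", {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"}),
}

def run_report() -> Dict[str, List[str]]:
    return {name: assess(scheme, hdrs) for name, (scheme, hdrs) in SAMPLE_RESPONSES.items()}
```

Only the "bank-good" sample comes back clean; the others each reproduce one way the coffee-shop scenario above stays possible.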