04-04-2014 12:50 PM
You would think that by now the Internet would have grown up enough that things like online banking, email, or government websites would rely on thoroughly engineered security to make sure your data isn't intercepted by attackers. Unfortunately when it comes to the vast majority of websites on the Internet, that assumption would be dead wrong. That's because most websites (with a few notable exceptions) don't yet support a standard called HSTS—HTTPS Strict Transport Security.
Why is lack of HSTS even an issue? To see what could go wrong, imagine the following common scenario. You're in a coffee shop and you want to check your bank account. You pop open your laptop, connect to the free wifi, load up your web browser, and type in your bank's URL. No security alerts pop up when you load the page, and there's even a padlock icon next to the address, so you go ahead and log in. Unfortunately, you could very well have just sent your login information to a potential attacker.
04-04-2014 01:12 PM - edited 04-04-2014 01:13 PM
Although it's more difficult to catch users' data from HTTPS sites, nothing beats a good module protecting our data.
Fortunately we have the Identity Protection.
Webroot® SecureAnywhere™ Internet Security Complete Beta v184.108.40.206 & VoodooShield Beta v2.23m
04-07-2014 03:10 PM
The advocacy group cites insufficient awareness among developers and lack of support across all browsers as the likely reasons
Almost a year and a half after the HTTP Strict Transport Security (HSTS) mechanism was established as a standard, its adoption rate by websites remains low because developers are not aware of its benefits and Internet Explorer still doesn't support it, according to advocacy group the Electronic Frontier Foundation.
HSTS is a policy mechanism implemented as an HTTP header field that allows websites to instruct browsers to only connect to them using HTTPS for a period of time that can be renewed. The mechanism is important because it can block some man-in-the-middle attacks that hackers can easily execute on wireless networks or from compromised Internet gateway devices.
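An added example, not code from the thread or the article it quotes, modelling the header mechanism described above: a parser for the Strict-Transport-Security header and a toy browser-side cache that accepts the policy only from HTTPS responses, renews the expiry on every valid response, honours max-age=0, and upgrades later http:// requests for a known host to https:// before anything leaves the machine. Host names and header values are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; return (max_age, include_subdomains) or None."""
    max_age, include_sub, seen = None, False, set()
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:                      # duplicated directive: header is invalid
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)  # max-age is mandatory

class HstsStore:
    """Toy model of a browser's HSTS cache: host -> (expiry timestamp, includeSubDomains)."""
    def __init__(self, clock=time.time):
        self.clock, self.hosts = clock, {}
    def observe(self, host, header, over_https):
        """Record a policy from a response; only an HTTPS response may set or renew it."""
        if not over_https:                    # a header seen over plain HTTP is untrusted
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        max_age, include_sub = policy
        if max_age == 0:                      # max-age=0 tells the browser to forget the host
            self.hosts.pop(host, None)
        else:                                 # every valid response renews the expiry
            self.hosts[host] = (self.clock() + max_age, include_sub)
    def is_known(self, host):
        now = self.clock()
        return any(expiry > now and (host == h or (sub and host.endswith("." + h)))
                   for h, (expiry, sub) in self.hosts.items())
    def rewrite(self, url):
        """Upgrade http:// to https:// for a known host before any request is sent."""
        p = urlsplit(url)
        if p.scheme == "http" and self.is_known(p.hostname):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url
```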