IT World Canada

HSTS: A secure standard that isn’t respected enough

There’s never any shortage of security horror stories for us to publish — a break-in here, a theft there — so you’d think that organizations would be knocking themselves out to ensure their offerings have the latest secure technology.

Not so, according to a post by Jeremy Gillula, a staff technologist at the Electronic Frontier Foundation (EFF). In a blog he complains that most Web sites still don’t support HTTP Strict Transport Security (HSTS), a standard (RFC 6797) that was approved in the fall of 2012 by the Internet Engineering Steering Group.

HSTS lets a site tell browsers that it must only ever be reached over HTTPS. Once a browser has seen that instruction, an attacker sitting on the network can no longer quietly downgrade the connection to plain HTTP (a so-called SSL-stripping attack) and hand the user a look-alike page in place of the real one.

“Without HSTS,” Gillula writes, “browsers have no way of knowing that a website should be delivered securely, and so cannot alert you when a website that ought to be loaded securely (e.g. your bank’s website) is instead loaded via a normal connection (i.e. the unencrypted version the attacker sends to you instead). HSTS fixes that by allowing servers to send a message to the browser saying “Hey! Connections to me should be encrypted!” and allowing browsers to understand and act on that message.”
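To make the mechanism in that quote concrete, the following is a small Python model of the browser side of HSTS: the parser for the Strict-Transport-Security header, the per-browser store of hosts known to be HTTPS-only, and the rewrite of http:// to https:// that happens before a request ever leaves the machine. This is an added example and is not code from the article or from the EFF post it cites. The bank host name, header values and clock value are constructed for the walkthrough, and real browsers add two things this model leaves out: a built-in preload list that covers the very first visit, and treating a certificate error on a known host as fatal rather than click-through.

```python
"""Toy model of how a browser stores and enforces an HSTS policy (RFC 6797).

Added example; not code from the article or from the EFF post it cites.
The host names, header values and clock values below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires_at: float          # seconds since the epoch
    include_subdomains: bool


def parse_sts_header(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value.

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header is malformed (no max-age, or a duplicated or non-numeric max-age)
    and must be ignored outright, as RFC 6797 section 6.1 requires.
    Directive names are case-insensitive; unknown ones ("preload") are skipped.
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if not name:
            continue
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", raw):
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsStore:
    """The browser's list of hosts that must only ever be reached over HTTPS."""

    def __init__(self) -> None:
        self._entries: Dict[str, HstsEntry] = {}

    def observe(self, host: str, header: Optional[str], over_https: bool,
                now: float) -> bool:
        """Process one response from `host`; True if the stored policy changed.

        A header is honoured only when it arrived over an error-free HTTPS
        connection (RFC 6797 section 8.1). Anyone on the network can inject
        headers into plain HTTP, so those are ignored.
        """
        if not over_https or header is None:
            return False
        policy = parse_sts_header(header)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            # max-age=0 is how a site tells browsers to forget it
            return self._entries.pop(host, None) is not None
        self._entries[host] = HstsEntry(now + policy["max_age"],
                                        policy["include_subdomains"])
        return True

    def is_known(self, host: str, now: float) -> bool:
        """Exact match, or a parent domain that set includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= now:
                del self._entries[candidate]      # lapsed: drop and keep looking
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def upgrade(self, url: str, now: float) -> str:
        """Return the URL the browser would actually request (RFC 6797 8.3)."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known(host, now):
            return url
        if parts.port is None:
            netloc = host
        elif parts.port == 80:
            netloc = f"{host}:443"     # an explicit port 80 becomes 443
        else:
            netloc = f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo() -> List[str]:
    """The bank scenario from the article; returns the URLs the browser sends."""
    store = HstsStore()
    t0 = 1_700_000_000.0                         # fixed clock (constructed)
    login = "http://www.example-bank.test/login"  # hypothetical bank (constructed)
    sent = []
    # 1. First-ever visit: nothing is known, so the plain-HTTP URL goes out
    #    untouched. This is the window an SSL-stripping attacker can exploit.
    sent.append(store.upgrade(login, t0))
    # 2. The user reaches the real HTTPS site once and it sends the header.
    store.observe("example-bank.test", "max-age=31536000; includeSubDomains",
                  over_https=True, now=t0)
    # 3. From now on http:// is rewritten before the request leaves the browser,
    #    for the apex host and (thanks to includeSubDomains) every subdomain.
    sent.append(store.upgrade(login, t0 + 60))
    sent.append(store.upgrade("http://example-bank.test:80/", t0 + 60))
    # 4. An attacker serving plain HTTP cannot use max-age=0 to clear the policy.
    store.observe("example-bank.test", "max-age=0", over_https=False, now=t0 + 60)
    sent.append(store.upgrade(login, t0 + 60))
    # 5. Once max-age elapses the entry lapses and the first-visit gap returns.
    sent.append(store.upgrade(login, t0 + 31536000 + 1))
    return sent


if __name__ == "__main__":
    for url in demo():
        print(url)
```

Run it directly and it prints the five URLs of the walkthrough. The part worth noticing is steps 1 and 5: the policy is trust-on-first-use and bounded by max-age, so HSTS only closes the stripping window after one clean HTTPS visit and keeps it closed only as long as the site keeps sending a long enough max-age. That gap is why browsers also ship a built-in preload list, and on the server side the whole mechanism is a single response header that a site already serving HTTPS can add.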

Gillula suspects that Web developers may simply not know about HSTS. But the other problem, he argues, is that Internet Explorer doesn’t support it yet. Apple only just added it to Safari in OS X 10.9. Chrome, Firefox and Opera support the standard.

Microsoft has told EFF that support is coming. We can only hope that’s sooner rather than later.

Meanwhile, IT administrators can remind users which browsers support HSTS and which don’t, and, if they run HTTPS sites themselves, add the Strict-Transport-Security response header so that the browsers that do support it are protected.
