HSTS: A secure standard that isn’t respected enough

There’s never any shortage of security horror stories for us to publish — a break-in here, a theft there — so you’d think that organizations would be knocking themselves out to ensure their offerings have the latest secure technology.

Not so, according to a post by Jeremy Gillula, a staff technologist at the Electronic Frontier Foundation (EFF). In a blog post he complains that most Web sites still don’t support HTTP Strict Transport Security (HSTS), a standard that was approved in the fall of 2012 by the Internet Engineering Steering Group.

HSTS gives browsers a better way of refusing, and warning Internet users about, insecure connections to a site that should only be reached over HTTPS, such as when users have been directed to a phony Web site.

“Without HSTS,” Gillula writes, “browsers have no way of knowing that a website should be delivered securely, and so cannot alert you when a website that ought to be loaded securely (e.g. your bank’s website) is instead loaded via a normal connection (i.e. the unencrypted version the attacker sends to you instead). HSTS fixes that by allowing servers to send a message to the browser saying ‘Hey! Connections to me should be encrypted!’ and allowing browsers to understand and act on that message.”
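The "message" Gillula describes is the Strict-Transport-Security response header. The following is an added illustration, not code from the EFF post or from any browser, of how a browser parses that header and later decides whether a plain http:// request to a host must be rewritten to https://. Host names and the in-memory store are constructed for the example; the rules it applies (max-age, includeSubDomains, max-age=0 removal, ignoring the header on non-TLS responses) follow the HSTS standard.

```python
import time


def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None if malformed."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # max-age must be a non-negative integer
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    if policy["max_age"] is None:
        return None  # max-age is mandatory; header is ignored without it
    return policy


class HstsStore:
    """Minimal stand-in for a browser's list of known HSTS hosts."""

    def __init__(self, now=time.time):
        self.now = now
        self.hosts = {}  # host -> (expiry timestamp, includeSubDomains)

    def process_response(self, host, over_tls, header):
        # The header is only honoured on a secure (TLS) connection;
        # a plain-HTTP response could have been injected by an attacker.
        if not over_tls:
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:
            self.hosts.pop(host, None)  # max-age=0 tells the browser to forget
            return
        expiry = self.now() + policy["max_age"]
        self.hosts[host] = (expiry, policy["include_subdomains"])

    def should_upgrade(self, host):
        """True if http://host must be rewritten to https://host."""
        labels = host.split(".")
        for i in range(len(labels)):  # exact host first, then superdomains
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= self.now():
                continue  # policy has expired
            if i == 0 or include_sub:
                return True
        return False
```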

Gillula suspects that Web developers may simply not know about HSTS. But the other problem, he argues, is that Internet Explorer doesn’t support it yet. Apple only just added it to Safari in OS X 10.9. Chrome, Firefox and Opera support the standard.

Microsoft has told EFF that support is coming. We can only hope that’s sooner rather than later.

Meanwhile, IT administrators can remind users which browsers have this support and which don’t.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
