Google recently announced that it plans to enforce HTTP Strict Transport Security for many of its top-level domains....
What are the security benefits of HTTP Strict Transport Security? Are there any drawbacks?
Google plans to enforce HTTP Strict Transport Security (HSTS) whether or not SSL is used as a search engine optimization ranking signal. The security benefits of this are that HTTP Strict Transport Security provides trust, verifies the SSL certificate and guarantees the integrity of data. The lock icon in the address bar in the browser lets web visitors know the website connection is secure.
Verifying SSL certificates ensures that the organization installing the SSL certificate on a server is its legitimate owner. Being able to guarantee the integrity of data prevents a third party from intercepting and changing data going to and from the web server.
The HTTP Strict Transport Security preload list is built into all major browsers. The list can contain individual domains or subdomains, as well as top-level domains. Google has already implemented HSTS for some of its top-level domains, including .google, .foo and .dev, and Gmail.com is included in the HTTP Strict Transport Security preload list, as well. The browser changes http://gmail.com to https://gmail.com before sending the request. An organization should encrypt visitors' web data in one server, and then get it to a caching server.
The issue is the type of HTTPS implementation an organization chooses: free, paid or cloud-based. A paid implementation may be expensive, but it's easier to do across multiple domains; plus, it is valid for a year or more. The free implementation is only valid for 90 days, and it is incompatible with BlackBerry and Nintendo 3DS.
A bigger issue is that Google recently received a very low grade from SecurityHeaders.io -- a website run by Scott Helme to analyze and rate website response headers -- for not implementing all the necessary HTTP security response headers. SecurityHeaders.io reported that three response headers were not added to a server.
However, Google received credit for implementing two response headers to protect against click-jacking and cross-site scripting attacks. The browsers aren't forced to use the preload list, and the certificates -- which are most likely free -- are valid for 60 days, not for 90 days or a year.
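The following Python is an added illustration, not part of the original column: it models the two HSTS mechanics the answer describes, namely what a Strict-Transport-Security header must carry to qualify for the preload list and how a browser rewrites http:// to https:// for a known HSTS host before any request leaves the machine. The domain names used are constructed samples.

```python
"""Parse Strict-Transport-Security (RFC 6797) headers and model the
browser-side http->https rewrite that HSTS and the preload list cause.
Added example; host names used with it are constructed samples."""
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # hstspreload.org requires max-age of at least one year


def parse_hsts(header: str) -> dict:
    """Return {'max_age', 'include_subdomains', 'preload'}; directive names are
    case-insensitive and values may be quoted, per RFC 6797 section 6.1."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def preload_problems(policy: dict) -> list:
    """Reasons a header would fail the preload list's submission checks."""
    problems = []
    if policy["max_age"] < ONE_YEAR:
        problems.append("max-age below one year")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not policy["preload"]:
        problems.append("preload token missing")
    return problems


def upgrade_url(url: str, known_hosts: dict) -> str:
    """Rewrite http:// to https:// before any request is sent when the host,
    or a parent domain whose policy has includeSubDomains, is a known HSTS host."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    labels = (parts.hostname or "").split(".")
    for i in range(len(labels)):
        policy = known_hosts.get(".".join(labels[i:]))
        if policy and (i == 0 or policy["include_subdomains"]):
            return urlunsplit(("https",) + tuple(parts)[1:])
    return url
```

A preloaded entry behaves like a permanent `known_hosts` record: the rewrite happens even on a first visit, which is what closes the window in which a plain http:// request could be intercepted.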