What's the likelihood that the IETF's new HTTP Strict Transport Security (HSTS) protocol will have a positive effect on enterprise security?
HTTP Strict Transport Security (HSTS) is a protocol being designed to enhance Web security. Here's how it works: When a Web browser connects with a website or Web application and receives a special HSTS message in return, that's a cue to the browser that all communications should be transmitted via HTTPS, which is of course much more secure than unencrypted HTTP.
HSTS, which the IETF published in November 2012, will almost certainly have a positive effect on enterprise security. The primary benefit is that it makes it harder for attackers to conduct man-in-the-middle (MitM) attacks by tricking browsers into using HTTP to transmit packets instead of HTTPS. However, that then brings us to the question of "How are we going to force every site to use SSL?" In an ideal world, all sites would already be end-to-end encrypted, meaning they would use HTTPS exclusively, but realistically some site owners don't have the money or the expertise to do so.
Many popular browsers like Chrome and Firefox already have features installed to follow this protocol, so it's definitely possible that enterprises will see positive security effects on the browser side very quickly. There are also browser add-ons like HTTPS Everywhere and Force TLS that help create SSL connections when possible so as to not communicate over clear text.
I would love to see this protocol become widely used across the Web, with both browser makers and site owners working together to create a more secure World Wide Web. However, I get the same feeling with the HSTS protocol that I get with DNSSEC -- why can't we get it done? It takes both sides to work out this problem. Hopefully with a little bit of evangelism, HSTS will become a standard for securing Web connections.