Google recently announced that it plans to enforce HTTP Strict Transport Security for many of its top-level domains....
What are the security benefits of HTTP Strict Transport Security? Are there any drawbacks?
Google plans to enforce HTTP Strict Transport Security (HSTS) on these domains regardless of whether HTTPS is used as a search engine ranking signal. HSTS itself neither encrypts traffic nor checks certificates; it is a response header, Strict-Transport-Security, that tells the browser to reach the host only over HTTPS for a stated period. The security benefit is that, once the browser knows the policy, it rewrites http:// URLs to https:// before any request leaves the machine, so an attacker on the network never sees a plaintext request to downgrade, redirect or intercept, and a certificate error on an HSTS host becomes a hard failure the user cannot click through. The lock icon in the address bar tells visitors the connection is over TLS; HSTS makes sure there is no unprotected first request before that point.
Certificate verification, which TLS provides and HSTS relies on, assures the visitor that the server presenting the certificate controls the domain name it is connecting to. TLS integrity protection prevents a third party from silently altering data in transit between browser and server; HSTS closes the remaining gap by ensuring the exchange happens over TLS in the first place rather than after an insecure redirect.
The HSTS preload list is compiled into all major browsers, so a preloaded host is protected even on its very first visit, before any header has been seen. Entries can be individual hosts, registrable domains together with their subdomains, or entire top-level domains. Google already preloads several of its own TLDs, including .google, .foo and .dev, so every name under them is HTTPS-only, and gmail.com is on the list as well: the browser changes http://gmail.com to https://gmail.com before sending the request. Note that HSTS only governs the browser's side of the connection; an organization that terminates TLS on one server and serves content from a caching server must keep the path to that cache encrypted as well, or the caching tier becomes the weak point.
A practical issue is which certificate option an organization chooses: free, paid or bundled with a cloud or CDN provider. Paid certificates cost money but were, at the time of writing, issued for a year or more and are easier to manage across many domains. Free certificates from an automated CA such as Let's Encrypt are valid for only 90 days, so renewal has to be automated, and the issuing root was not trusted by some older clients, including BlackBerry and Nintendo 3DS devices. None of this is specific to HSTS, but HSTS raises the stakes: once a policy is cached, an expired or untrusted certificate locks visitors out instead of showing a warning they could bypass.
A separate issue is that Google's site received a low grade from SecurityHeaders.io, a scanner run by Scott Helme that analyzes and rates HTTP security response headers, for not sending all of the recommended headers; the report listed three response headers as absent.
Google did receive credit for the two headers that defend against clickjacking and cross-site scripting attacks. Two further caveats apply. The preload list only protects users of browsers that ship it, so the Strict-Transport-Security header must still be sent for everyone else. And Google's own certificates are short-lived and rotated frequently, so certificate lifetime is less of a constraint for Google than for an organization buying annual certificates.
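To make the mechanism above concrete, here is a small Python model, an added example that is not code from Google, SecurityHeaders.io or this page, of what a browser's HSTS store does: the http-to-https rewrite for preloaded hosts and TLDs, subdomain coverage, max-age expiry and clearing, plus a header audit of the kind SecurityHeaders.io performs that also checks whether a site's HSTS policy would qualify for the preload list. The PRELOAD set is a constructed stand-in holding only the entries named above, EXPECTED_HEADERS is my own selection of recommended headers, and the one-year preload minimum is my reading of the hstspreload.org submission rules.

```python
"""HSTS policy cache and security-header audit (added example, not Google's code)."""
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a browser's preload list, limited to the entries
# the article names. An entry may be a host (gmail.com) or a whole TLD
# (google, foo, dev); preloaded entries always cover subdomains.
PRELOAD = {"gmail.com", "google", "foo", "dev"}
PRELOAD_MIN_MAX_AGE = 31536000  # assumed hstspreload.org minimum: one year
# Headers the audit looks for (my selection, not SecurityHeaders.io's list).
EXPECTED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Frame-Options", "X-Content-Type-Options", "Referrer-Policy")


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if absent or no numeric max-age."""
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and arg.strip().strip('"').isdigit():
            policy["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class HstsStore:
    """Minimal model of a browser's HSTS cache: preload list plus learned hosts."""

    def __init__(self, preload=PRELOAD):
        self.preload = set(preload)
        self.dynamic = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header_value, now):
        """Record a policy from an HTTPS response (browsers ignore the header
        over plain HTTP, so only pass headers received over TLS). max-age=0 clears."""
        policy = parse_hsts(header_value)
        if policy is None:
            return
        host = host.lower()
        if policy["max_age"] == 0:
            self.dynamic.pop(host, None)
        else:
            self.dynamic[host] = (now + policy["max_age"], policy["include_subdomains"])

    def is_known(self, host, now):
        """True if host, or a parent domain whose policy covers subdomains, is HSTS."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:
                return True
            entry = self.dynamic.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:
                del self.dynamic[candidate]  # expired: forget it
            elif i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the browser would actually send for `url`."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname  # RFC 6797: port 80 becomes the HTTPS default port
        if parts.port and parts.port != 80:
            netloc += ":%d" % parts.port
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def audit_headers(headers):
    """Findings for one response: missing headers and HSTS preload-eligibility gaps."""
    present = {name.lower(): value for name, value in headers.items()}
    findings = ["missing " + n for n in EXPECTED_HEADERS if n.lower() not in present]
    raw = present.get("strict-transport-security")
    policy = parse_hsts(raw)
    if policy is not None:
        if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
            findings.append("HSTS max-age below preload minimum")
        if not policy["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains")
        if not policy["preload"]:
            findings.append("HSTS lacks preload directive")
    elif raw is not None:
        findings.append("HSTS header present but unparsable")
    return findings


if __name__ == "__main__":
    store = HstsStore()
    print(store.rewrite("http://gmail.com/inbox", 0))  # preloaded host
    store.observe("example.com", "max-age=300; includeSubDomains", 1000)
    print(store.rewrite("http://www.example.com/a", 1100))  # learned, still live
    print(audit_headers({"Strict-Transport-Security": "max-age=300"}))
```

The two halves illustrate the two sides of the answer: `HstsStore.rewrite` is why a preloaded .dev name or gmail.com never produces a plaintext request, and why a learned policy lapses after max-age unless the header keeps being sent; `audit_headers` shows the kind of finding a scanner reports when a site sends a short max-age or omits includeSubDomains and preload, which is exactly what keeps a domain off the preload list.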
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)