Google recently announced that it plans to enforce HTTP Strict Transport Security for many of its top-level domains. What are the security benefits of HTTP Strict Transport Security? Are there any drawbacks?
Google plans to enforce HTTP Strict Transport Security (HSTS) across a number of its top-level domains, independently of its existing practice of treating HTTPS as a search-ranking signal. HSTS is a response header, Strict-Transport-Security, that instructs a browser to reach the host only over HTTPS for a stated period. Its security benefits are that it closes the plain-HTTP window an attacker needs for SSL stripping and downgrade attacks, it makes certificate errors non-bypassable (the browser refuses the connection instead of offering a click-through warning), and, because every request is forced onto TLS, it preserves the confidentiality and integrity guarantees that the lock icon in the address bar represents to visitors.
Certificate validation assures the visitor that the server presenting the certificate controls the domain the certificate was issued for; HSTS strengthens this by refusing to proceed when validation fails. The integrity guarantee of TLS prevents a third party from intercepting and altering data in transit between the browser and the web server.
The HSTS preload list is compiled into all major browsers. It can contain individual hosts or subdomains as well as entire top-level domains. Google has already added some of its own top-level domains, including .google, .foo and .dev, so every name under them is HTTPS-only from the very first visit, and gmail.com is on the list as well: a browser rewrites http://gmail.com to https://gmail.com before any request leaves the machine, so no plaintext request is ever sent. An organization that fronts its web servers with a caching server or CDN must terminate HTTPS at that layer too, because the HSTS policy applies to every host name the visitor reaches, not only to the origin server.
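The behaviour described above, as an added example that is not code from the original article or from Google: a small model of how a browser applies HSTS. It parses Strict-Transport-Security headers, keeps a per-host policy cache that only HTTPS responses may populate, consults a built-in preload list, and rewrites http:// to https:// before a request is sent; it also checks the conditions a host must meet to be accepted onto the preload list. The host names and the preload entries are constructed for illustration.

```javascript
// Added example, not code from the original article or from Google: a model
// of how a browser applies HTTP Strict Transport Security (RFC 6797).
// Host names and preload entries below are constructed for illustration.

const ONE_YEAR_SECONDS = 31536000;

// Parse a Strict-Transport-Security header value. Returns null when the
// header is malformed or lacks max-age, in which case a browser ignores it.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of headerValue.split(';')) {
    const eq = part.indexOf('=');
    const name = (eq < 0 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq < 0 ? undefined : part.slice(eq + 1).trim().replace(/^"|"$/g, '');
    if (name === 'max-age') {
      if (!/^\d+$/.test(value || '')) return null;
      policy.maxAge = parseInt(value, 10);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    }
  }
  return policy.maxAge === null ? null : policy;
}

// Conditions hstspreload.org requires of the header before listing a host:
// max-age of at least one year, includeSubDomains and the preload token.
function preloadEligible(headerValue) {
  const p = parseHsts(headerValue);
  return !!p && p.maxAge >= ONE_YEAR_SECONDS && p.includeSubDomains && p.preload;
}

class HstsStore {
  constructor(preloadList = []) {
    this.preload = new Map(); // host -> includeSubDomains (compiled into the browser)
    this.known = new Map();   // host -> { expires, includeSubDomains } (learned from headers)
    for (const entry of preloadList) this.preload.set(entry.host, entry.includeSubDomains);
  }

  // Record policy from a response. Only responses received over HTTPS count:
  // a header seen on plain HTTP is ignored, so an on-path attacker can neither
  // plant a policy nor clear one with max-age=0.
  observe(host, headerValue, overHttps, now = Date.now()) {
    if (!overHttps) return;
    const p = parseHsts(headerValue);
    if (!p) return;
    if (p.maxAge === 0) { this.known.delete(host); return; }
    this.known.set(host, { expires: now + p.maxAge * 1000, includeSubDomains: p.includeSubDomains });
  }

  // A host is protected if it, or an ancestor domain flagged includeSubDomains,
  // is in the preload list or in the (unexpired) learned cache.
  isKnown(host, now = Date.now()) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const exact = i === 0;
      if (this.preload.has(candidate) && (exact || this.preload.get(candidate))) return true;
      const dyn = this.known.get(candidate);
      if (dyn) {
        if (dyn.expires <= now) { this.known.delete(candidate); continue; }
        if (exact || dyn.includeSubDomains) return true;
      }
    }
    return false;
  }

  // Rewrite http:// to https:// for known hosts before the request is sent.
  // Explicit non-default ports are left unchanged, as RFC 6797 specifies.
  upgrade(url, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== 'http:' || !this.isKnown(u.hostname, now)) return url;
    u.protocol = 'https:';
    return u.toString();
  }
}

// Constructed preload entries standing in for gmail.com and the .dev top-level domain.
const browser = new HstsStore([
  { host: 'gmail.com', includeSubDomains: true },
  { host: 'dev', includeSubDomains: true },
]);

console.log(browser.upgrade('http://gmail.com/'));        // rewritten from the preload list
console.log(browser.upgrade('http://app.example.dev/'));  // covered by the .dev TLD entry
console.log(browser.upgrade('http://example.test/'));     // unknown host: sent as-is
```

The `observe` method is the part worth dwelling on: a policy is only ever learned from an HTTPS response, which is why the very first visit to a host that is not preloaded remains exposed, and why preloading matters for a domain as widely used as gmail.com.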
The main practical issue is the type of certificate an organization chooses for its HTTPS deployment: free, paid or provisioned through a cloud provider. A paid certificate costs money, but it is easier to manage across multiple domains and is valid for a year or more. A free certificate such as Let's Encrypt's is valid for only 90 days, so renewal has to be automated, and at the time of writing its root was not trusted by some older clients, among them BlackBerry devices and the Nintendo 3DS.
A bigger issue is that Google recently received a low grade from SecurityHeaders.io, a scanner run by Scott Helme that analyzes and rates a site's HTTP response headers, for not sending all the recommended security headers; the scan reported three headers missing from the server's responses.
Google did receive credit for two headers that are present, the ones SecurityHeaders.io checks for protection against click-jacking and cross-site scripting. Two further caveats apply. Preloading only helps in browsers that ship the list; a browser without it learns the policy from the Strict-Transport-Security header on the first HTTPS response, so the first plain-HTTP visit is unprotected. And Google's certificates are issued by its own certificate authority rather than bought or obtained free from a third party; they are short-lived, valid for about 60 days, rather than the 90 days of a free certificate or the year or more of a paid one.
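The kind of check a scanner such as SecurityHeaders.io performs, as an added example that is not the article's code nor the scanner's own logic: an offline audit of a response's security headers that reports what is missing or weak. The header sets are constructed; the checks follow current browser behaviour rather than any scanner's exact scoring, and the legacy X-XSS-Protection header the scan credited is deliberately not required, since current browsers no longer honour it.

```javascript
// Added example, not from the article or from SecurityHeaders.io: an offline
// audit of the response headers such scanners look for. The header sets
// below are constructed; the checks follow current browser behaviour rather
// than any scanner's exact scoring.

const ONE_YEAR = 31536000;

// Returns a list of findings; an empty list means every check passed.
function auditSecurityHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const findings = [];

  // HSTS: present, with a max-age long enough to matter (preload requires one year).
  const hsts = h['strict-transport-security'];
  if (hsts === undefined) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m) findings.push('Strict-Transport-Security has no max-age');
    else if (parseInt(m[1], 10) < ONE_YEAR) findings.push('Strict-Transport-Security max-age is below one year');
  }

  // Cross-site scripting: Content-Security-Policy is the control that matters.
  // The legacy X-XSS-Protection header is ignored by current browsers, so it is
  // not required here. 'unsafe-inline' without a nonce or hash defeats the policy.
  const csp = h['content-security-policy'];
  if (csp === undefined) {
    findings.push('missing Content-Security-Policy');
  } else if (/'unsafe-inline'/.test(csp) && !/'nonce-|'sha(256|384|512)-/.test(csp)) {
    findings.push("Content-Security-Policy allows 'unsafe-inline' without a nonce or hash");
  }

  // Click-jacking: X-Frame-Options DENY/SAMEORIGIN, or the CSP frame-ancestors directive.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const hasFrameAncestors = csp !== undefined && /frame-ancestors/i.test(csp);
  if (!hasFrameAncestors && xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    findings.push('no click-jacking protection (X-Frame-Options or frame-ancestors)');
  }

  // MIME sniffing and referrer leakage.
  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }
  if (h['referrer-policy'] === undefined) findings.push('missing Referrer-Policy');

  return findings;
}

// Constructed response in the shape the article describes: the legacy
// anti-click-jacking and anti-XSS headers present, the rest absent.
const weakResponse = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Frame-Options': 'SAMEORIGIN',
  'X-XSS-Protection': '1; mode=block',
};

// Constructed hardened response that passes every check.
const hardenedResponse = {
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

console.log(auditSecurityHeaders(weakResponse));      // four findings
console.log(auditSecurityHeaders(hardenedResponse));  // []
```

Run it against the headers captured from your own site with a browser's network panel or `curl -I`; the findings list is the to-do list, and the HSTS check doubles as a first pass on whether the header is strong enough to submit for preloading.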
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)