Accurate, Focused Research on Law, Technology and Knowledge Discovery Since 2002

EFF – Websites Must Use HSTS in Order to Be Secure

EFF: “You would think that by now the Internet would have grown up enough that things like online banking, email, or government websites would rely on thoroughly engineered security to make sure your data isn’t intercepted by attackers. Unfortunately when it comes to the vast majority of websites on the Internet, that assumption would be dead wrong. That’s because most websites (with a few notable exceptionsdon’t yet support a standard called HSTS—HTTPS Strict Transport Security. Why is lack of HSTS even an issue? To see what could go wrong, imagine the following common scenario. You’re in a coffee shop and you want to check your bank account. You pop open your laptop, connect to the free wifi, load up your web browser, and type in your bank’s URL. No security alerts pop up when you load the page, and there’s even a padlock icon next to the address, so you go ahead and login. Unfortunately, you could very well have just sent your login information to a potential attacker…In response to questions from EFF about this situation, a Microsoft spokesperson told EFF that the company would now commit to supporting HSTS in the next major release of Internet Explorer (we aren’t sure whether we have persuaded Microsoft to implement HSTS sooner, though that seems quite likely, and is great news). This means that with the next major release of IE, every major browser will support properly secured websites.”

Leave a reply