Forcing browsers to use encryption

Chrome and Firefox are or will be using new HTTP Strict Transport Security technology, which allows Web servers to force secure connections with browsers.


Help is on the way for Web surfers who run the risk of having their Facebook, Twitter, and other Web accounts hijacked over unsecured Wi-Fi networks, and who face other security problems that stem from sites not using encryption.

A Web security mechanism called HTTP Strict Transport Security (HSTS) is making its way through the IETF (Internet Engineering Task Force) standards process, and two of the major browsers are supporting it. Web sites that implement HSTS will prompt the browser to always connect to a secure version of the site, using "https," without the Web surfer having to remember to type that in the URL bar.

It will render tools like Firesheep useless. Firesheep is a Firefox add-on that lets people easily capture the HTTP session cookies that sites use to communicate with computers; it was released at ToorCon last month.

HSTS is used in Google Chrome and the NoScript and Force-TLS Firefox plug-ins and is being implemented in the upcoming version of Firefox, according to a blog post by Jeff Hodges, a security engineer at PayPal. Hodges wrote the original draft specification for HSTS with Collin Jackson, a former Googler and current assistant research professor at Carnegie Mellon University Silicon Valley, and Adam Barth, a Google engineer.


"This allows for full-session encryption," Jackson told CNET. "A user won't see an insecure version of the site."

PayPal and other Web sites have started to use the feature and more are waiting to adopt it once it is implemented in more browsers, he said. "We're waiting on Microsoft to pick it up," Jackson said.

Asked if Microsoft is considering using HSTS in Internet Explorer, a spokesperson provided this comment: "We don't support it in IE9 but are committed to delivering trusted browsing experience and will continue to listen to customers."

Apple spokespeople did not respond to an e-mail asking for comment for this story.

Update 4 p.m. PST Nov. 16: The Electronic Frontier Foundation issued an appeal today to Microsoft and Apple to support HSTS in their browsers.

"Indeed, ultimately we expect HTTPS (and possibly SPDY) to replace HTTP entirely, the way SSH replaced Telnet and rsh," the EFF blog post says. "We recently enabled HSTS for It took less than an hour to set up, and we found a way to do it without forcibly redirecting users to HTTPS, so we can state an unequivocal preference for HTTPS access while still making the site available in HTTP. It worked like a charm and a significant fraction of our users are now automatically accessing our site in HTTPS, perhaps without even knowing it."
