The technology to prevent some types of attacks against HTTPS connections is now mature, but adoption is low
A Web security policy mechanism that promises to make HTTPS-enabled websites more resilient to various types of attacks has been approved and released as an Internet standard -- but despite support from some high-profile websites, adoption elsewhere is still low.
HTTP Strict Transport Security (HSTS) lets a website declare, via a response header, that it must only be reached over HTTPS. A browser that has recorded the policy rewrites any http:// request to that host into https:// before the request leaves the machine, and treats certificate errors for that host as fatal rather than as a warning the user can click through. The mechanism was designed to stop attackers on the network path from downgrading a user's connection to plain HTTP, and to keep mistakes in a site's HTTPS deployment from undermining the integrity of its content.
The Internet Engineering Task Force (IETF), the body responsible for developing and promoting Internet standards, published the HSTS specification as an official standards document, RFC 6797, on Monday. IETF's Web Security Working Group had been working on it since 2010, when it was first submitted as a draft by Jeff Hodges from PayPal, Collin Jackson from Carnegie Mellon University and Adam Barth from Google.
HSTS also narrows the so-called mixed content problem. Mixed content occurs when a page served over HTTPS embeds scripts, stylesheets, images or other resources by http:// URL, whether through a development error or by design; an active attacker who can tamper with that single insecure load can inject script into an otherwise secure page. HSTS helps only as far as the policy reaches: the browser upgrades an http:// subresource request only when its host is itself a known HSTS host, that is, the site's own domain, its subdomains if the policy was set with includeSubDomains, or a third-party host that has separately sent its own HSTS header. A hard-coded http:// reference to a third-party host that has not set HSTS is still fetched in the clear.
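To make the browser-side behaviour concrete, the following is an added example (not code from the article or from any browser or from RFC 6797's authors) of a minimal HSTS policy store as a user agent would keep it: it parses the Strict-Transport-Security header, installs a policy only from an HTTPS response, matches hosts and subdomains, and rewrites http:// URLs. The host names (bank.example, cdn.third-party.example) and the header values are constructed for the example. The last rewrite call shows the caveat above: a third-party host without its own policy is left on plain HTTP.

```python
"""Minimal HSTS policy store modelled on RFC 6797 (added example, not browser code)."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires_at: float          # absolute time (seconds) at which the policy lapses
    include_subdomains: bool   # includeSubDomains directive was present


def parse_sts_header(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None if the header must be
    ignored: max-age is required, a directive may not be repeated, and max-age
    must be a non-negative integer. Directive names are case-insensitive and
    unrecognised directives are skipped.
    """
    max_age = None
    include_sub = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # max-age may be a quoted-string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.entries = {}       # host name -> HstsEntry

    def process_response(self, url, headers):
        """Install or remove a policy from one response. Returns True if a policy changed.

        Only an HTTPS response counts (a real UA additionally requires that the TLS
        handshake produced no errors); the header over plain HTTP is ignored, which
        is what stops a network attacker from planting a bogus policy.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        parsed = parse_sts_header(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:                       # max-age=0 withdraws the policy
            self.entries.pop(host, None)
        else:
            self.entries[host] = HstsEntry(self.now() + max_age, include_sub)
        return True

    def is_known_hsts_host(self, host):
        """Exact match, or a superdomain match when that entry set includeSubDomains."""
        host = host.lower()
        now = self.now()
        entry = self.entries.get(host)
        if entry and entry.expires_at > now:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = self.entries.get(".".join(labels[i:]))
            if parent and parent.expires_at > now and parent.include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for a known HSTS host; explicit port 80 becomes 443,
        any other explicit port is kept. Other URLs are returned unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if not self.is_known_hsts_host(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port == 80:
            netloc += ":443"
        elif parts.port is not None:
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    store.process_response("https://bank.example/",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(store.rewrite("http://bank.example/login"))              # upgraded
    print(store.rewrite("http://static.bank.example/app.js"))      # upgraded via includeSubDomains
    print(store.rewrite("http://cdn.third-party.example/lib.js"))  # unchanged: mixed content remains
```

The store is deliberately the simplest thing that follows the RFC's processing rules; a real browser also persists entries, ships a preload list, and refuses to proceed past certificate errors for any host the store knows.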