Low adoption rate of HSTS website security mechanism is worrying, EFF says

The advocacy group cites insufficient awareness among developers and lack of support across all browsers as the likely reasons

Almost a year and a half after the HTTP Strict Transport Security (HSTS) mechanism was established as a standard, its adoption rate among websites remains low because developers are not aware of its benefits and Internet Explorer still doesn't support it, according to the advocacy group Electronic Frontier Foundation.

HSTS is a policy mechanism, implemented as an HTTP response header, that lets a website instruct browsers to connect to it only over HTTPS for a set period of time, which later responses can renew. The mechanism is important because it can block some man-in-the-middle attacks that hackers can easily execute on wireless networks or from compromised Internet gateway devices.

One such attack is known as SSL stripping and involves intercepting browser requests to HTTPS sites and serving back the requested pages over plain HTTP instead of encrypted connections. If they're not paying close attention, the targeted users might never realize that they're not visiting a secure page.

HSTS can also prevent man-in-the-middle attackers from injecting malicious code into resources that HTTPS pages load from third-party locations over unencrypted links, a common situation known as a mixed content issue.

"Without HSTS, browsers have no way of knowing that a website should be delivered securely, and so cannot alert you when a website that ought to be loaded securely (e.g. your bank's website) is instead loaded via a normal connection (i.e. the unencrypted version the attacker sends to you instead)," said Jeremy Gillula, a staff technologist at the EFF, in a blog post Friday. "HSTS fixes that by allowing servers to send a message to the browser saying 'Hey! Connections to me should be encrypted!' and allowing browsers to understand and act on that message."

However, browser support for HSTS has been incomplete, which has likely discouraged websites from enabling the mechanism.

"Only Chrome, Firefox, and Opera have had HSTS support for a significant period," the EFF technologist said. "This is changing though: we noticed that Apple quietly added HSTS support to Safari in OS X 10.9. For now, Internet Explorer doesn't support HSTS -- which means that there's basically no such thing as a secure website in IE."

According to a March report by the SSL Pulse project, only 1,219 out of around 158,270 HTTPS-enabled sites had implemented HSTS. The SSL Pulse project regularly scans and tracks changes in the SSL implementations of the most popular HTTPS sites on the Internet as listed by Internet statistics firm Alexa.

According to Gillula, a Microsoft spokesperson told the EFF that the company is committed to adding support for HSTS in the next major release of Internet Explorer. "This means that with the next major release of IE, every major browser will support properly secured websites," Gillula said.

Microsoft did not immediately respond to a request for comment sent Monday, but the company's status.modern.ie website lists the HSTS feature as "in development."

One problem with HSTS is that it assumes the first-ever connection from a browser to an HTTPS website is made securely, without a man-in-the-middle attacker interfering and stripping the HSTS policy header. To partially mitigate this problem, Google Chrome and Mozilla Firefox ship with pre-loaded lists of HSTS sites.

Users can also install the EFF's HTTPS Everywhere browser extension to get almost the same effect on sites that support HTTPS, but don't yet have HSTS enabled.

"HTTPS Everywhere automatically tells your browser to use secured connections on many (but not all) websites that support them; on many domains it functions like a client-initiated equivalent of the serverside HSTS mechanism," Gillula said.

Stories by Lucian Constantin