HSTS, the HTTP Strict Transport Security protocol, has been approved as a proposed standard by the IETF. HSTS is designed to allow web sites to ensure that only secure connections are being made to them by informing browsers that they should use a secure connection. The mechanism works by the server responding with a Strict-Transport-Security header which signals to the browser that it should connect using HTTPS for a time, not only for this connection but, potentially for subdomains as well. Once a browser gets this header it is under orders to only use secure connections to the site.

Many sites have previously either used HTTP redirects to get users to their secure pages or insecurely taken user names and passwords before sending the user on their way to an HTTPS page. HSTS reduces the ability for an attacker listening in on those connections to gather cookies or other data which may be exchanged on a session which began insecurely; a flaw which Firesheep has exploited since 2010.

HSTS has already been picked up by the industry, with PayPal, Blogspot and Etsy implementing the server side and Chrome, Firefox and Opera implementing the browser side. Microsoft's Internet Explorer and Apple's Safari have yet to incorporate HSTS.

The draft has been approved by the IESG, the Internet Engineering Steering Group, which is responsible for the technical management of the IETF. With widespread implementations and a higher degree of maturity, HSTS can expect to formally become an Internet Standard in the future.

(djwm)