Almost a year and a half after the HTTP Strict Transport Security (HSTS) mechanism was established as a standard, its adoption rate by websites remains low because developers are not aware of its benefits and Internet Explorer still doesn’t support it, according to advocacy group the Electronic Frontier Foundation.
HSTS is a policy mechanism implemented as an HTTP header field that allows websites to instruct browsers to only connect to them using HTTPS for a period of time that can be renewed. The mechanism is important because it can block some man-in-the-middle attacks that hackers can easily execute on wireless networks or from compromised Internet gateway devices.
One such attack is known as SSL stripping and involves intercepting browser requests to HTTPS sites and serving back the requested pages over plain HTTP instead of encrypted connections. If they’re not paying close attention, the targeted users might never realize that they’re not visiting a secure page.
HSTS can also prevent man-in-the-middle attackers from potentially injecting malicious code into resources loaded on HTTPS pages from third-party locations over non-encrypted links, a common occurrence known as a mixed content issue.
“Without HSTS, browsers have no way of knowing that a website should be delivered securely, and so cannot alert you when a website that ought to be loaded securely (e.g. your bank’s website) is instead loaded via a normal connection (i.e. the unencrypted version the attacker sends to you instead),” said Jeremy Gillula, a staff technologist at the EFF, in a blog post Friday. “HSTS fixes that by allowing servers to send a message to the browser saying ‘Hey! Connections to me should be encrypted!’ and allowing browsers to understand and act on that message.”
However, support for HSTS in browsers has been incomplete, which has likely discouraged websites from enabling the mechanism.
“Only Chrome, Firefox, and Opera have had HSTS support for a significant period,” the EFF technologist said. “This is changing though: we noticed that Apple quietly added HSTS support to Safari in OS X 10.9. For now, Internet Explorer doesn’t support HSTS—which means that there’s basically no such thing as a secure website in IE.”
According to a March report by the SSL Pulse project, only 1,219 out of around 158,270 HTTPS-enabled sites had implemented HSTS. The SSL Pulse project regularly scans and tracks changes in the SSL implementations of the most popular HTTPS sites on the Internet as listed by Internet statistics firm Alexa.
According to Gillula, a Microsoft spokesperson told the EFF that the company is committed to adding support for HSTS in the next major release of Internet Explorer. “This means that with the next major release of IE, every major browser will support properly secured websites,” Gillula said.
Microsoft did not immediately respond to a request for comment sent Monday, but the company’s status.modern.ie website lists the HSTS feature as “in development.”
One problem with HSTS is that it assumes the first-ever connection from a browser to an HTTPS website is made securely, without a man-in-the-middle attacker interfering and removing the HSTS policy header. To partially mitigate this problem, Google Chrome and Mozilla Firefox ship with pre-loaded lists of HSTS sites.
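The behaviour described above, as an added example written for this page rather than code from the EFF, a browser vendor or the article: a small Python model of a browser's HSTS store following RFC 6797. It parses the Strict-Transport-Security header, upgrades http:// requests (including subresource requests) for hosts it knows, ignores the header when it arrives over plain HTTP (which is exactly why the first connection is unprotected and a preload list is needed), and expires policies when their max-age runs out. The hosts `bank.example` and `shop.example`, the preload entry and the timestamps are constructed for the demonstration.

```python
"""Model of a browser HSTS policy store (RFC 6797 semantics), constructed example."""
import re
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Stand-in for the Chrome/Firefox preload list: host -> includeSubDomains.
# Constructed entry; the real lists are shipped with the browser.
PRELOADED_HOSTS = {"bank.example": True}


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time; inf for preloaded (static) entries
    include_subdomains: bool


def parse_sts_header(value):
    """Return (max_age_seconds, include_subdomains) or None if the header is invalid.

    RFC 6797 s6.1: directives are ';'-separated, names are case-insensitive,
    max-age is mandatory, a repeated directive makes the whole header invalid,
    and unknown directives (e.g. 'preload') are ignored.
    """
    max_age, include_sub, seen = None, False, set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    def __init__(self, preloaded=None, now=time.time):
        self.now = now
        self.policies = {h: HstsPolicy(float("inf"), inc) for h, inc in (preloaded or {}).items()}

    def observe_response(self, url, headers):
        """Learn a policy from a response. Returns True if a header was accepted.

        The header is only honoured on a genuine HTTPS response; over plain HTTP
        an attacker controls the bytes, so the browser must ignore it.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
        parsed = parse_sts_header(value) if value is not None else None
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        current = self.policies.get(host)
        if current and current.expires_at == float("inf"):
            return True  # simplification: a dynamic header never weakens a preloaded entry
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.policies[host] = HstsPolicy(self.now() + max_age, include_sub)
        return True

    def is_known_host(self, host):
        """Exact match, or a superdomain whose policy has includeSubDomains."""
        if not host:
            return False
        labels = host.lower().rstrip(".").split(".")
        now = self.now()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= now:
                del self.policies[candidate]  # expired: prune and keep looking
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts (RFC 6797 s8.3); port 80 becomes 443."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_host(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Walk through the cases the article describes; returns a dict for inspection."""
    clock = [1_700_000_000.0]  # constructed fixed clock so expiry is deterministic
    store = HstsStore(PRELOADED_HOSTS, now=lambda: clock[0])
    r = {}
    r["preload"] = store.rewrite("http://bank.example/login")           # upgraded before any header seen
    r["preload_sub"] = store.rewrite("http://www.bank.example/")         # includeSubDomains from preload
    r["http_ignored"] = store.observe_response("http://shop.example/",   # stripped connection: ignored
                                               {"Strict-Transport-Security": "max-age=31536000"})
    r["shop_before"] = store.rewrite("http://shop.example/")             # still unknown, stays http
    r["https_learned"] = store.observe_response("https://shop.example/",
                                                {"strict-transport-security": "max-age=300; includeSubDomains"})
    r["shop_after"] = store.rewrite("http://shop.example/cart")
    r["shop_sub"] = store.rewrite("http://static.shop.example:80/app.js")  # subresource on a covered host
    clock[0] += 301                                                       # policy has now expired
    r["shop_expired"] = store.rewrite("http://shop.example/")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14} {v}")
```

The decision that matters for SSL stripping is in `is_known_host` and `rewrite`: a known host's http:// URL never leaves the browser, so the attacker's downgraded page is never requested. Everything else is bookkeeping that makes that decision safe, in particular refusing to learn from plain-HTTP responses and forgetting expired entries.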
Users can also install the EFF’s HTTPS Everywhere browser extension to get almost the same effect on sites that support HTTPS, but don’t yet have HSTS enabled.
“HTTPS Everywhere automatically tells your browser to use secured connections on many (but not all) websites that support them; on many domains it functions like a client-initiated equivalent of the server-side HSTS mechanism,” Gillula said.