A Web security protocol designed to protect Internet users from Internet hijackings due to unencrypted Web sites has won approval as a proposed standard.
A steering group for the Internet Engineering Task Force (IETF) gave its blessing to a draft of HTTP Strict Transport Security (HSTS), an opt-in security enhancement in which Web sites prompt browsers to always interact over a secure connection.
Web browsers complying with the policy will automatically switch insecure links to a secure version of the site, using “https,” without the Web surfer having to remember to type that in the URL bar.
HSTS is designed to deflect HTTP session hijacking, in which limited encryption used on many popular Web sites put user accounts at risk of compromise by someone snooping on session traffic between the user’s computer and the site’s server. Sites typically encrypt the username and password as they are transmitted, but unless the entire Web session is encrypted with “https,” or secure hypertext transfer protocol, someone sniffing the network could capture the cookie information and use that to access the accounts.
Whether the proposal is accepted as a standard depends on its degree of technical maturity and whether there is a general consensus that the protocol provides significant benefit to the Internet community.
The technology is already supported by sites and services such as PayPal, Blogspot, and Etsy. It’s also included in the Chrome, Firefox4, and Opera 12 Web browsers. However, Microsoft’s Internet Explorer and Apple’sSafari have not yet embraced HSTS.