
Communications of the ACM

ACM TechNews

Forcing Browsers to Use Encryption



The Internet Engineering Task Force has developed a security mechanism to mitigate the threat from browser add-ons that allow attackers to easily capture the cookies that websites use to communicate with computers. When a website implements the security mechanism, known as HTTP Strict Transport Security (HSTS), the browsers of users visiting that site are forced to connect to a secure version of the page, regardless of whether the user types https into the URL bar.

HSTS addresses several security issues that arise when websites do not use encryption, including the hijacking of Web accounts over insecure Wi-Fi networks. HSTS already is being used in Google Chrome and the NoScript and Force-TLS plug-ins for Firefox. The next version of Firefox also will use HSTS, although Microsoft's Internet Explorer 9 does not support the mechanism.

Meanwhile, several websites, including PayPal, have begun using HSTS. Additional sites could adopt the mechanism once it is supported by more browsers, particularly Internet Explorer.

From CNet

Abstracts Copyright © 2010 Information Inc., Bethesda, Maryland, USA


 
