, Connections Now Encrypted By HTTP Strict Transport Security

Posted by at 11:19 am on August 2, 2016 was one of the first major online services to adopt HTTPS encryption by default, which it did years ago. The site is now adding the HTTP Strict Transport Security (HSTS) feature, which means users won’t be able to reach the site unless they do it through the encrypted channel. Google also announced that would also gain HSTS protection.

Normally, people go to a site by typing the domain name into the address bar of their browser. However, they don’t usually include “https://” before writing that domain name, which means the browser will point them to the unencrypted version of the site. Most sites that use HTTPS encryption will automatically redirect you to the encrypted version of the site even if you enter its name without “https://” in front.

The problem is there is still a small window of opportunity for an attacker to take advantage of the redirect. It also allows attackers to strip the SSL protection and downgrade the connection to HTTP.

The HSTS policy can guarantee that a user can only access the website through an encrypted HTTPS channel after a person’s first visit to a site. The visitor’s browser will remember that the site uses HSTS, and it will only allow HTTPS connections for that site until the header expires.

For now, the HSTS header will have an expiration date of only one day as the company continues to experiment with the change. Every day a visitor will get a new HSTS header that will last another day, and so on. The limited window isn’t ideal because every day there will be a chance for an attacker to downgrade the user’s connection to from HTTPS to HTTP before the user receives the new header.

Google allows the HSTS headers to expire so soon (for now) because if something goes wrong, its users will be locked out of using for only a day, rather than a month or more. The company also gave an example of this feature breaking its Santa Tracker just before Christmas last year, although Google was able to fix it by Christmas Eve. Over the next few months, and after much more live testing on, the company plans to extend the header lifecycle to at least one year.

Google said that it would protect by HSTS as well, which not only increases security, but it also cuts down the latency for its users. The company also added that it would secure over an encrypted HTTPS channel for 97 percent of its users. Google can’t protect the remaining 3 percent of users with modern HTTPS right now, but as they get new devices, it will protect them as well.

Leave a Reply

Sign Up For Our Newsletter

Sign up to receive breaking news
as well as receive other site updates

Enter your Email

Preview | Powered by FeedBlitz

Log in

Copyright © 2008 - 2023 · StreetCorner Media , LLC· All Rights Reserved ·