
Tuesday 4 September 2012

New Ways to Force Browsers to be Safe


HTTPS is old (it was devised in 1994 by Netscape for Navigator), but it has always been seen as optional for most sites. That is changing as the number of real-world abuses of users on the web increases. Using HTTPS makes safe browsing much easier, and two developments in web technology make it easier to use HTTPS more often. One is a client-side technology, the other a new server-client standard.

Many sites support HTTPS but don't default to it. In order to help users invoke HTTPS on the site, the EFF (Electronic Frontier Foundation) and the Tor Project created HTTPS Everywhere, a Firefox add-on which reviews all HTTP requests from the browser to sites on a whitelist and changes them to appropriate HTTPS requests. HTTPS Everywhere maintains rules for over 1000 sites on the whitelist.

There are some downsides to HTTPS Everywhere, starting with the fact that it only works with Firefox. Other browsers, such as Google Chrome, don't support the features (mainly request rewriting) that HTTPS Everywhere needs. This may change in the future. The other problem with the HTTPS Everywhere approach is that its maintainers have to keep rules current for an enormous number of sites on the Internet, instead of relying on a generic solution.

HSTS (HTTP Strict Transport Security) takes a different approach to the problem. It is a standard through which web sites can tell clients (mainly browsers) that they will only support HTTPS communications. If a client makes an HTTP request and HSTS is enabled on the server, the server responds with a special header, 'Strict-Transport-Security', carrying a 'max-age' parameter that specifies the number of seconds during which the client may only reconnect over HTTPS. While the initial HTTP request is unprotected, the client should know to use only secure communications thereafter.
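The two mechanisms described above, as an added example that is not code from the original article, pcmag, the EFF, or the HTTPS Everywhere project. Part 1 is a static rewrite list in the spirit of HTTPS Everywhere's rulesets (the regex rules here are constructed for the example and are not the add-on's real rules). Part 2 is a client-side HSTS cache that learns the policy from the 'Strict-Transport-Security' header and upgrades later HTTP URLs for that host. It follows RFC 6797 on two points that go beyond the article: the header is only honoured when it arrives over HTTPS (which is why servers in practice redirect HTTP to HTTPS and send the header on that response), and the optional 'includeSubDomains' directive extends the policy to subdomains. Host names, the clock callback and all sample URLs are assumptions for the demonstration.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

# --- Part 1: static, client-side rewriting (HTTPS Everywhere style) ---
# Constructed rules: (compiled "from" pattern, "to" replacement). The real
# add-on ships thousands of such rules as XML; these two are illustrative only.
STATIC_RULES = [
    (re.compile(r"^http://(www\.)?example\.com/"), r"https://www.example.com/"),
    (re.compile(r"^http://(\w+\.)?example\.org/"), r"https://\1example.org/"),
]


def rewrite_static(url):
    """Rewrite an HTTP URL to HTTPS if it matches a whitelisted rule."""
    for pattern, replacement in STATIC_RULES:
        if pattern.match(url):
            return pattern.sub(replacement, url, count=1)
    return url  # unknown site: the static approach cannot help here


# --- Part 2: server-driven policy (HSTS) ---
class HstsCache:
    """Minimal HSTS policy store, modelled on the user-agent rules of RFC 6797."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.entries = {}         # host -> (expires_at, include_subdomains)

    def process_response(self, host, scheme, headers):
        """Record the policy carried by a Strict-Transport-Security header.

        Returns True if the cache was updated. Per RFC 6797 the header is
        ignored unless it was received over HTTPS: an attacker on the
        unprotected HTTP leg must not be able to plant or clear a policy.
        """
        if scheme != "https":
            return False
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(arg.strip().strip('"'))
                except ValueError:
                    return False      # malformed header: ignore it entirely
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False              # max-age is mandatory
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)   # max-age=0 withdraws the policy
            return True
        self.entries[host] = (self.now() + max_age, include_sub)
        return True

    def is_known_host(self, host):
        """True if host (or a parent with includeSubDomains) has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if self.now() >= expires_at:
                del self.entries[candidate]    # expired: forget it
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when the host has an HSTS policy."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_host(parts.hostname or ""):
            return url
        # RFC 6797: an explicit port 80 becomes 443; other explicit ports stay.
        netloc = f"{parts.hostname}:443" if parts.port == 80 else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The contrast the article draws shows up directly in the code: rewrite_static can only help for hosts someone has already written a rule for, while HstsCache needs no per-site maintenance but also knows nothing until the first successful HTTPS response from a host has been seen, which is exactly the unprotected first request the article mentions.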

HSTS has been supported in Google Chrome and Firefox since version 4 of each browser. Many web sites, including PayPal and a number of Google subdomains (chrome.google.com, checkout.google.com, etc.), support it.

In the long run, standards like HSTS are a better solution than hacks like HTTPS Everywhere. Currently Internet Explorer has no support for either and I see no indication that Microsoft plans to support them (or that the EFF is interested in supporting Internet Explorer for that matter).

Source: pcmag.com
