Communications of the ACM
Forcing Browsers to se Encryption
The Internet Engineering Task Force has developed a security mechanism to mitigate the threat from browser add-ons that allow attackers to easily capture the cookies that websites use to communicate with computers. When a website implements the security mechanism, known as HTTP Strict Transport Security (HSTS), the browsers of users visiting that site are forced to connect to a secure version of the page, regardless of whether the user types https into the URL bar.
HSTS addresses several security issues that arise when websites do not use encryption, including the hijacking of Web accounts over insecure Wi-Fi networks. HSTS already is being used in Google Chrome and the NoScript and Force-TLS plug-ins for Firefox. The next version of Firefox also will use HSTS, although Microsoft's Internet Explorer 9 does not support the mechanism.
Meanwhile, several websites, including PayPal, have begun using HSTS. Additional sites could adopt the mechanism once it is supported by more browsers, particularly Internet Explorer.
From CNet
View Full Article
Abstracts Copyright © 2010 Information Inc., Bethesda, Maryland, USA 
No entries found