A Web security protocol designed to protect Internet users from Internet hijackings due to unencrypted Web sites has won approval as a proposed standard.
A steering group for the Internet Engineering Task Force (IETF) gave its blessing to a draft of HTTP Strict Transport Security (HSTS), an opt-in security enhancement in which Web sites prompt browsers accessing it to always interact with it over a secure connection.
Web browsers complying with the policy will automatically switch insecure links to site to a secure version of the site, using "https," without the Web surfer having to remember to type that in the URL bar.
HSTS is designed to deflect HTTP session hijacking, in which limited encryption used on many popular Web sites put user accounts at risk of compromise by someone snooping on session traffic between the user's computer and the site's server. Sites typically encrypt the username and password as they are transmitted, but unless the entire Web session is encrypted with "https," or secure hypertext transfer protocol, someone sniffing the network could capture the cookie information and use that to access the accounts.
Related stories
No comments:
Post a Comment