Help is on the way for Web surfers who run the risk of having their Facebook, Twitter, and other Web accounts hijacked over unsecured Wi-Fi networks and other security issues that result from sites not using encryption.
A Web security mechanism called HTTP Strict Transport Security (HSTS) is making its way through the IETF (Internet Engineering Task Force) standards process, and two of the major browsers are supporting it. Web sites that implement HSTS will prompt the browser to always connect to a secure version of the site, using "https," without the Web surfer having to remember to type that in the URL bar.
It will render useless tools like Firesheep, a Firefox add-on that lets people easily capture HTTP session cookies that sites use to communicate with computers. Firesheep was released at ToorCon last month.
HSTS is used in Google Chrome and the NoScript and Force-TLS Firefox plug-ins and is being implemented in the upcoming version of FireFox, according to a blog post by Jeff Hodges, a security engineer at PayPal. Hodges wrote the original draft specification for HSTS with Collin Jackson, a former Googler and current assistant research professor at Carnegie Mellon University Silicon Valley, and Adam Barth, a Google engineer.
"This allows for full-session encryption," Jackson told CNET. "A user won't see an insecure version of the site."
PayPal and other Web sites have started to use the feature and more are waiting to adopt it once it is implemented in more browsers, he said. "We're waiting on Microsoft to pick it up," Jackson said.
Asked if Microsoft is considering using HSTS in Internet Explorer, a spokesperson provided this comment: "We don't support it in IE9 but are committed to delivering trusted browsing experience and will continue to listen to customers."
Apple spokespeople did not respond to an e-mail asking for comment for this story.Update 4 p.m PST Nov. 16: The Electronic Frontier Foundation issued an appeal today to Microsoft and Apple to support HSTS in their browsers.
"Indeed, ultimately we expect HTTPS (and possibly SPDY) to replace HTTP entirely, the way SSH replaced Telnet and rsh," the EFF blog post says. "We recently enabled HSTS for eff.org. It took less than an hour to set up, and we found a way to do it without forcibly redirecting users to HTTPS, so we can state an unequivocal preference for HTTPS access while still making the site available in HTTP. It worked like a charm and a significant fraction of our users are now automatically accessing our site in HTTPS, perhaps without even knowing it."