descLOG

Help is on the way for Web surfers who run the risk of having their Facebook, Twitter, and other Web accounts hijacked over unsecured Wi-Fi networks and other security issues that result from sites not using encryption.

A Web security mechanism called HTTP Strict Transport Security (HSTS) is making its way through the IETF (Internet Engineering Task Force) standards process, and two of the major browsers are supporting it. Web sites that implement HSTS will prompt the browser to always connect to a secure version of the site, using “https,” without the Web surfer having to remember to type that in the URL bar.

It will render useless tools like Firesheep, a Firefox add-on that lets people easily capture HTTP session cookies that sites use to communicate with computers. Firesheep was released at ToorCon last month.

HSTS is used in Google Chrome and the NoScript and Force-TLS Firefox plug-ins and is being implemented in the upcoming version of FireFox, according to a blog post by Jeff Hodges, a security engineer at PayPal. Hodges wrote the original draft specification for HSTS with Collin Jackson, a former Googler and current assistant research professor at Carnegie Mellon University Silicon Valley, and Adam Barth, a Google engineer.

“This allows for full-session encryption,” Jackson told CNET. “A user won’t see an insecure version of the site.”

PayPal and other Web sites have started to use the feature and more are waiting to adopt it once it is implemented in more browsers, he said. “We’re waiting on Microsoft to pick it up,” Jackson said.

Asked if Microsoft is considering using HSTS in Internet Explorer, a spokesperson provided this comment: “We don’t support it in IE9 but are committed to delivering trusted browsing experience and will continue to listen to customers.”

Credit to Cnet