New web security policy mechanism on Google.com

in #google, 8 years ago

Google has taken an additional step to strengthen its transport encryption by implementing HTTP Strict Transport Security (HSTS).
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking. It allows a web server to declare that web browsers (or other complying user agents) should only interact with it over secure HTTPS connections, and never via the insecure HTTP protocol. Does steem do this?
While most of Google's traffic is already encrypted, Google's use of HSTS goes a step further by preventing users from mistakenly landing on HTTP URLs: the browser itself rewrites potentially unsafe HTTP URLs into HTTPS URLs before the request is sent. For instance, you might type a URL without a protocol and, without HSTS, find yourself on a plain-HTTP page. HSTS helps curb those issues, especially for less internet-savvy users.

HSTS also has a known privacy side effect: it can be used to tag visiting browsers with near-indelible, recoverable identifying data ("supercookies") that can persist in and out of a browser's "incognito" mode. A web page makes multiple requests to a selected set of domains and sets or omits an HSTS policy on each; on a later visit, which of those requests the browser upgrades to HTTPS and which it still sends over HTTP reveals the stored bits. With, for example, 20 different domains, 2^20 (about one million) visitors can be distinguished.
Google is looking to deploy the changes as soon as possible, but there is still some additional work to be done before everything is ready. In the meantime, however, HSTS is already active for www.google.com, and it will be extended to additional domains and Google products soon.

When a browser knows that a domain has enabled HSTS, it does two things:
1. Always uses an https:// connection, even when clicking on an http:// link or after typing a domain into the location bar without specifying a protocol.
2. Removes the ability for users to click through warnings about invalid certificates.
A domain instructs browsers that it has enabled HSTS by returning an HTTP header (Strict-Transport-Security) over an HTTPS connection; the same header received over plain HTTP is ignored.

Sources:
1. https://www.troyhunt.com/understanding-http-strict-transport/
2. https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
3. https://www.engadget.com/2016/07/29/google-hsts-encryption/
4. https://security.googleblog.com/2016/07/bringing-hsts-to-wwwgooglecom.html