HSTS Update

Bruce Morton

HTTP Strict Transport Security (HSTS) will soon be finalized and available as an IETF standard. The draft specification is at version 11 and the IESG has put out a last call for comments.

HSTS is a security policy mechanism where a Web server tells a supporting browser that it may only connect to it over secure connections (i.e., SSL/TLS). HSTS allows website operators to force secure connections with users that are using an HSTS-supporting browser. Supporting browsers include: Google Chrome 4+, Firefox 4+ and Opera 12.
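To make the mechanism concrete, here is an added example (not code from the original post, and not any browser's actual implementation) that models the browser side of HSTS as specified in RFC 6797: parsing the `Strict-Transport-Security` header, honouring it only when it arrived over an HTTPS response, remembering the policy for `max-age` seconds (with optional `includeSubDomains`), and rewriting later `http://` requests to `https://`. The clock is injectable so expiry can be exercised; the URLs and header values are constructed sample inputs.

```python
"""Minimal model of browser-side HSTS handling (RFC 6797 semantics).
Added example; not from the original post or any real browser."""
import ipaddress
import re
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

HEADER = "strict-transport-security"  # header names are case-insensitive


@dataclass
class HstsPolicy:
    expires: float            # absolute time (seconds since epoch) when the policy lapses
    include_subdomains: bool  # whether the policy also covers subdomains of the host


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains) or None if the value is invalid.
    Directives are ';'-separated, names are case-insensitive, max-age is
    required, a directive may appear only once, and unknown directives are
    ignored for forward compatibility.
    """
    max_age = None
    include_sub = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # max-age value may be a quoted string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", val):
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


def _is_ip_literal(host):
    """HSTS applies to domain names only; IP-address hosts are ignored."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class HstsStore:
    """Per-browser policy store: learns policies from responses, upgrades requests."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock (used by the tests)
        self._policies = {}      # host -> HstsPolicy

    def process_response(self, url, headers):
        """Record (or clear) a policy. Only a response received over HTTPS
        may set one; the header on a plain-HTTP response is ignored.
        Returns True if the header was accepted and acted upon."""
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme != "https" or not host or _is_ip_literal(host):
            return False
        value = next((v for k, v in headers.items() if k.lower() == HEADER), None)
        if value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self._policies.pop(host, None)   # max-age=0 tells the browser to forget the host
        else:
            self._policies[host] = HstsPolicy(self._now() + max_age, include_sub)
        return True

    def _matching_policy(self, host):
        """Find a live policy for host; expired policies are dropped on the way."""
        for known, policy in list(self._policies.items()):
            if policy.expires <= self._now():
                del self._policies[known]
                continue
            if host == known or (policy.include_subdomains and host.endswith("." + known)):
                return policy
        return None

    def should_upgrade(self, url):
        """True if an http:// URL must be rewritten to https:// before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return False
        return self._matching_policy(parts.hostname) is not None

    def rewrite(self, url):
        """Return the https:// form of url when a policy applies, else url unchanged.
        An explicit port 80 becomes 443; any other explicit port is kept as-is."""
        if not self.should_upgrade(url):
            return url
        parts = urlsplit(url)
        netloc = parts.netloc
        if parts.port == 80:
            netloc = parts.hostname + ":443"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The two checks a practitioner most often gets wrong are both in `process_response`: the header only counts when it arrives over HTTPS (an active attacker on a plain-HTTP connection could otherwise inject or strip it), and `max-age=0` is a deliberate "forget me" signal rather than an error.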

I have spoken about HSTS before in a previous blog post and will update again once it has been finalized.

Updated October 3, 2012: Jeff Hodges announced that HSTS has been approved by IESG as a proposed standard RFC.

Updated November 21, 2012: HSTS has been published as RFC 6797.

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.

