HTTP Strict Transport Security Becomes Internet Standard
angry tapir writes "A Web security policy mechanism that promises to make HTTPS-enabled websites more resilient to various types of attacks has been approved and released as an Internet standard — but despite support from some high-profile websites, adoption elsewhere is still low. HTTP Strict Transport Security (HSTS) allows websites to declare themselves accessible only over HTTPS (HTTP Secure) and was designed to prevent hackers from forcing user connections over HTTP or abusing mistakes in HTTPS implementations to compromise content integrity."
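The mechanism the summary describes, as an added example that is not part of the original article or any of the comments: a minimal HSTS policy store modelled on RFC 6797. It parses a Strict-Transport-Security response header, records the policy for the host, and decides whether a later plain-http URL must be rewritten to https. The behaviour it encodes (honour the header only over TLS, require max-age, treat max-age=0 as revocation, apply includeSubDomains to parent domains, never apply to IP literals, map an explicit port 80 to 443) follows the RFC; the host names, header values and clock values are constructed for illustration.

```python
"""Toy HSTS policy store after RFC 6797 (added example, not the page's code)."""
import ipaddress
import time
from urllib.parse import urlsplit, urlunsplit


class HSTSStore:
    """Remembers 'HTTPS only' declarations and upgrades http:// URLs."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, eases testing expiry
        self._policies = {}             # host -> (expiry_timestamp, include_subdomains)

    @staticmethod
    def parse_header(value):
        """Return (max_age, include_subdomains) or None if the header is invalid.

        RFC 6797 section 6.1: directives are ';'-separated, names are
        case-insensitive, max-age is mandatory, a directive may appear only
        once, unknown directives are ignored.
        """
        max_age, include_sub, seen = None, False, set()
        for part in value.split(";"):
            part = part.strip()
            if not part:
                continue
            name, _, val = part.partition("=")
            name = name.strip().lower()
            if name in seen:
                return None                       # duplicated directive
            seen.add(name)
            if name == "max-age":
                val = val.strip().strip('"')      # quoted-string form is allowed
                if not val.isdigit():
                    return None
                max_age = int(val)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return None
        return max_age, include_sub

    def process_response(self, host, over_tls, header_value):
        """Record the policy carried by a response. Returns True if it was applied."""
        if not over_tls:
            return False                          # section 8.1: ignore HSTS over plain HTTP
        parsed = self.parse_header(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self._policies.pop(host, None)        # max-age=0 revokes the policy
            return True
        self._policies[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host (or a parent with includeSubDomains) has a live policy."""
        if not host:
            return False
        try:
            ipaddress.ip_address(host)
            return False                          # section 8.3: never for IP literals
        except ValueError:
            pass
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expiry, include_sub = policy
            if expiry <= self._now():
                del self._policies[candidate]     # expired entry, forget it
                continue
            if i == 0 or include_sub:
                return True
        return False

    def upgrade(self, url):
        """Rewrite an http:// URL to https:// when a policy covers its host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port == 80:
            netloc += ":443"                      # section 8.3: explicit 80 becomes 443
        elif parts.port is not None:
            netloc += f":{parts.port}"            # any other explicit port is preserved
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HSTSStore()
    # constructed sample: first visit over TLS sets the policy for the whole domain
    store.process_response("example.com", True, "max-age=31536000; includeSubDomains")
    print(store.upgrade("http://www.example.com/login?next=/"))
```

The store is per-user-agent state, which is the point of the design: once a host has been seen over HTTPS with this header, the browser refuses to send the next request in the clear even if a network attacker or a stray http:// link tries to make it. The first visit is the remaining gap; the preload list exists to close it, and is out of scope for this example.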
Re:How to easily add HTTPS to a website? (Score:4, Interesting)
SSL certificates are not the problem: https://cert.startcom.org/
The problem is that some browsers (mainly IE on XP) don't support SNI, so your website needs a dedicated IPv4.
If you manage the machine, you can get a VPS with a dedicated IP for almost nothing (I pay $3/month), but managed web hosting is another issue.
Re:Server Load (Score:4, Interesting)
HTTPS-only is a hack from a lack of foresight and breaks caching.
What we need is a signature-only system for content that isn't private. There's no reason to encrypt the front page images on CNN to each user, but signing them so they are provably from CNN is valuable.