Web sites complying with the policy will automatically prompt browsers to interact with the site over a secure connection.
A Web security protocol designed to protect Internet users from Internet hijackings due to unencrypted Web sites has won approval as a proposed standard.
A elected committee for the Internet Engineering Task Force (IETF) approved a draft of HTTP Strict Transport Security (HSTS), an opt-in security protocol in which Web sites prompt browsers to always interact over a secure connection. Web browsers complying with the policy will automatically switch insecure links to a secure version of the site, using "https," without the Web surfer having to remember to type that in the URL bar.
HSTS is designed to protect against HTTP session hijacking, in which limited encryption used on many popular Web sites put user accounts at risk of compromise by someone snooping on session traffic between the user's computer and the site's server. Sites typically encrypt the username and password as they are transmitted, but unless the entire Web session is encrypted with someone sniffing the network could capture cookie information and use that information to access the user accounts.
The technology is already supported by sites and services such as PayPal, Blogspot, and Etsy. It's also included in the Chrome, Firefox 4, and Opera 12 Web browsers. However, Microsoft's Internet Explorer and Apple's Safari have not yet integrated HSTS.
