Researchers are wielding the same strange properties that drive quantum computers to create hack-proof forms of data encryption.

Recent advances in quantum computers may soon give hackers access to machines powerful enough to crack even the toughest of standard internet security codes. With these codes broken, all of our online data -- from medical records to bank transactions -- could be vulnerable to attack.

To fight back against the future threat, researchers are wielding the same strange properties that drive quantum computers to create theoretically hack-proof forms of quantum data encryption.

And now, these quantum encryption techniques may be one step closer to wide-scale use thanks to a new system developed by scientists at Duke University, The Ohio State University and Oak Ridge National Laboratory. Their system is capable of creating and distributing encryption codes at megabit-per-second rates, which is five to 10 times faster than existing methods and on par with current internet speeds when running several systems in parallel.


The researchers demonstrate that the technique is secure from common attacks, even in the face of equipment flaws that could open up leaks.

“We are now likely to have a functioning quantum computer that might be able to start breaking the existing cryptographic codes in the near future,” said Daniel Gauthier, a professor of physics at The Ohio State University. “We really need to be thinking hard now of different techniques that we could use for trying to secure the internet.”

The results appear online Nov. 24 in Science Advances.

To a hacker, our online purchases, bank transactions and medical records all look like gibberish due to ciphers called encryption keys. Personal information sent over the web is first scrambled using one of these keys, and then unscrambled by the receiver using the same key. 

For this system to work, both parties must have access to the same key, and it must be kept secret. Quantum key distribution (QKD) takes advantage of one of the fundamental properties of quantum mechanics -- measuring tiny bits of matter like electrons or photons automatically changes their properties -- to exchange keys in a way that immediately alerts both parties to the existence of a security breach. 

Though QKD was first theorized in 1984 and implemented shortly thereafter, the technologies to support its wide-scale use are only now coming online. Companies in Europe now sell laser-based systems for QKD, and in a highly-publicized event last summer, China used a satellite to send a quantum key to two land-based stations located 1200 km apart.

The problem with many of these systems, said Nurul Taimur Islam, a graduate student in physics at Duke, is that they can only transmit keys at relatively low rates -- between tens and hundreds of kilobits per second -- which are too slow for most practical uses on the internet.

“At these rates, quantum-secure encryption systems cannot support some basic daily tasks, such as hosting an encrypted telephone call or video streaming,” Islam said.

Like many QKD systems, Islam’s key transmitter uses a weakened laser to encode information on individual photons of light. But the team found a way to pack more information onto each photon, making their technique faster.

By adjusting the time at which the photon is released, and a property of the photon called the phase, their system can encode two bits of information per photon instead of one. This trick, paired with high-speed detectors developed by Clinton Cahall, graduate student in electrical and computer engineering, and Jungsang Kim, professor of electrical and computer engineering at Duke, powers their system to transmit keys five to 10 times faster than other methods.

“It was changing these additional properties of the photon that allowed us to almost double the secure key rate that we were able to obtain if we hadn’t done that,” said Gauthier, who began the work as a professor of physics at Duke before moving to OSU.


In a perfect world, QKD would be perfectly secure. Any attempt to hack a key exchange would leave errors on the transmission that could be easily spotted by the receiver. But real-world implementations of QKD require imperfect equipment, and these imperfections open up leaks that hackers can exploit.

The researchers carefully characterized the limitations of each piece of equipment they used. They then worked with Charles Lim, currently a professor of electrical and computer engineering at the National University of Singapore, to incorporate these experimental flaws into the theory.

“We wanted to identify every experimental flaw in the system, and include these flaws in the theory so that we could ensure our system is secure and there is no potential side-channel attack,” Islam said.

Though their transmitter requires some specialty parts, all of the components are currently available commercially. Encryption keys encoded in photons of light can be sent over existing optical fiber lines that burrow under cities, making it relatively straightforward to integrate their transmitter and receiver into the current internet infrastructure.

“All of this equipment, apart from the single-photon detectors, exists in the telecommunications industry, and with some engineering we could probably fit the entire transmitter and receiver in a box as big as a computer CPU,” Islam said.

This research was supported by the Office of Naval Research Multidisciplinary University Research Initiative program on Wavelength-Agile QKD in a Marine Environment (N00014-13-1-0627) and the Defense Advanced Research Projects Agency Defense Sciences Office Information in a Photon program. Additional support was provided by Oak Ridge National Laboratory, operated by UT-Battelle for the U.S. Department of Energy under contract no. DE-AC05-00OR22725, and National University of Singapore startup grant R-263-000-C78-133/731.

CITATION:  "Provably Secure and High-Rate Quantum Key Distribution With Time-Bin Qudits," Nurul T. Islam, Charles Ci Wen Lim, Clinton Cahall, Jungsang Kim and Daniel J. Gauthier. Science Advances, Nov. 24, 2017. DOI: 10.1126/sciadv.1701491

Source: This article was published on today.duke.edu by Kara Manke


Last week, I set out my reasons for expecting serious civil liberties and privacy problems under a Trump presidency. I strongly recommended that you take steps to protect yourself — steps I’m going to outline shortly.

We now live under conditions that would make the great authoritarians of yore salivate with envy. Government’s capacity to monitor us has never been greater. And, as that capacity advances, politicians and bureaucrats adjust their understanding of privacy and constitutional liberties in ways that allow them to use it.

The only thing that prevents them from defining those things out of existence entirely is the residual respect for constitutionality held by those in key positions. As I argued last week, evidence of such respect is very thin indeed in the incoming Trump administration.


That’s why, love him or hate him, you need to be prepared…

Privacy Is Your Responsibility

No matter who’s in charge, government always finds a way to justify new methods to invade our privacy.

For example, the Justice Department’s legal rationale for monitoring our emails and phone calls is based on the old-fashioned postal letter. Back when snail mail was king, courts ruled that any information on the outside of a letter — addressee, return address, place of posting — was in the public domain, and therefore available to government investigators. That’s why the post office scans and records every single piece of mail in the U.S. … every day.

That logic now applies to the metadata of every call you make and every email you send. Soon it may apply to your Web browsing history as well. I simply don’t trust Trump’s key appointees to resist that logic. So, here’s what I recommend:

  1. Get Signal and/or WhatsApp for mobile messages: Signal is a sophisticated Swiss messaging app that fully encrypts all your text messages. It requires both parties to use it, so it isn’t ideal for everything. Nevertheless, Moxie Marlinspike, the founder of Open Whisper Systems, Signal’s developer, says there has been a huge expansion in their user base since the election. So you’ll probably find more Signalers on your contact list as time goes on. WhatsApp is an alternative that encrypts your messaging and VoIP calls. It isn’t as secure as Signal because it’s owned by Facebook, whose approach to court orders is uncertain, but for ordinary purposes it will prevent real-time monitoring of your communications.
  2. Encrypt your computer’s hard drive: As I describe in Privacy Code 2.0, full disk encryption makes the contents of your computer totally unintelligible to anyone without the password. For example, if you are stopped by Homeland Security upon return to the U.S., your laptop can be searched before you officially enter the U.S. But if it’s encrypted, no law says you must divulge the password. Both Apple and Windows computers have automatic encryption built in if you activate it. That’s fine for most purposes, but if you want added security, a free, easy-to-use open-source encryption utility can be found here.
  3. Get a password manager: Using secure apps and utilities like those above means having passwords — lots of them. Don’t write them on your palm. Get a password manager that stores them (encrypted, of course) in one place and generates and even changes passwords for you. Personally, I use Dashlane. Other good password managers are 1Password and KeePass. I don’t recommend LastPass, another popular one, because they allowed themselves to be hacked last year. That’s just not good enough.
  4. Use two-factor authentication: Most email programs, cloud storage utilities, banking apps, social media and other sensitive applications these days offer two-factor authentication (TFA). TFA requires that every time you sign in, you go through a secondary layer of security: a code to enter at login that is sent to your phone via text message. Some offer such codes via email, but don’t use it. If hackers gain access to your email, they can get access to your accounts by having TFA codes sent to them.
  5. Use HTTPS Everywhere: My friends at the Electronic Frontier Foundation developed a browser plug-in for Firefox and Chrome that forces websites you visit to use the most secure connection protocol. If encryption is available on the site you visit, your connection to the site will be encrypted, and you will be protected from various forms of surveillance and hacking during that session.
  6. Don’t rely on your browser’s “incognito mode” to do things it wasn’t meant to do: Browsers like Chrome, Safari, Opera, Firefox and Microsoft Edge allow you to start a browsing session that doesn’t record anything you do during that session. Any websites visited, cookies downloaded or other connection stats will be wiped clean when you end the session. “Private” browsing modes thus protect you from searches of your computer. But unless you’re connecting to an encrypted site (via HTTPS Everywhere, for example), whoever operates the site can collect all your browsing data anyway since it is recorded by the site’s server.
  7. Use DuckDuckGo for sensitive searches: If you’re not convinced that Google’s motto “do no evil” is anything more than a marketing ploy, use DuckDuckGo, an alternative search engine that doesn’t record your searches or anything else about you. It produces great results, so you won’t really lose much by using it instead of Google.
  8. Use a virtual private network (VPN): As my privacy report explains, a VPN is the best all-around protection you can get on the Internet, because it encrypts everything you do, including your identity and location. VPNs can be used on both your computers and your phones. That’s important, because as Eva Galperin, global-policy analyst at the Electronic Frontier Foundation, says, “Logging into airport Wi-Fi without using a VPN is the unprotected sex of the Internet.” As a bonus, you can also use a VPN to spoof your location and gain access to region-locked streaming content, like Amazon Prime, when you are abroad. The only downside is that they slow your connection a bit. VPNs are provided by specialized hosting companies that charge about $5 a month for the service. A good selection can be found here.


These techniques make some or all of your electronic communications and data instantly invisible to anyone. They use levels of encryption that would take a bank of supercomputers hundreds of years to break.

When it comes to protecting your privacy, now is the time … because afterward is too late.

Author:  The Sovereign Investor

Source:  http://www.valuewalk.com/


Looming behind the excitement at SC16 around new digital enterprise strategies is the growing menace of cyber-attacks. But in spite of these worries, the state of cybersecurity readiness at too many companies is woefully inadequate. 

That’s the finding of Bob Sorensen, research vice president, HPC Group, at industry watcher IDC delivered at the analyst group’s annual HPC Update breakfast at SC16 this week in Salt Lake City. Sorensen’s message: If your company has the characteristics of a cybersecurity “worst practitioner” (which tends to be among public utilities, hospitals and universities – manufacturers are generally “middle of the pack”), the time to adopt new cybersecurity strategies is now.

IDC conducted a study of cybersecurity at 62 large companies in the U.S. and Europe across the financial services, technology, manufacturing, retail, hospital and academic sectors. Here are excerpts of his comments:

The State of Cybersecurity

The key concerns that came out in our study: Most US companies are underprepared to deal with cybersecurity threats. Even though there are lots of good best practices, they’re only being conducted by a small number of leading-edge firms. On average, firms are not availing themselves of what’s readily available, and that’s a cause for concern.

Detecting a breach can take up to two years. That’s really a disturbing concept, that someone could be nosing around corporate data that’s not only unprotected, not just to steal data, but to change it. Data integrity is a concern, the idea that the data you’re using to make critical decisions in research or business process environments may not be the right data, it may have been changed for nefarious reasons. It’s one of the silent concerns.


The Big Fear: Reputation Damage

One of the things we found with the Target breach, a very public intrusion, is that Target really didn’t take a huge financial hit on the actual intrusion itself. There was insurance in place, there was pushing off losses to the finance companies that Target deals with.

What we found, what really scares companies, isn’t the loss of dollars, it’s the loss of reputation, which brings with it a future loss of income that you simply cannot determine. Companies…can buy insurance for a particular hit, that’s a known quantity, but what they can’t do is figure out how that affects their line of business down the line. Which speaks in some sense to the idea that there’s probably a lot of cyber-attacks we’re not finding out about simply because it benefits these companies greatly to keep attacks under wraps as long as possible.

Malware Manners

We heard this time and again: malware people are conducting themselves in a very proper and organized manner. The thinking with a lot of them is…they don’t charge too much because they don’t want to kill the goose that laid the golden egg. (Malware practitioners think of it as) a very refined, respectable business to be in. You come in and say: ‘Give us some money and we’ll go away.’ You give them money and they do go away because if they don’t, no one’s going to give them more money. And if they ask for too much money there are going to be problems. So right now it’s a very genteel world out there for malware.

Conflicting Priorities: Security and Access


There’s a major tradeoff between security and easy access (to the network and to data). It’s something every business has to deal with. We asked questions about balancing security and processes, and the underlying goal is: ‘We have to do both, we can’t sacrifice our business plan for our cybersecurity.’ We found time and again even among the best practitioners in data security: Job 1 is conducting business, and that process is king. This is handed down from the board of directors of the company, and then they tell cybersecurity teams, ‘Make us secure under this realm.’

Proliferating Points of Attack

Heterogeneity is a problem: the idea of ‘bring your own device,’ multiple operating systems, clouds. There are lots and lots of end points out there, lots of ways to enter a network, and these are things cybersecurity folks are definitely worried about.

We talked to the cybersecurity chief at Nike; he said he has 59 (network) access points to worry about every day because he has to make sure everyone who gets on the Nike website, who wants to look at the newest and latest sneaker, has access, can order, can conduct business. That’s his job, and he has to work within those confines.

There is increasing access from the network edges. The one I would point out is suppliers. Supply chain issues I think are really interesting. More and more large industrial companies are increasingly tied electronically to their supply chain, and that is a real vulnerability….

Worst Practices: Wait and See

A lot of the worst practitioners really just buy insurance…. The worst practitioners time after time said, ‘We have the best tools, life has got to be good.’ The story we like to repeat: the companies that seem to be most sanguine with their cybersecurity infrastructure say: ‘We’ve never been hit before so we must be doing something right.’ They weren’t terribly forward looking when it came to actually making sure they were more secure….

Everybody (in the survey) had data breach plans, but… a lot of them were not IT-related. The thinking wasn’t to gather up forensics and figure out how to plug holes. It was how to deal with the publicity aspect, the legal aspects, the privacy concerns, the possibility of getting sued. This surprised us….

Best Practices: People vs. People

One thing we found is that the best practitioners see this as a people vs people battle. This is not a tool war where as long as you have the best software, as long as you roll out the patches when you’re supposed to, then life is good. It’s really about finding, hiring and retaining the best people to go after the people who are trying to get at you.

Best Practices: Be Proactive

An interesting concept that we see is that proactive cybersecurity teams think in terms of educating the user base within their companies. They’re not just sitting back and making sure the patches are installed and making sure everyone changes their password every six months. It’s really more about reaching out…to the individual people within firms and making sure they understand their roles.


For example, one company closely watches social media. And they look for key events that they think could trigger a phishing attack. When it became known that Prince had died, they sent out an email to their entire company saying there’s a good chance you’re going to get an email in the next 24 hours asking if you want to see the Prince tribute video. So the idea is to proactively get employees to be aware of what their responsibilities are.

Another story we heard is about companies buying stolen credit card numbers. Not because they want to get involved in law enforcement but because it’s cheaper to buy stolen credit card numbers and put them in your database. So if someone tries to buy something with a stolen number you can kick them out. It’s an interesting, proactive way to do this.

So the good cybersecurity team isn’t waiting for problems, it’s going after solving them before they happen.


Data Scientists and Cybersecurity

Most companies aren’t using Big Data (for cybersecurity purposes) in the sense that we in the HPC community think about Big Data… When we asked companies why they weren’t using Big Data, they said they can’t find Big Data scientists who know how to do cybersecurity.

And when we went to companies that have lines of business that use smart data scientists, they said, ‘Yeah, they’re over there contributing to the bottom line of the company. We can’t bring them over to cybersecurity, they’re going to stay over there making money for the company.’

Virtual Cybersecurity Data Science

What I see in the future is really where HPC comes into play here. The goal for a lot of cybersecurity teams is real-time intrusion detection. They want to have a dashboard that tells them something odd has happened in the network. And a lot of folks think that deep learning – the idea that you have a system that monitors the steady state of the network and rises to the attention of humans where something has gone awry.

We’re going to see more efforts for high powered systems and deep learning to do real-time monitoring…almost as a way to get companies out of having to find data scientists. This might be an ultimate method toward dealing with cybersecurity… It’s something the HPC world is going to be involved in much more going forward.

Author:  Doug Black

Source:  https://www.hpcwire.com


How can you trust a secret if you can't tell where it came from? Today, we are excited to share that the Internet Society is a proud supporter of the Cryptech initiative. From the website introduction:

Recent revelations have called into question the integrity of some of the implementations of basic cryptographic functions and devices used to secure communications on the Internet. There are serious questions about algorithms and about implementations of those algorithms in software and particularly hardware.

We are therefore embarking on development of an open hardware cryptographic engine that meets the needs of high assurance Internet infrastructure systems that rely on cryptography. The open hardware cryptographic engine will be of general use to the wider Internet community, covering needs such as secure email, web, DNS, PKIs, etc.

In his recent blog post on Pervasive Internet Surveillance, Phil Roberts enumerated some of the technical efforts underway in the IETF as a result of this past year’s ongoing revelations about unwarranted surveillance and data collection. The IETF is not the only organization involved in attempts to block or mitigate what some have characterized as an attack on the Internet itself. Recent announcements include attempts to secure email (ProtonMail, Darkmail, etc.), to secure your mobile phone (Blackphone), to put better tools in the hands of end users (leap.se), and to provide private messaging services (jabber/otr), to name just a few. There are also serious efforts to secure the routing and domain name infrastructure, which rely on underlying methods for generating and protecting strong keys for encryption.


All of these projects depend on strong encryption and strong keys as tools to both establish trust and to protect sensitive data. Sadly, trust in many of the components needed to achieve real secrecy has been undermined. Core components such as entropy, cryptographic algorithms, and purpose-built hardware have all been compromised. Some of this has been malicious, some was the result of pressure from governments, some was due to the failure of business practices in deployment, and some was the result of underfunded and understaffed volunteer efforts in maintaining widely used software. The combined result has led to widespread doubt in formerly trusted institutions, developers, and vendors. For many, even those using these products and tools as part of their critical infrastructure, the process of key generation and key management is a black box.

Here is the paradox: how can you trust the generated secrets if you can't tell how the box was made? The Cryptech project poses the following riddle: when do you want your black box to be transparent? The answer: while you're building and configuring your own particular box.

The Cryptech effort began in late 2013 with a small group of engineers at a side meeting at IETF 88 in Vancouver. The project has strong support from the IETF and IAB chairs but the project is not limited to IETF participation. While early use cases included IETF protocols such as RPKI and DNSSEC, there was also interest from Certificate Authorities, the TOR Project, and others. Cryptech is aimed at those processes requiring a very high degree of assurance – normally provided by purchasing a Hardware Security Module (HSM) – but in this case they will replace the closed box with an open one. One of the project objectives says: 

“The intent is that the resulting open hardware cryptographic engine can be built by anyone from public hardware specifications and open-source firmware. Anyone can then operate it without fees of any kind.”

Stephen Farrell, an IETF Security Area Director, had this to say in supporting the project:

“The particular aspect that the cryptech folks are addressing is that there is somewhat of a crisis of confidence in the implementation of the cryptographic functions that underpin our most important Internet protocols. These functions are required for securing the web and for many other aspects of Internet infrastructure such as DNS security and routing security. Cryptech and the team that has been assembled could significantly help to alleviate these specific concerns by producing open-source hardware designs that can be directly used or re-implemented by others. A significant benefit of that is to provide confidence that the design and implementation is as free from potential nation-state or other interference as can be. While it may never be possible to achieve 100% confidence in that, it is definitely technically possible (though non-trivial) to do far better than we have to date – today we essentially have a choice between pure software cryptography or commercial hardware products for which its impossible to see what's "under the hood."”

The Internet Society is in strong agreement with this statement and has been an early supporter of this effort. We are actively encouraging additional partners. The project will need steady funding sources, active coders, good community review, and additional experts to audit and validate the project outputs.

The Cryptech team has been evangelizing the project and will be on hand at IETF 90 for a project update. The briefing will be held on Wednesday, 23 July, during the lunch hour in the Quebec room of the Fairmont Royal York Hotel in Toronto. Please come and bring your questions and your inputs.

Details of the Cryptech project can be found here: https://wiki.cryptech.is. The project is hosted by SUNET, but participants come from a variety of sources including academia, the open hardware and software communities, the TOR project, and the IETF. The team is committed to a transparent development process and early code is available at https://cryptech.is/browser

Please join us in this effort to help make the Internet a safer place.

Source:  internetsociety.org


One responsibility Facebook has toward its users is to ensure that their accounts are not easily hackable. This means building security systems, but there is always a problem: the most vulnerable point of any online system is the user who does not take proper care of their own information.

This usually comes in the form of insecure and reused passwords. Then, no matter if the company built Fort Knox: if someone has your email address and your password is "123456", your only chance of not being hacked is to have two-step authentication enabled. Face it: if your password really is "123456", you probably also have not activated the second verification step.

However, Facebook has taken a very unorthodox approach to dealing with this problem. Alex Stamos, the company's chief security officer, told CNET today that the company negotiates directly with cybercriminals on the deep web to buy databases of passwords stolen by hackers.

The fact is that these stolen databases end up revealing a great deal about human behavior on the Internet. By analyzing a huge number of passwords, you can see patterns of which ones recur most often, and are therefore the most fragile. In a database of 1 million passwords, imagine how many "123456" entries will turn up. Suddenly, you can see that many people are using the password "kittens", and that it has become dangerous.


By purchasing these stolen databases, Facebook can do this analysis and compare the results against its own (encrypted, admittedly) password database. Stamos says that through this work, which is quite heavy for the company's computers, the social network was able to alert tens of millions of users that their passwords were not safe.

The executive explains that Facebook has the tools to offer users more security, such as the aforementioned two-step authentication. It is the person's prerogative to use these tools or not, but the company says it is its responsibility to take care of those who choose not to activate them.
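An added example (not Facebook's code) of the two steps the article describes: frequency analysis of a leaked dump, and matching that dump against a site's own salted-hash password store to find the users who should be alerted. The dump, the user names and the salted-SHA-256 scheme are constructed assumptions for the example; a real store would use a slow hash such as bcrypt or scrypt, which makes the per-user re-hashing even heavier.

```python
"""
Defender-side use of a leaked credential dump.

(1) Find the most frequent passwords in the dump (the weakest ones).
(2) Check whether any of the site's own users use a leaked password,
    without the site ever holding plaintext passwords.

Example written for this page; not Facebook's code. The user store uses a
per-user random salt with SHA-256 for brevity (assumption); production stores
use a slow, memory-hard hash such as bcrypt or scrypt.
"""
import hashlib
import os
from collections import Counter

# Constructed sample "stolen database": plaintext strings as they appear in
# typical dumps. Not real data.
LEAKED_DUMP = [
    "123456", "password", "kittens", "123456", "qwerty",
    "kittens", "123456", "letmein", "kittens", "Tr0ub4dor&3",
]


def most_common_passwords(dump, top=3):
    """Frequency analysis: the most repeated strings are the most fragile."""
    return Counter(dump).most_common(top)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted hash of one password (assumed scheme, see module docstring)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_user_store(credentials):
    """Build a {user: (salt, digest)} store from {user: password}.
    The plaintext is discarded once hashed."""
    store = {}
    for user, pw in credentials.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(pw, salt))
    return store


def users_with_leaked_passwords(store, dump):
    """Return the set of users whose password appears anywhere in the dump.

    Because every user has a distinct salt, each candidate string must be
    re-hashed once per user; that is the 'quite heavy' computation the
    article mentions, and it grows with (users x distinct leaked strings)."""
    candidates = set(dump)  # dedupe so each distinct string is hashed once per user
    at_risk = set()
    for user, (salt, digest) in store.items():
        for candidate in candidates:
            if hash_password(candidate, salt) == digest:
                at_risk.add(user)
                break  # one match is enough to warrant an alert
    return at_risk


if __name__ == "__main__":
    # Constructed users; "bob" uses a passphrase that is not in the dump.
    store = make_user_store({
        "alice": "kittens",
        "bob": "correct horse battery staple",
        "carol": "123456",
    })
    print("most common leaked:", most_common_passwords(LEAKED_DUMP, top=2))
    print("users to alert:", sorted(users_with_leaked_passwords(store, LEAKED_DUMP)))
```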

Source:  olhardigital.uol.com.br


Amnesty International ranked well-known services, with Apple coming second on the list with its iMessage and FaceTime apps.

"We are already in an age where incredible amounts of people's personal data is online and that is rapidly increasing," says Joe Westby, a technology researcher for the human rights group.

Snapchat and Skype were much lower down the list and Westby warns that "there won't be any privacy in the future".

Part of the research looked at how open companies are to requests for data from governments.

"To date, Snapchat has not received any formal government demands for a 'backdoor' but if the day was to come then we would oppose it, just like any other measure that would compromise [user] security," the firm told Newsbeat.

Researchers also looked at whether "end-to-end" security comes as standard on the most used platforms.

End-to-end refers to a type of secure communication that prevents anyone else from accessing your data while it's transferred from one system or device to another.


"Only 10 years ago nobody had smartphones and in 10 years time everything will be online - from your kettle to your house," Joe Westby says.

"So we need to put in place these privacy protections now otherwise there won't be any privacy in the future."


Your data and your human rights

"Online threats are growing, from cyber criminals who may be seeking to steal people's identity to massive government snooping that we have seen exposed recently.

Most 'secure' app providers, according to Amnesty International

    • Facebook Messenger and WhatsApp
    • Apple
    • Telegram
    • Google
    • Line
    • Viber
    • Kakao Inc
    • Skype
    • Snapchat
    • Blackberry
    • Tencent

"That is where government agencies hoover up loads of data about people and we argue that's a breach of everybody's human rights."

End-to-end encryption helps ensure that nobody can read your content or see your pictures except for the people in the conversation.

Amnesty is putting pressure on companies to "protect everybody using these apps".

But it's not all about encryption

The study also looked at how well each company recognises online threats to users' privacy and freedom of expression.

The campaign group thinks tech firms should disclose details of government requests for user data.

No app is being named 'completely secure' but...

The Signal app is "often seen as the gold standard in security" and "it is a service which a lot of cyber security experts, like Edward Snowden, have endorsed as a particularly secure tool" according to the research.

But they didn't include it in the rankings as it's not considered a mainstream platform.

Source:  bbc.co.uk


On Friday, Google's security team announced that it had finished implementing HSTS support for all of the company's products running on the google.com domain.

The move comes after months of testing to make sure the feature covered all the services, including APIs, not just the main Web interfaces.

HSTS stands for HTTP Strict Transport Security and is a Web security protocol supported by all of today's browsers and Web servers.

HSTS protects HTTPS against several SSL attacks

The technology allows webmasters to protect their service and their users against HTTPS downgrades, man-in-the-middle attacks, and cookie hijacking for HTTPS connections.

The protocol prevents users from going back to an HTTP connection when accessing Google over HTTPS, and forcibly redirects them to HTTPS connections when possible.

The technology is widely regarded as the best way to protect HTTPS connections against the most common attacks on SSL but has not been widely adopted.

95% of HTTPS websites still don't use HSTS

A study from Netcraft conducted last March showed that 95% of all servers running HTTPS either fail to set up HSTS or come with configuration errors. As such, Google's team has spent a great amount of time testing.

"Ordinarily, implementing HSTS is a relatively basic process," Google's Jay Brown, Sr. Technical Program Manager, explained on Friday. "However, due to Google's particular complexities, we needed to do some extra prep work that most other domains wouldn't have needed to do. For example, we had to address mixed content, bad HREFs, redirects to HTTP, and other issues like updating legacy services which could cause problems for users as they try to access our core domain."

During HSTS tests, Brown says that the team managed to break Google's famous Santa Tracker last December. The problem was fixed, but this only goes to show the wide spectrum of products the engineers had to ensure were working properly after HSTS deployment.
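As an added illustration (not Google's or Netcraft's code) of the behaviour described above, the following Python models a browser's HSTS policy store: it parses a `Strict-Transport-Security` header, honours it only when received over HTTPS, rewrites later `http://` requests to `https://` while the policy is unexpired (respecting `includeSubDomains`), and flags the configuration mistakes (missing or zero `max-age`, duplicate directives) that leave a site effectively without HSTS. The host names and the one-day "short max-age" warning threshold are constructed for the example.

```python
"""
Minimal model of a browser's HSTS policy store (RFC 6797 semantics).
Example written for this page; not Google's or Netcraft's code.
"""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

SHORT_MAX_AGE = 24 * 3600  # constructed threshold for the "short max-age" warning


@dataclass
class Policy:
    expires_at: float        # absolute time at which the policy lapses
    include_subdomains: bool


def parse_hsts(header: str):
    """Parse an STS header value.

    Returns (max_age, include_subdomains, problems). max_age is None when the
    header would be ignored by a browser; problems lists misconfigurations."""
    problems, seen = [], set()
    max_age, include_sub = None, False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:  # RFC 6797: a directive must not appear twice
            problems.append(f"duplicate directive '{name}'")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                max_age = int(value)
            else:
                problems.append("max-age is not a non-negative integer")
        elif name == "includesubdomains":
            include_sub = True
        elif name != "preload":  # preload is a well-known extension; others are ignored
            problems.append(f"unknown directive '{name}' (ignored)")
    if max_age is None:
        problems.append("missing max-age: browsers ignore the whole header")
    elif max_age == 0:
        problems.append("max-age=0 removes the policy rather than setting one")
    elif max_age < SHORT_MAX_AGE:
        problems.append("short max-age: protection lapses soon after the last visit")
    return max_age, include_sub, problems


class HstsStore:
    """Per-host HSTS policies, as a browser keeps them."""

    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be tested
        self.hosts = {}

    def observe(self, url: str, header: str) -> bool:
        """Record the STS header of a response to `url`.
        Only responses received over HTTPS may set a policy (RFC 6797)."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        max_age, inc, _ = parse_hsts(header)
        if max_age is None:
            return False
        host = parts.hostname
        if max_age == 0:
            self.hosts.pop(host, None)  # explicit removal of the policy
        else:
            self.hosts[host] = Policy(self.now() + max_age, inc)
        return True

    def _policy_for(self, host: str):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            pol = self.hosts.get(candidate)
            if pol is None:
                continue
            if pol.expires_at <= self.now():
                del self.hosts[candidate]  # expired: forget it
                continue
            if i == 0 or pol.include_subdomains:
                return pol
        return None

    def rewrite(self, url: str) -> str:
        """Return the URL the browser would actually fetch for `url`."""
        parts = urlsplit(url)
        if parts.scheme != "http" or self._policy_for(parts.hostname) is None:
            return url
        netloc = parts.netloc
        if netloc.endswith(":80"):  # port 80 becomes the https default (443)
            netloc = netloc[:-3]
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```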


