Common use of HTTP Strict Transport Security (HSTS) Clause in Contracts

HTTP Strict Transport Security (HSTS). When a user enters a website name without specifying the protocol, the insecure “http” protocol is used by default, even if SSL/TLS (through the “https” protocol identifier) is available. A man-in-the-middle who controls the connection between the user’s computer and the bank can prevent the user from ever reaching the secure site by manipulating all replies from the bank [Marlinspike 2009]*. HTTP Strict Transport Security (HSTS) protects against man-in-the-middle attacks that exploit this initial insecure connection by means of an additional HTTP response header [Xxxxxx et al. 2012]*. This header instructs browsers that, for future visits within a specified time frame, only secure connections through SSL/TLS (“https”) may be used; browsers honour the header only when it arrives over such a secure connection, since over plain “http” an attacker could have injected or stripped it. To also protect the very first visit, browser updates ship a preloaded list of sites that should only be visited securely. (Retro)fitting a web server with HSTS support is quite simple, since only an HTTP response header has to be added to its existing configuration; the one caveat is that the site must be fully reachable over “https” before the header is deployed, because browsers will refuse to fall back to “http” until the policy expires. An example that allows only secure connections for a year is Strict-Transport-Security: max-age=31536000. Note that this one-year counter is reset every time the user visits the site over “https”, so it is unlikely ever to expire if the user visits the site regularly. Despite its simplicity, HSTS is only implemented by a few banks in our survey.
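The browser-side behaviour described above, as an added example that is not part of the surveyed paper or of any real browser: a small model of a browser's HSTS policy store following RFC 6797. It parses the Strict-Transport-Security header, ignores the header when it arrives over plain http, upgrades later http:// navigations to https://, honours includeSubDomains, re-arms the max-age timer on every https visit, and lets a policy lapse when a host is not revisited within max-age. The host names, URLs and timestamps in the walkthrough are constructed for illustration.

```python
# Toy model of a browser's HSTS policy store, following RFC 6797.
# Added example (not code from the surveyed paper or from any browser);
# host names, URLs and timestamps below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # the max-age value quoted in the text


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time (seconds) at which the policy lapses
    include_subdomains: bool   # whether the policy also covers *.host


def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None if the header is
    unusable: no max-age, a non-numeric max-age, or max-age given more than
    once (RFC 6797 tells the browser to ignore such a header). Unknown
    directives such as "preload" are skipped.
    """
    max_age, include_sub, max_age_count = None, False, 0
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            max_age_count += 1
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age_count != 1:
        return None
    return max_age, include_sub


class HstsStore:
    """The per-browser table of hosts that may only be reached over TLS."""

    def __init__(self) -> None:
        self.policies: Dict[str, HstsPolicy] = {}

    def process_response(self, url: str, headers: Dict[str, str], now: float) -> bool:
        """Record or refresh the policy carried by a response; True if the store
        changed. The header is honoured only when the response came over https:
        over plain http a man-in-the-middle could have injected it."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        sts = next((v for k, v in headers.items()
                    if k.lower() == "strict-transport-security"), None)
        parsed = parse_sts_header(sts) if sts is not None else None
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = (parts.hostname or "").lower()
        if max_age == 0:
            # max-age=0 is the server's way of telling browsers to forget the host
            return self.policies.pop(host, None) is not None
        # Every https visit re-arms the timer: expiry is always now + max-age,
        # so a regular visitor's policy never lapses.
        self.policies[host] = HstsPolicy(now + max_age, include_sub)
        return True

    def is_known_host(self, host: str, now: float) -> bool:
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            pol = self.policies.get(".".join(labels[i:]))
            if pol is None or pol.expires_at <= now:
                continue  # no entry, or the entry has expired
            if i == 0 or pol.include_subdomains:
                return True
        return False

    def rewrite_request(self, url: str, now: float) -> str:
        """Upgrade an http:// URL to https:// when the host is covered (RFC 6797, 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_host(parts.hostname or "", now):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def walkthrough() -> Dict[str, str]:
    """Replay the scenario from the text with constructed data: the first TLS
    visit sets the policy, later http:// navigations are upgraded, and a
    regular visitor's policy never expires."""
    store = HstsStore()
    t0 = 1_700_000_000.0
    sts = {"Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains"}
    store.process_response("http://bank.example/", sts, t0)   # over http: ignored
    out = {"after_http_only": store.rewrite_request("http://bank.example/login", t0 + 1)}
    store.process_response("https://bank.example/", sts, t0)  # first TLS visit installs it
    out["after_https"] = store.rewrite_request("http://bank.example/login", t0 + 1)
    out["subdomain"] = store.rewrite_request("http://www.bank.example:80/", t0 + 1)
    store.process_response("https://bank.example/", sts, t0 + ONE_YEAR - 10)  # re-arms timer
    out["after_refresh"] = store.rewrite_request("http://bank.example/", t0 + ONE_YEAR + 5)
    out["after_expiry"] = store.rewrite_request("http://bank.example/", t0 + 2 * ONE_YEAR)
    return out


if __name__ == "__main__":
    for step, url in walkthrough().items():
        print(f"{step:16s} -> {url}")
```

The walkthrough shows why the attack in [Marlinspike 2009] is stopped only from the second visit on: the first response over plain http carries no usable policy, and it is the policy installed by the first genuine https visit that makes every later http:// navigation go straight to https:// before any request leaves the browser.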
