Portal topics
Random portal

The Internet Portal

Selected article

The Signpost (formerly The Wikipedia Signpost) is the Wikimedia movement's online newspaper. Managed by the volunteer community, it is published online with contributions from Wikimedia editors. The newspaper's scope includes the Wikimedia community and events related to Wikipedia, including Arbitration Committee rulings, Wikimedia Foundation issues, and other Wikipedia-related projects. It was founded in January 2005 by Wikipedian Michael Snow, who continued as a contributor until his February 2008 appointment to the Wikimedia Foundation's Board of Trustees.

Former editor-in-chief The ed17 noted that during his tenure, from 2012 to 2015, the publication expanded its scope to report on the wider Wikimedia movement in addition to Wikipedia and its community. After it reported on the changes to European freedom of panorama law in June 2015, a number of publications referred to The Signpost for further information. (Full article...)

Selected picture

iPhone at MacWorld
iPhone at MacWorld
Credit: Pangkakit

The iPhone is a multimedia, Internet-enabled mobile phone designed and marketed by Apple Inc. It has a multi-touch screen with virtual keyboard and buttons. The iPhone was introduced, first in the United States on June 29, 2007 with much media frenzy and then in the United Kingdom, Germany and France in November 2007. It was named Time magazine's Invention of the Year in 2007.




  • Main project: WikiProject Internet
  • Related WikiProjects: Blogging • Websites • Early Web History • Internet culture

Did you know (auto-generated) - load new batch

  • ... that the Backrooms is associated with an Internet aesthetic which includes images of eerie and uninhabited spaces?
  • ... that the song "Dance the Night" killed a viral meme about Dua Lipa's hip twist, as news about the song replaced it in online search results?
  • ... that the music minister, seminary student, and pageant contestant Leah Boyd became an Internet celebrity due to her comedic and satirical commentary on Twitter?
  • ... that Internet activist Sally Burch was refused entry into Argentina because her presence was considered to be disruptive?
  • ... that a pro-EU explanation of how Baileys is made, given by British MP Mike Gapes, was described as being "infinitely memeable" and giving him a "bizarre online infamy"?
  • ... that Kraft Heinz was "intrigued" by the fake product image of Mayoreo that became an Internet meme in June 2021?

Selected biography

Steve Jobs in 2005
Steve Paul Jobs (born February 24, 1955) was the American co-founder, Chairman and CEO of Apple Inc, and was the CEO of Pixar Animation Studios until it was acquired by the Walt Disney Company in 2006. Jobs is currently the Walt Disney Company's largest individual shareholder and a member of its Board of Directors. He is considered a leading figure in both the computer and entertainment industries. He is also widely credited as the inventor of the Macintosh, the iPod, the iTunes Store, and the iPhone. Jobs's history in business has contributed greatly to the myths of the quirky, individualistic Silicon Valley entrepreneur, emphasizing the importance of design while understanding the crucial role aesthetics play in public appeal. Together with Apple co-founder Steve Wozniak, Jobs helped popularize the personal computer in the late '70s. In the early '80s, still at Apple, Jobs was among the first to see the commercial potential of the mouse-driven GUI. After losing a power struggle with the board of directors in 1985, Jobs resigned from Apple and founded NeXT, a computer platform development company specializing in the higher education and business markets. Next's subsequent 1997 buyout by Apple brought Jobs back to the company he co-founded, and he has served as its chief executive officer since shortly after his return.

General images - load new batch

The following are images from various internet-related articles on Wikipedia.

Selected quote

Bill Clinton
Nobody who wasn't a high-energy physicist had even heard of the World Wide Web before I became President. And now even my cat, Socks, has his own page.
Bill Clinton, 1996

More Did you know...

Pete Ashdown

Main topics

HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should automatically interact with it using only HTTPS connections, which provide Transport Layer Security (TLS/SSL), unlike the insecure HTTP used alone. HSTS is an IETF standards track protocol and is specified in RFC 6797.

The HSTS Policy is communicated by the server to the user agent via an HTTP response header field named Strict-Transport-Security. HSTS Policy specifies a period of time during which the user agent should only access the server in a secure fashion. Websites using HSTS often do not accept clear text HTTP, either by rejecting connections over HTTP or systematically redirecting users to HTTPS (though this is not required by the specification). The consequence of this is that a user-agent not capable of doing TLS will not be able to connect to the site.

The protection only applies after a user has visited the site at least once, relying on the principle of "trust on first use". The way this protection works is that a user entering or selecting a URL to the site that specifies HTTP, will automatically upgrade to HTTPS, without making an HTTP request, which prevents the HTTP man-in-the-middle attack from occurring.

Specification history

The HSTS specification was published as RFC 6797 on 19 November 2012 after being approved on 2 October 2012 by the IESG for publication as a Proposed Standard RFC. The authors originally submitted it as an Internet Draft on 17 June 2010. With the conversion to an Internet Draft, the specification name was altered from "Strict Transport Security" (STS) to "HTTP Strict Transport Security", because the specification applies only to HTTP. The HTTP response header field defined in the HSTS specification however remains named "Strict-Transport-Security".

The last so-called "community version" of the then-named "STS" specification was published on 18 December 2009, with revisions based on community feedback.

The original draft specification by Jeff Hodges from PayPal, Collin Jackson, and Adam Barth was published on 18 September 2009.

The HSTS specification is based on original work by Jackson and Barth as described in their paper "ForceHTTPS: Protecting High-Security Web Sites from Network Attacks".

Additionally, HSTS is the realization of one facet of an overall vision for improving web security, put forward by Jeff Hodges and Andy Steingruebl in their 2010 paper The Need for Coherent Web Security Policy Framework(s).

HSTS mechanism overview

A server implements an HSTS policy by supplying a header over an HTTPS connection (HSTS headers over HTTP are ignored). For example, a server could send a header such that future requests to the domain for the next year (max-age is specified in seconds; 31,536,000 is equal to one non-leap year) use only HTTPS: Strict-Transport-Security: max-age=31536000.

When a web application issues HSTS Policy to user agents, conformant user agents behave as follows (RFC 6797):

  1. Automatically turn any insecure links referencing the web application into secure links (e.g. http://example.com/some/page/ will be modified to https://example.com/some/page/ before accessing the server).
  2. If the security of the connection cannot be ensured (e.g. the server's TLS certificate is not trusted), the user agent must terminate the connection (RFC 6797 section 8.4, Errors in Secure Transport Establishment) and should not allow the user to access the web application (section 12.1, No User Recourse).

The HSTS Policy helps protect web application users against some passive (eavesdropping) and active network attacks. A man-in-the-middle attacker has a greatly reduced ability to intercept requests and responses between a user and a web application server while the user's browser has HSTS Policy in effect for that web application.


The most important security vulnerability that HSTS can fix is SSL-stripping man-in-the-middle attacks, first publicly introduced by Moxie Marlinspike in his 2009 BlackHat Federal talk "New Tricks For Defeating SSL In Practice". The SSL (and TLS) stripping attack works by transparently converting a secure HTTPS connection into a plain HTTP connection. The user can see that the connection is insecure, but crucially there is no way of knowing whether the connection should be secure. At the time of Marlinspike's talk, many websites did not use TLS/SSL, therefore there was no way of knowing (without prior knowledge) whether the use of plain HTTP was due to an attack, or simply because the website had not implemented TLS/SSL. Additionally, no warnings are presented to the user during the downgrade process, making the attack fairly subtle to all but the most vigilant. Marlinspike's sslstrip tool fully automates the attack.[citation needed]

HSTS addresses this problem by informing the browser that connections to the site should always use TLS/SSL. The HSTS header can be stripped by the attacker if this is the user's first visit. Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge attempt to limit this problem by including a "pre-loaded" list of HSTS sites. Unfortunately this solution cannot scale to include all websites on the internet. See limitations, below.

HSTS can also help to prevent having one's cookie-based website login credentials stolen by widely available tools such as Firesheep.

Because HSTS is time limited, it is sensitive to attacks involving shifting the victim's computer time e.g. using false NTP packets.


The initial request remains unprotected from active attacks if it uses an insecure protocol such as plain HTTP or if the URI for the initial request was obtained over an insecure channel. The same applies to the first request after the activity period specified in the advertised HSTS Policy max-age (sites should set a period of several days or months depending on user activity and behavior). Google Chrome, Mozilla Firefox, and Internet Explorer/Microsoft Edge address this limitation by implementing a "HSTS preloaded list", which is a list that contains known sites supporting HSTS. This list is distributed with the browser so that it uses HTTPS for the initial request to the listed sites as well. As previously mentioned, these pre-loaded lists cannot scale to cover the entire Web. A potential solution might be achieved by using DNS records to declare HSTS Policy, and accessing them securely via DNSSEC, optionally with certificate fingerprints to ensure validity (which requires running a validating resolver to avoid last mile issues).

Junade Ali has noted that HSTS is ineffective against the use of phony domains; by using DNS-based attacks, it is possible for a man-in-the-middle interceptor to serve traffic from an artificial domain which is not on the HSTS Preload list, this can be made possible by DNS Spoofing Attacks, or simply a domain name that misleadingly resembles the real domain name such as www.example.org instead of www.example.com.

Even with an HSTS preloaded list, HSTS cannot prevent advanced attacks against TLS itself, such as the BEAST or CRIME attacks introduced by Juliano Rizzo and Thai Duong. Attacks against TLS itself are orthogonal to HSTS policy enforcement. Neither can it protect against attacks on the server - if someone compromises it, it will happily serve any content over TLS.

See RFC 6797 for a discussion of overall HSTS security considerations.

Privacy issues

HSTS can be used to near-indelibly tag visiting browsers with recoverable identifying data (supercookies) which can persist in and out of browser "incognito" privacy modes. By creating a web page that makes multiple HTTP requests to selected domains, for example, if twenty browser requests to twenty different domains are used, theoretically over one million visitors can be distinguished (220) due to the resulting requests arriving via HTTP vs. HTTPS; the latter being the previously recorded binary "bits" established earlier via HSTS headers.

Browser support

Settings page Security within Chromium 45, showing the status of the security policy for the domain "en.wikipedia.org".
Settings page for HTTPS Strict Transport Security within Chromium 45, showing the status of the security policy for the domain "en.wikipedia.org".

Deployment best practices

Depending on the actual deployment there are certain threats (e.g. cookie injection attacks) that can be avoided by following best practices.

  • HSTS hosts should declare HSTS policy at their top-level domain name. For example, an HSTS host at https://sub.example.com should also answer with the HSTS header at https://example.com. The header should specify the includeSubDomains directive.
  • In addition to HSTS deployment, a host for https://www.example.com should include a request to a resource from https://example.com to make sure that HSTS for the parent domain is set and protects the user from potential cookie injection attacks performed by a MITM that would inject a reference to the parent domain (or even http://nonexistentpeer.example.com), which the attacker then would answer.

See also

Featured content

Extended content

Featured articles

Good articles

Good topics

  • Norid

Featured pictures

Featured portals


Related portals

Things you can do

Things you can do
Things you can do

Associated Wikimedia

The following Wikimedia Foundation sister projects provide more on this subject:

Wikipedia's portals

Discover Wikipedia using portals

This page was last updated at 2023-08-24 13:19 UTC. Update now. View original page.

All our content comes from Wikipedia and under the Creative Commons Attribution-ShareAlike License.


If mathematical, chemical, physical and other formulas are not displayed correctly on this page, please useFirefox or Safari