
[WEB SECURITY] Strict-Transport-Security on https://www.paypal.com



http://www.thesecuritypractice.com/the_security_practice/2009/11/announcing-stricttransportsecurity-support-on-wwwpaypalcom.html

I'm pleased to announce that PayPal is the first major internet site
to implement the draft Strict-Transport-Security standard.  As of
Friday November 6th, 2009 PayPal is supporting the
Strict-Transport-Security (STS) mode on our main website,
https://www.paypal.com.

As we published back in September when we released the jointly
developed spec, STS allows a site to override a web browser's normal
protocol preference for HTTP, and instead tells the web browser to
convert all attempts to access a given site to use HTTPS.

A few small caveats.

1. Right now we're just supporting this on https://www.paypal.com, not
any of our other sites.
2. We've launched with a very small max-age parameter for testing
purposes.  We expect that after more extensive testing we will deploy
with a much larger max-age value to provide more robust protection for
users.
3. This feature is currently supported in the NoScript and ForceTLS
extensions for Firefox, and Chrome-4 (currently in beta). We expect
other browsers to add the feature in the future.

--
Andy Steingruebl
steingra@xxxxxxxxx
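To make concrete what the announcement above describes, here is a small model of the browser side of Strict-Transport-Security. This is an added example, not code from the post, from PayPal, or from any browser; it assumes the header syntax of the draft spec (a required max-age directive in seconds plus an optional includeSubDomains directive), applies the draft's rule that an STS header received over plain HTTP is ignored, and uses a simulated clock and constructed sample responses so it runs offline. Expiry after max-age is modelled explicitly, since caveat 2 (a deliberately small max-age during testing) means the protection window is exactly that long.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Minimal model of a user agent's Strict-Transport-Security cache.

    Assumed (not from the post): header grammar 'max-age=N[; includeSubDomains]',
    policy only accepted over https, max-age=0 clears a policy.
    """

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable clock so expiry can be tested
        self._policies = {}            # host -> (expiry_timestamp, include_subdomains)

    @staticmethod
    def parse_header(value):
        """Return (max_age, include_subdomains) or None if the header is unusable."""
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                val = val.strip().strip('"')
                if not val.isdigit():
                    return None       # malformed max-age: reject the whole header
                max_age = int(val)
            elif name == "includesubdomains":
                include_sub = True
            # unrecognised directives are ignored for forward compatibility
        if max_age is None:
            return None               # max-age is mandatory
        return max_age, include_sub

    def process_response(self, url, headers):
        """Record the STS policy carried by a response. Returns True if one was stored or cleared."""
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return False              # a policy set over plain HTTP could be attacker-injected
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        parsed = self.parse_header(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._policies.pop(host, None)
        else:
            self._policies[host] = (self._clock() + max_age, include_sub)
        return True

    def _lookup(self, host):
        entry = self._policies.get(host)
        if entry is None:
            return None
        if entry[0] > self._clock():
            return entry
        del self._policies[host]      # policy has aged out; forget it
        return None

    def is_known(self, host):
        """True if host, or a parent domain that set includeSubDomains, has a live policy."""
        host = host.lower().rstrip(".")
        if self._lookup(host) is not None:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            entry = self._lookup(".".join(labels[i:]))
            if entry is not None and entry[1]:
                return True
        return False

    def upgrade(self, url):
        """Rewrite an http:// URL to https:// when a policy applies; otherwise return it unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if not self.is_known(parts.hostname):
            return url
        # port 80 is dropped (https default applies); any other explicit port is preserved
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    # constructed sample response, not a real capture from the site
    store.process_response("https://www.paypal.com/", {"Strict-Transport-Security": "max-age=500"})
    print(store.upgrade("http://www.paypal.com/cgi-bin/webscr?cmd=login"))
```

The two checks a practitioner cares about are visible in the `upgrade` results: before the site has been visited over HTTPS nothing is rewritten (STS is trust-on-first-use), and once max-age seconds have passed the policy silently lapses, which is why a tiny max-age gives only a tiny window of protection.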
