Not enough websites and Internet browsers utilize the HTTP Strict Transport Security (HSTS) policy to keep Internet users secure, according to the Electronic Frontier Foundation (EFF).
HSTS forces encryption: the browser opens HTTPS sessions instead of plain HTTP, so information to and from the website is encrypted. With HSTS in place, a website never lets users interact with it over an unencrypted HTTP session; every connection is automatically upgraded to HTTPS.
The EFF believes not enough web developers know about HSTS, while browser support has grown slowly but surely. Google Chrome, Mozilla Firefox, and Opera have long supported HSTS, while Microsoft said it will use the Web standard with Internet Explorer 12.
The EFF blog notes:
"Why is lack of HSTS even an issue? To see what could go wrong, imagine the following common scenario. You're in a coffee shop and you want to check your bank account. You pop open your laptop, connect to the free Wi-Fi, load up your Web browser, and type in your bank's URL. No security alerts pop up when you load the page, and there's even a padlock icon next to the address, so you go ahead and log in. Unfortunately, you could very well have just sent your login information to a potential attacker."
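As an added example (not code from the article or from the EFF post), the Python script below shows the two halves of the mechanism described above: a parser and audit for the Strict-Transport-Security response header a site must send, and a small model of the browser side, which remembers a policy received over HTTPS and then rewrites a typed-in http:// URL (the coffee-shop scenario) to https:// before any request leaves the machine. The host names, header values and timestamps are constructed for the example; the one-year max-age threshold is a common deployment recommendation, not something the article states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # max-age commonly recommended for production HSTS deployments (assumption)

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    expires_at: float  # absolute time (seconds) after which the policy lapses

def parse_hsts(value: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value; None if it is invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None  # duplicate or non-numeric max-age invalidates the header
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True  # any other directive is simply ignored
    if max_age is None:
        return None  # max-age is mandatory
    return HstsPolicy(max_age, include_sub, now + max_age)

def audit_hsts(headers: Dict[str, str]) -> List[str]:
    """Defender-side check: list weaknesses in a site's HSTS deployment."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return ["no HSTS header: plain-HTTP requests stay unprotected"]
    policy = parse_hsts(value, 0.0)
    if policy is None:
        return ["malformed HSTS header: browsers will ignore it"]
    findings = []
    if policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is short; protection lapses quickly")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing; subdomains stay reachable over HTTP")
    return findings

class HstsBrowser:
    def __init__(self) -> None:
        self.store: Dict[str, HstsPolicy] = {}  # host -> remembered policy

    def observe_response(self, scheme: str, host: str, headers: Dict[str, str], now: float) -> None:
        # Only honoured over HTTPS: on plain HTTP an on-path attacker could forge or strip it.
        value = headers.get("Strict-Transport-Security")
        policy = parse_hsts(value, now) if scheme == "https" and value else None
        if policy is None:
            return
        if policy.max_age == 0:
            self.store.pop(host, None)  # max-age=0 asks the browser to forget the host
        else:
            self.store[host] = policy

    def url_to_fetch(self, url: str, now: float) -> str:
        """Return the URL the browser would actually request for a typed-in URL."""
        m = re.match(r"^(https?)://([^/]+)(/.*)?$", url)  # assumes a well-formed URL
        scheme, host, path = m.group(1), m.group(2), m.group(3) or "/"
        if scheme == "http" and self._covered(host, now):
            return f"https://{host}{path}"  # upgraded before any request leaves the machine
        return url

    def _covered(self, host: str, now: float) -> bool:
        labels = host.split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            policy = self.store.get(".".join(labels[i:]))
            if policy and policy.expires_at > now and (i == 0 or policy.include_subdomains):
                return True
        return False

# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = [
    ("https", "bank.example", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("https", "shop.example", {"Strict-Transport-Security": "max-age=300"}),
    ("http", "news.example", {"Strict-Transport-Security": "max-age=31536000"}),  # not HTTPS: ignored
]

def run_demo(now: float = 1000.0) -> Dict[str, str]:
    """Replay the sample responses, then see what later plain-http:// navigations become."""
    browser = HstsBrowser()
    for scheme, host, headers in SAMPLE_RESPONSES:
        browser.observe_response(scheme, host, headers, now)
    later = now + 301  # shop.example's 300-second policy has lapsed by then
    return {
        "http://bank.example/login": browser.url_to_fetch("http://bank.example/login", now),
        "http://www.bank.example/": browser.url_to_fetch("http://www.bank.example/", now),
        "http://shop.example/": browser.url_to_fetch("http://shop.example/", now),
        "http://shop.example/ later": browser.url_to_fetch("http://shop.example/", later),
        "http://news.example/": browser.url_to_fetch("http://news.example/", now),
    }

if __name__ == "__main__":
    for _, host, headers in SAMPLE_RESPONSES:
        print(host, audit_hsts(headers) or ["ok"])
    print(run_demo())
```

The model makes the limitation visible as well as the protection: a browser only learns the policy after a first successful HTTPS visit, so a host it has never seen, a policy sent over plain HTTP, or one whose max-age has expired leaves the typed http:// URL untouched, which is exactly the window the coffee-shop scenario relies on. Site operators close the first-visit gap by shipping a long max-age with includeSubDomains and, for browsers that support it, by submitting the domain to the built-in HSTS preload list.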