HTTP Strict Transport Security (HSTS) is the new security standard for websites. PayPal is one website that already uses this standard for its HTTPS site.

So you might think: what’s the difference between HTTPS and HSTS? HSTS is not a replacement for HTTPS, but rather an add-on to it. Without HSTS, a Man-In-The-Middle (MITM) attack is possible. Why should you care? Imagine you sit at a local Starbucks sipping your coffee or macchiato, with your laptop open and connected to a wifi hotspot. What you don’t know is that the hotspot is actually someone else’s laptop hijacking your connection to the internet. Before anything gets processed, your request to the internet is redirected to him, the response is captured by him and then sent on to you. Imagine sending a letter in an envelope where the mailman always reads the letter before handing it to the recipient, and does the same on the way back. This is especially dangerous for bank transactions you might want to do while on a public wifi hotspot.

HSTS takes care of this, since it requires an encrypted connection directly to the server: once a site has sent the Strict-Transport-Security header over HTTPS, the browser remembers it for the time given by max-age and, on later visits, rewrites any http:// request to that host to https:// before it leaves the machine. If the encrypted connection cannot be established, or the certificate does not check out, the browser cuts the connection off instead of letting you click through. Either way, you are safe!

This feature is new and only started to be available in Firefox 4+. As of this post, I’m not sure whether IE supports this feature or in what version it will be available. Just another reason to update your browser to the latest version. Besides the support for HTML 5! More on HTML 5 soon.

Read more on HSTS on Wikipedia: http://en.wikipedia.org/wiki/Strict_Transport_Security