Online marketplace Etsy has deployed two-factor authentication and SSL, and has become one of the few sites to deploy HTTP Strict Transport Security (HSTS).
The upgrades, which also let users view their own login data, were pushed out as part of a broader move to bolster security on the popular site.
“We believe that these protections are industry best practice, and we’re excited to offer them proactively to our members on an opt-in basis as a further commitment to account safety,” Etsy security engineers Kyle Barry and Zane Lackey wrote in a post.
The security team experienced a “thrilling explosion” in errors during tests of the switch to SSL, because its load balancers were being used both to terminate SSL and to decide which pages were served over HTTPS.
To get the protocol running, the team cleaned up hardcoded URLs, ensured all content was SSL-aware, and moved that logic from the load balancers into its web server.
They said SSL would eventually be deployed for all users, pending further research into its effect on page load times.
But the implementation of HSTS could be the stand-out upgrade. The policy tells web browsers to use HTTPS connections from the first point of contact, eliminating the opening for man-in-the-middle (MITM) attacks based on SSL stripping.
Google engineer Adam Langley pointed out in his talk at HOPE 9 how SSL websites that lack HSTS -- the majority of sites -- still place visitors at risk:
“The problem is that the page isn't served over HTTPS. It should have been, but when a user types a hostname into a browser, the default scheme is HTTP. The server may attempt to redirect users to HTTPS, but that redirect is insecure: a MITM attacker can rewrite it and keep the user on HTTP, spoofing the real site the whole time. The attacker can now intercept all the traffic to this perfectly well configured and secure website.”
Etsy users who opt into SSL will be served HSTS. The policy will initially be set with a low timeout (max-age) value, which will be lengthened in the future.
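As an added example (not Etsy's code or anything from the article), here is a small Python checker that parses a Strict-Transport-Security header the way a browser does (RFC 6797 syntax) and flags the weaknesses discussed above, including the short max-age a cautious first rollout uses; the sample header values and the 180-day threshold are constructed assumptions, not Etsy's actual settings.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    max_age: int            # seconds the browser remembers "HTTPS only"
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse an HSTS header value. Returns None when a browser would reject it
    (no max-age, non-numeric max-age, or a duplicated max-age directive)."""
    max_age = None
    include_subdomains = preload = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit() or max_age is not None:
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown or empty directives are ignored, as RFC 6797 requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def assess_hsts(headers: dict, min_max_age: int = 180 * 24 * 3600) -> list:
    """Return findings for one response's headers. min_max_age (180 days) is
    an assumed review threshold, not a standard value."""
    findings = []
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no HSTS header: browsers keep accepting plain HTTP for this host"]
    policy = parse_hsts(value)
    if policy is None:
        return ["malformed HSTS header: browsers will ignore it"]
    if policy.max_age == 0:
        findings.append("max-age=0 clears the policy: HSTS is effectively disabled")
    elif policy.max_age < min_max_age:
        findings.append(f"short max-age ({policy.max_age}s): the host is exposed "
                        "to SSL stripping again once the policy expires")
    if not policy.include_subdomains:
        findings.append("includeSubDomains absent: subdomains remain reachable over HTTP")
    return findings


# Constructed sample: a low-timeout policy like one used for an initial opt-in rollout.
SAMPLE_ROLLOUT_HEADERS = {"Strict-Transport-Security": "max-age=600"}
```

Running `assess_hsts(SAMPLE_ROLLOUT_HEADERS)` reports the short max-age and the missing includeSubDomains directive, which is what a reviewer would want to revisit once the policy is lengthened.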
It was the latest security upgrade for the online artist hub. Last month, the site opened a bug bounty scheme to reward security researchers for reporting vulnerabilities found on the website. It offered a minimum of $US500 ($A479) for bugs and more for “distinctly creative or severe security bugs”.