Hello, Andy Steingruebl here.
I'm pleased to announce that PayPal is the first major internet site to implement the draft Strict-Transport-Security standard. As of Friday November 6th, 2009 PayPal is supporting the Strict-Transport-Security (STS) mode on our main website, https://www.paypal.com.
As we published back in September when we released the jointly developed spec, STS allows a site to override a web browser's normal protocol preference for HTTP, and instead tells the web browser to convert all attempts to access a given site to use HTTPS. The draft spec is here.
A few small caveats.
- Right now we're just supporting this on https://www.paypal.com, not any of our other sites.
- We've launched with a very small max-age parameter for testing purposes. We expect that after more extensive testing we will deploy with a much larger max-age value to provide more robust protection for users.
- This feature is currently supported in the NoScript and ForceTLS extensions for Firefox, and Chrome-4 (currently in beta). We expect other browsers to add the feature in the future.