Microsoft adds HTTP Strict Transport Security support to Internet Explorer

Websites will now be able to instruct the browser to always reach them over HTTPS

Starting with Windows 10, Internet Explorer will allow users to access some websites only over SSL-encrypted connections, if those websites have opted into a new security mechanism.

Users can test the new feature, known as HTTP Strict Transport Security (HSTS) in Internet Explorer on Windows 10 Technical Preview. In the future, it will also be added to the Project Spartan browser, said Microsoft program managers Mike Bell and David Walp in a blog post.

HSTS is a standard defined by the Internet Engineering Task Force in RFC6797. It was designed to prevent SSL stripping attacks, where hackers in a position to intercept a user's traffic can downgrade connections from HTTPS (HTTP and SSL encryption) to plain HTTP.

Such attacks are simple to pull off: A man-in-the-middle attacker intercepts a victim's request to an HTTPS-enabled site and blocks it. He then goes ahead and establishes an HTTPS connection with the site himself, on the victim's behalf, and then serves the response back to the user over HTTP.

At this point the site has no idea that something is amiss because on its side it sees an encrypted connection from a user, who is actually the hacker acting as a proxy. The victim will no longer see the HTTPS indicators in his browser's address bar, like the lock icon, but since most users never look for them a second time, an attacker can let one request go through and then downgrade the connection.

HSTS addresses SSL stripping attacks by allowing websites to instruct browsers that they should always connect to them over HTTPS. Websites can express this policy through a Strict-Transport-Security HTTP header sent in a response. Once a browser sees such a header for a website, it will remember the preference and only accept HTTPS connections for that site in the future.

Internet Explorer is actually the last major browser to get support for HSTS and even now it's not for all versions. Google Chrome has had HSTS support since 2009, Firefox since 2010, Opera since 2012 and Safari since 2013.

Like Chrome and most other browsers, IE will come preloaded with a list of popular websites for which the HSTS policy will be enforced by default. Such lists are necessary, because even with HSTS there's still a small window for SSL stripping attacks: the first ever request from the browser to a new website. In order to learn about a site's HSTS policy through a response header, a browser needs to first connect to that site. However, if an attacker is already in a position to intercept traffic he can strip the Strict-Transport-Security header from the site's response and the browser will never know.

Internet Explorer will use the same HSTS preload list used by the Chromium open source browser, Bell and Walp said, adding that websites can register to be included on this list.

The new security mechanism might impact the user experience on sites that opt into it. In certain situations, IE allows users to click through some certificate errors and continue to open a website. If such errors happen for an HSTS website, users will no longer be able to dismiss them and the connection will be refused.

Also, some sites that use HTTPS might load content from third-party servers over plain HTTP. This is known as mixed content and while it's a discouraged practice from a security standpoint, it's accepted by browsers. With HSTS enabled, mixed content will no longer be allowed.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags online safetyMicrosoftsecurityencryption

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?