Microsoft adds HTTP Strict Transport Security support to Internet Explorer

Websites will now be able to instruct the browser to always reach them over HTTPS

Starting with Windows 10, Internet Explorer will allow users to access some websites only over SSL-encrypted connections, if those websites have opted into a new security mechanism.

Users can test the new feature, known as HTTP Strict Transport Security (HSTS) in Internet Explorer on Windows 10 Technical Preview. In the future, it will also be added to the Project Spartan browser, said Microsoft program managers Mike Bell and David Walp in a blog post.

HSTS is a standard defined by the Internet Engineering Task Force in RFC6797. It was designed to prevent SSL stripping attacks, where hackers in a position to intercept a user's traffic can downgrade connections from HTTPS (HTTP and SSL encryption) to plain HTTP.

Such attacks are simple to pull off: A man-in-the-middle attacker intercepts a victim's request to an HTTPS-enabled site and blocks it. He then goes ahead and establishes an HTTPS connection with the site himself, on the victim's behalf, and then serves the response back to the user over HTTP.

At this point the site has no idea that something is amiss because on its side it sees an encrypted connection from a user, who is actually the hacker acting as a proxy. The victim will no longer see the HTTPS indicators in his browser's address bar, like the lock icon, but since most users never look for them a second time, an attacker can let one request go through and then downgrade the connection.

HSTS addresses SSL stripping attacks by allowing websites to instruct browsers that they should always connect to them over HTTPS. Websites can express this policy through a Strict-Transport-Security HTTP header sent in a response. Once a browser sees such a header for a website, it will remember the preference and only accept HTTPS connections for that site in the future.

Internet Explorer is actually the last major browser to get support for HSTS and even now it's not for all versions. Google Chrome has had HSTS support since 2009, Firefox since 2010, Opera since 2012 and Safari since 2013.

Like Chrome and most other browsers, IE will come preloaded with a list of popular websites for which the HSTS policy will be enforced by default. Such lists are necessary, because even with HSTS there's still a small window for SSL stripping attacks: the first ever request from the browser to a new website. In order to learn about a site's HSTS policy through a response header, a browser needs to first connect to that site. However, if an attacker is already in a position to intercept traffic he can strip the Strict-Transport-Security header from the site's response and the browser will never know.

Internet Explorer will use the same HSTS preload list used by the Chromium open source browser, Bell and Walp said, adding that websites can register to be included on this list.

The new security mechanism might impact the user experience on sites that opt into it. In certain situations, IE allows users to click through some certificate errors and continue to open a website. If such errors happen for an HSTS website, users will no longer be able to dismiss them and the connection will be refused.

Also, some sites that use HTTPS might load content from third-party servers over plain HTTP. This is known as mixed content and while it's a discouraged practice from a security standpoint, it's accepted by browsers. With HSTS enabled, mixed content will no longer be allowed.

Join the CSO newsletter!

Error: Please check your email address.

Tags online safetyMicrosoftsecurityencryption

More about GoogleInternet Engineering Task ForceMicrosoftTransport

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts