Slashdot Mirror


Internet Explorer 11 Gains HTTP Strict Transport Security In Windows 7 and 8.1

Mark Wilson writes: Anyone using the Windows 10 preview has had a chance to use HTTP Strict Transport Security (HSTS) in Microsoft Edge, and today the security feature comes to Internet Explorer 11 in Windows 7 and Windows 8.1. This security protocol protects against man-in-the-middle attacks and is being delivered to users of older versions of Windows through an update in the form of KB 3058515.

56 comments

  1. Security by Dunbal · · Score: 3, Funny

    You'll be safe. Trust Microsoft. They know about security. When they promise it, they promise it.

    --
    Seven puppies were harmed during the making of this post.
    1. Re:Security by Whiteox · · Score: 1

      Phew! I was getting worried after reading their new EULAs. Thankfully you've assuaged my fears.

      --
      Don't be apathetic. Procrastinate!
    2. Re:Security by Anonymous Coward · · Score: 2, Insightful

      Why does /. even bother posting Microsoft stories? It just brings out the cynical doomsayers who still live like it's 1995.

      Funny how after all that fear-mongering it ended up being Apple who is dominating personal computing with drab gray/black/white computers, tablets and phones where everybody has the same in a 1984-style.

    3. Re:Security by Opportunist · · Score: 5, Funny

      Oh for fuck's sake, at least read up on HSTS before you reach for the knee-jerk reaction to karma whore.

      Li'l hint: Karma whoring only works by saying what you think the groupthink will agree with if you manage to not look like a complete moron in the process. Like, say, by showing off that you know exactly zero about the topic at hand.

      A more sensible Karma whoring on the topic would be "Oh great, MS finally woke up and implemented what everyone else already had at the very least a year ago. And that qualifies as news on Slashdot these days, when MS implements something everyone else already has?". There you have MS bashing and /. bashing rolled into a single posting. Guaranteed to give you more up-mods than you could ever need.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Security by CaptainDork · · Score: 2

      Is up mods a goal?

      --
      It little behooves the best of us to comment on the rest of us.
    5. Re:Security by Anonymous Coward · · Score: 0

      space grey / silver / gold, thank you very much!

    6. Re:Security by __aaclcg7560 · · Score: 2

      Funny how after all that fear-mongering it ended up being Apple who is dominating personal computing with drab gray/black/white computers, tablets and phones where everybody has the same in a 1984-style.

      The 1980's and 1990's were dominated by PCs that came in one color and one color only: beige. If you don't like the current monochromatic regime, visit an Apple Store to see the new color scheme of gold, silver and space gray.

    7. Re:Security by mitcheli · · Score: 3, Interesting

      Why does /. even bother posting Microsoft stories? It just brings out the cynical doomsayers who still live like it's 1995.

      As a Microsoft Doomsayer, I'm not immune from jumping on this article to predict the future of how new zero-days will result in the mass pwning of Grandma's computers everywhere. That being said, I'm not blind to the fact that Apple is gaining an increased market share and that as time goes on, they will become an increasingly targeted platform as the profitability (be it in information or money) increases. Microsoft does have what appears to be a more responsive patch process than Apple. Apple is very slow at responding to reported exploits (albeit, Microsoft has been known to half-ass patch and to sit on patches as well). In any case, my biggest issue with this report is I'm curious how much community involvement Microsoft had with the development of this new protocol. In the past, they just create crap in-house without the involvement of industry partners (sometimes even closing them out of those conversations). The problem with this is there is less industry oversight on potential weaknesses and less input on modifications that can strengthen the underlying protocol. Protocols in particular are not something that needs to be developed by a small team of engineers without support of the industry as a whole, lest you get protocols like SMTP (whose author is on record apologizing profusely for not building in security). So, as a Microsoft doomsayer, I shall sit back and wait with my "I told you so" in my back pocket. In the meantime, IE/Edge/whatever the hell they want to call it can stay off my computer thank you very much.

      --
      Select from tblFriends where interesting >= 4;
    8. Re:Security by sasparillascott · · Score: 3, Funny

      You're totally right AC. Microsoft is definitely someone consumers can trust with their security:

      http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data

  2. I can hardly wait! by timrod · · Score: 4, Funny

    I, for one, welcome this change to Internet Explorer. Now, I can know I am truly safe from man-in-the-middle attacks the next time I load a fresh Windows install and open IE10 so I can download Firefox.

    1. Re:I can hardly wait! by timrod · · Score: 0

      IE11. I was going to say IE11.

    2. Re:I can hardly wait! by TechyImmigrant · · Score: 1, Informative

      What makes you think Firefox is safe from MITM attacks?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    3. Re:I can hardly wait! by pushing-robot · · Score: 4, Interesting

      To be fair, a web browser download would be a great opportunity for a MITM attack.

      --
      How can I believe you when you tell me what I don't want to hear?
    4. Re:I can hardly wait! by Anonymous Coward · · Score: 0

      To be fair, a web browser download would be a great opportunity for a MITM attack.

      You devious little creature. You're a bad boy.

    5. Re:I can hardly wait! by Anonymous Coward · · Score: 0

      If you're going to troll, make the effort to do it right.

    6. Re:I can hardly wait! by Opportunist · · Score: 4, Informative

      Funnily enough, due to how HSTS works, the security of exactly this connection will NOT be improved.

      For HSTS to work, you need to have visited a page before. Because the server sets a token that tells your browser that in the next X days/months/years, it should connect to this server using https, and https only. This means if you type in http://whateverpage.com/ it will automatically turn it into a https connection and the browser will not allow a connection if something is fishy, e.g. when the certificate is bogus.

      For this to work, though, your browser must already know that the server supports this. So you must have visited that page at least once.

      For the single time you use IE to download another browser, HSTS won't do you any good. But maybe you find comfort in the fact that your browser already has supported HSTS for quite a while now (IIRC about 4 years or so...).

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:I can hardly wait! by Opportunist · · Score: 4, Interesting

      Possibly that they have had HSTS support for about 4 years now...

      It ain't foolproof, though, and with MS not supporting it 'til now it wasn't really that widely used (the server has to support it to work).

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:I can hardly wait! by Antique+Geekmeister · · Score: 0

      Install CygWin and use wget, instead. The CygWin installer fits easily on a USB stick.

    9. Re:I can hardly wait! by thegarbz · · Score: 1

      Browsers (at least Chrome and Firefox) also have a handful of sites "whitelisted" by HSTS so that they will only connect EVER with SSL; facebook, google, etc...

      I'm sure that courtesy does not extend to https://www.getfirefox.com/

    10. Re:I can hardly wait! by rtb61 · · Score: 0

      Perhaps M$ was hoping to be the MITM with its OS and thus HSTS was not in its interests, but with Android and OS X making deep inroads into internet communications, being the MITM became unrealistic. So if M$ can't play, no one else should be able to. Of course corrupt ISPs seem destined to seek MITM roles in order to inflate profits for as long as they can get away with it. ISPs can always try to force the installation of specific MITM software in order to use their network, this until such time as specific legislation prohibits that attempt, and of course how far that legislation extends to other players including the Android and Apple marketplace.

      --
      Chaos - everything, everywhere, everywhen
    11. Re:I can hardly wait! by blavallee · · Score: 1, Redundant

      You forgot a step: ...load a fresh Windows install, open IE, deal with the security settings for your profile, then download Firefox.

      That's why I load a fresh Windows install, open the command prompt, FTP to ftp.mozilla.org, and download Firefox.

    12. Re:I can hardly wait! by cbhacking · · Score: 3, Interesting

      On the one hand, you're kind of wrong; any site that wants to can opt into the HSTS preload list, and IE uses the same preload list that Chrome, Safari, and Firefox use. The preload list, by the way, is not a "whitelist" in the usual sense; it simply has the effect of there having been a "zeroth visit" before the first visit, so the first visit is safe. After that, the site behaves as normal.

      On the other hand, it is true that getfirefox.com doesn't support HSTS at all (much less appear in the preload list, which would reject it anyhow for failing to have the response header present). Worse, though, mozilla.org doesn't seem to support it! At least, the Chrome dev tools don't list the Strict-Transport-Security header in responses from the site. That is a bizarre (and, frankly, unwise) omission.

      --
      There's no place I could be, since I've found Serenity...
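
An added example (not code from the thread or from any browser vendor) that models the behaviour Opportunist describes above and the preload-list "zeroth visit" cbhacking mentions: a small HSTS cache that parses the Strict-Transport-Security header only from HTTPS responses, upgrades http:// URLs for known hosts and their subdomains, treats a certificate error on a known host as a hard failure, and forgets the host once max-age lapses. The preload entry, header values and host names are constructed, not the real preload list.

```python
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the real preload list (hypothetical host): host ->
# includeSubDomains. A preloaded host behaves as if it had already been visited.
PRELOAD = {"preloaded.example": True}

@dataclass
class Policy:
    expires: float            # absolute time (seconds) at which the policy lapses
    include_subdomains: bool

def parse_sts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 6.1); None if invalid."""
    max_age, include_sub, seen = None, False, set()
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:          # a repeated directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:           # max-age is mandatory
        return None
    return max_age, include_sub

class HstsStore:
    """A browser's in-memory HSTS cache; `now` is injectable for testing."""
    def __init__(self, now=time.time):
        self.now = now
        self.policies = {}        # host -> Policy

    def observe_response(self, url, headers):
        """Record the policy in a response (header names lower-cased). Only HTTPS
        responses count (RFC 6797 8.1), so a tampered plain-HTTP reply cannot
        set or clear the policy."""
        parts = urlsplit(url)
        value = headers.get("strict-transport-security")
        if parts.scheme != "https" or value is None:
            return False
        parsed = parse_sts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:          # max-age=0 asks the browser to forget the host
            self.policies.pop(parts.hostname, None)
        else:
            self.policies[parts.hostname] = Policy(self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """Covered by a live cached policy or the preload list? Walks up the domain
        so 'www.site.example' matches 'site.example' when includeSubDomains is set."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), (i == 0)
            pol = self.policies.get(candidate)
            if pol is not None:
                if pol.expires <= self.now():
                    del self.policies[candidate]   # lapsed: the next plain visit is unprotected
                elif exact or pol.include_subdomains:
                    return True
            if candidate in PRELOAD and (exact or PRELOAD[candidate]):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts; anything else passes unchanged."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url

    def allow_connection(self, host, cert_valid):
        """Known hosts get no click-through: a certificate error is a hard failure."""
        return cert_valid or not self.is_known(host)
```

The first plain-HTTP visit to a host that is neither cached nor preloaded is still unprotected, which is exactly the one-off browser-download case discussed above.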
    13. Re:I can hardly wait! by thegarbz · · Score: 1

      I'm actually not that surprised. Supporting HSTS is a pre-requisite for getting an A+ rating on things like SSLLabs, and when we look at the kind of results that have come through that site and how well SSL in general has been managed then everyone should be shedding tears.

      Your first reaction may be "no excuse" but there is a gotcha here: if sites that provide downloads to browsers need to support SSL then they also need to cater for the lowest common denominator, so IE6 based on the list of Windows XP machines still in the wild. That opens up a whole world of insecure ciphers from what I recall. But in general I don't expect these sites to have the latest and greatest world class security.

    14. Re:I can hardly wait! by Bacon+Bits · · Score: 2

      Cygwin is the worst answer to pretty much any issue on Windows ever. Forcing a POSIX environment onto the Windows environment to do basic tasks is why Linux admins are so shit at administering Windows. Just learn the damn system you're using.

      If you need to have a script saved, just use PowerShell:

      Invoke-WebRequest -Uri 'ftp://ftp.mozilla.org/pub/firefox/releases/38.0.5/win32/en-US/Firefox Setup 38.0.5.exe' -OutFile 'C:\Firefox Setup 38.0.5.exe'

      If you really want you can parse the output from http://download.cdn.mozilla.ne..., but that seems like a huge waste of time. Just fetch a reasonably recent version and plan to update twice.

      Otherwise, just use ftp.exe.

      --
      The road to tyranny has always been paved with claims of necessity.
    15. Re:I can hardly wait! by Opportunist · · Score: 1

      It hurts the head to read such a load of baloney.

      But let's imagine MS was out to MITM everyone. Just for kicks. How would HSTS affect that? They run the show on most desktop PCs. If they WANT to listen to communication it's trivial to them. When you essentially control the WHOLE FRIGGIN' SYSTEM why bother trying to bug the browser? Especially if it's trivial for the user to replace this part while it's near impossible for them to replace the whole underlying OS, let alone do a complete security audit of it.

      What the fuck should HSTS change in this?

      I really don't mind people hating MS. Or Apple. Or Google for that matter. But mixing in some harebrained conspiracy theories bordering on insanity into it doesn't really help the case. Especially not if anyone with at least a HINT of knowledge in the relevant field can debunk your muddleheaded rambling for what it is.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    16. Re:I can hardly wait! by rtb61 · · Score: 1

      As the supplier, you can only ever do what your customers allow you to do. Deny history all you want, M$ has a terrible track record http://en.wikipedia.org/wiki/C....

      --
      Chaos - everything, everywhere, everywhen
    17. Re:I can hardly wait! by Opportunist · · Score: 1

      I'm halfway certain that MS won't whitelist the servers of its competitors. Then again, considering that whitelisting doesn't accomplish anything but forcing the browser to use HTTPS and the distinct possibility that some ancient and not updated boxes running Windows might not be able to handle the encryption provided (with RC4 pretty much being the black sheep now and anything before TLS being insecure by design), MS just might whitelist them knowing that an outdated version of Windows is maybe not capable of handling a HTTPS connection to them.

      Would be funny to check. Then again, if there are still people insane enough to connect an out-of-the-box, pre-SP, version of Vista to the net, HSTS and HTTPS enforcing is their least concern.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    18. Re:I can hardly wait! by Opportunist · · Score: 1

      That's pretty odd considering Firefox was one of the first browsers to support HSTS.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    19. Re:I can hardly wait! by Opportunist · · Score: 1

      Hen and egg.

      On one hand, of course, getting a browser should be done on a secure connection considering the amount of personal data entrusted to this program (and the program by design having to be able to access that data). On the other hand, getting it with an outdated browser might not allow for tight security. The bare minimum today is pretty much TLS 1.1, which is by some years younger than XP and was released after IE 6 met its EOL. RC4 is "outlawed" as a cipher in TLS now, which makes it kinda difficult for fresh XP installations to find a cipher or protocol to communicate on.

      Then again, when you use XP on the internet today, security is very obviously none of your concerns.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    20. Re:I can hardly wait! by Opportunist · · Score: 1

      MS doesn't give half a shit about its customers. Twice so for consumer customers. No question about that.

      But seriously, if they WANT to spy on you, they CAN. No need to fuck around on the network traffic when you control EVERYTHING on the machine.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Trust by Anonymous Coward · · Score: 0

    Do they really think they can protect against man in the middle? Once your shit leaves the door, who really knows what happens to it?
    Given the news lately, it seems we can make some reasonable predictions where this is going.

    No thanks.

    1. Re:Trust by mellon · · Score: 1

      Yes, they really think they can protect against an MiTM attack. Of course it's possible that the NSA in cahoots with the aliens has a quantum computer that can MiTM any SSL connection, but even if they do, it's probably sufficiently expensive that they won't do it for every connection, but just for high-value connections. And if not, we're pretty fucked, because a big chunk of the world economy at this point depends on the notion that it is not trivially easy to MiTM SSL connections.

  4. other options by Anonymous Coward · · Score: 4, Informative

    looks like internet explorer is behind

    From wikipedia:
    Browser support
    Chromium and Google Chrome since version 4.0.211.0[28][29]
    Firefox since version 4;[30] with Firefox 17, Mozilla integrates a list of websites supporting HSTS.[20]
    Opera since version 12[31]
    Safari as of OS X Mavericks[32]
    Internet Explorer 11 on Windows 8.1 and Windows 7 since June 2015[33]
    Microsoft Edge and Internet Explorer 11 on Windows 10 Technical Preview support HSTS.[34][35]

    1. Re:other options by mellon · · Score: 1

      Yup. I installed HSTS on my web site last week, and it worked a treat with both Chrome and Safari. I have to admit that I didn't test MSIE, due to a fundamental lack of Windows on my home network.

    2. Re:other options by ron_ivi · · Score: 1

      I have to admit that I didn't test MSIE, due to a fundamental lack of Windows on my home network.

      SSL Labs has a website that will test HSTS on various IE versions for you: https://www.ssllabs.com/ssltes...

  5. About time by Anonymous Coward · · Score: 0

    Better late than never

  6. Re:You're joking, right? by Anonymous Coward · · Score: 0

    Sorry, I don't use Microsoft products on the Internet, but thanks anyway.

    That's not true. While your browser might not be from MS, I suspect you use quite a few IIS hosted sites.

  7. trollin', trollin', trollin' by turkeydance · · Score: 1, Funny

    keep them doggies Edgin', IE!

  9. Please support TLS-SRP in IE11 as well by WaffleMonster · · Score: 0

    Dear Microsoft,

    Please let us establish secure connections using TLS-SRP in IE11. This would be most helpful. Imagine a world where even people with weak passwords (most everyone) fooled into supplying credentials to a phisher or MITM attacker face no risk for being suckers.

    Apache and some of our Intranet applications support TLS-SRP already, yet unfortunately usage is currently limited to machine to machine as none of our users have a browser that can negotiate it. This would be a perfect opportunity to get a leg up on your competition and provide an important security feature no other browser vendor has yet deployed.

    1. Re:Please support TLS-SRP in IE11 as well by cbhacking · · Score: 1

      SRP has a number of problems, the most notable being that there's no way to securely *distribute* (or create) the password without falling back to some other TLS suite, or doing it out of band. This really limits the usefulness of SRP in a browser.

      Additionally, I'm not sure how browser support for SRP is supposed to make phishing stop working. If the user still needs to enter their password somewhere, then the phishing attack just has to look like wherever they usually enter their password. Yes, an attacker intercepting the network traffic of a legitimate handshake won't be able to extract any useful info about the password (or be able to replay it blindly), but a phishing site that gets users to enter their password and then sends that password back to the (attacker's) server via whatever mechanism it cares to will still work just fine.

      On the other hand, there are definitely places that I'd like to see SRP deployed. A key one, which I consider a lot more important than in browsers, would be as a replacement for NTLM hashes (which are antique and terrible) in SMB (Windows networking, Samba, etc.) traffic. It also makes sense for things like remote desktop or ssh (where, at least for password auth, you assume that both sides already know the password so the distribution problem is taken care of). Once you have it in those places, putting it in the browser seems reasonable enough - after all, enterprises do use IE's built-in support for NTLM auth to web servers, which sucks about as much as NTLM for SMB - but I'd put the other areas ahead of the browser.

      --
      There's no place I could be, since I've found Serenity...
    2. Re:Please support TLS-SRP in IE11 as well by WaffleMonster · · Score: 1

      SRP has a number of problems, the most

      The biggest issue I am aware of is the mostly worthless notion of protecting stored passwords by irreversibly hashing passwords changes.

      While stolen SRP verifiers (equivalent of a password hash) can't be used to log in to a legitimate system, they can, like password hashes, be used to conduct brute force attacks, and they can also be used to trick individuals into thinking they are connecting to a legitimate service. This is equivalent to theft of a private key or subversion of CA infrastructure.

      The other problem is when PKI is not used with SRP the authenticating identity is transmitted in the clear which may give away information (e.g. a username or alias) to an eavesdropper users may not want disclosed in the clear.

      notable being that there's no way to securely *distribute* (or create) the password without falling back to some other TLS suite, or doing it out of band. This really limits the usefulness of SRP in a browser.

      Saying that bootstrapping trust is SRP's problem is like saying distributing trusted certificates is PKI's problem.

      At some point you need to do work to create trust relationships. This is a fundamentally unavoidable reality, the same way people in the real world come to trust or not other individuals based on their experiences.

      I do NOT believe SRP is a replacement for PKI. They each have their roles and I believe they can and should be used concurrently. PKI is obviously much better suited for initial service discovery on the Internet. Yet the reality is most sites worth protecting with TLS require a login of some kind. Everyone has a login for their email accounts, their banks and their facebooks... What I find unacceptably dangerous is the world continuing to ignore individual trust relationships to secure sessions... because the alternative is asking hundreds of redundant global trust anchors to be responsible for the security of the world's systems...a laughably insane delusion.

      Additionally, I'm not sure how browser support for SRP is supposed to make phishing stop working. If the user still needs to enter their password somewhere, then the phishing attack just has to look like wherever they usually enter their password.

      It becomes tractable to educate users to enter their passwords only into a specific browser menu rather than random attacker forms which appear to be indistinguishable from legitimate counterparts, which are constantly subject to change, redesign and often contain baseless security assertions (such as fake padlock imagery and baselessly reassuring text).

      On the other hand, there are definitely places that I'd like to see SRP deployed. A key one, which I consider a lot more important than in browsers, would be as a replacement for NTLM hashes

      NTLMv2 and Kerberos Authentication both need to be replaced with a modern secure authentication system; however, a lot more people log in to websites using pre-established usernames and passwords than they do a network file share. Many of them have no training and believe whatever they see on their screens because even legitimate sites spew lies to cover for a fundamentally indefensible reality where insecure authentication is tolerated.

  10. Re:You're joking, right? by Anonymous Coward · · Score: 0

    Sorry, I don't consider comments from holier-than-thou bigots on the Internet, but thanks anyway.

  11. Oh Great by thegarbz · · Score: 5, Funny

    Oh great, MS finally woke up and implemented what everyone else already had at the very least a year ago.
    Also how low has Slashdot fallen that we now qualify MS getting something that everyone else already has as "news"?

    1. Re:Oh Great by Opportunist · · Score: 4, Funny

      I couldn't have said it better. Oh if only I had modpoints...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Oh Great by thegarbz · · Score: 1

      Now if only +5 funny counted towards karma :-)

    3. Re:Oh Great by Opportunist · · Score: 1

      Oh c'mon, karma whoring on /. is easier than shooting fish in a barrel. All you have to do is twist any discussion towards something anti-MS or anti-government and you'll be modded up to cap.

      You should be wary with postings about Apple or some political agenda. Then you should first check which fraction of the groupthink userbase currently has the modpoints. But reading a posting or two above the one you want to reply to should give you the necessary information.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Oh Great by thegarbz · · Score: 1

      It used to be even easier than that. For a while you could say what you wanted and as long as you signed it off with Fuck Beta you got modded up. Ahhh the bad old days :-)

  12. Update for IE6 by ArhcAngel · · Score: 0

    Did Microsoft happen to mention when the KB would be rolled out for IE6?

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    1. Re:Update for IE6 by cbhacking · · Score: 1

      Well, MS isn't always the fastest on rolling out security features. Somebody else may need to lead the way. If the Mozilla foundation releases HSTS for Firefox 1.0, it might be possible to persuade MS to do the same for their similarly-aged browser...

      --
      There's no place I could be, since I've found Serenity...
    2. Re:Update for IE6 by Anonymous Coward · · Score: 0

      IE6 shouldn't get anything. It needs to DIAF.

    3. Re:Update for IE6 by Anonymous Coward · · Score: 0

      Even the AC trolls can't tell when being trolled. /. is well and truly ded.

  13. Scan for malicious files without MitM? by hipsterdufus · · Score: 3, Informative

    While man-in-the-middle SSL connections sound like something everyone should be against, those in the corporate environment rely on using an in-line scanner to check for malicious/virus files going in/out of the corporate environment. Those entities need to be able to block/report on where those files originated and their final destination. To do that, they rely on the scanning device being the SSL endpoint in order to decrypt and inspect the content. I would hope that this ability will be configurable via AD policy to allow the corporate MitM certificate to be considered trusted; however, there are an increasing number of sites that have javascript which verifies the SSL connection and checks that there is no MitM SSL occurring. While it sounds safe, it actually HELPS virus/malware authors if browsers block MitM connections to ssl sites.

    An SSL cert is like $5 from Comodo, so if all browsers checked for MitM connections and prevented access, then corporations can't protect their networks from content on an SSL connection and would have to trust all content from the interwebs.

    There are security ramifications to increased security.
