Slashdot Mirror


Internet Explorer 11 Gains HTTP Strict Transport Security In Windows 7 and 8.1

Mark Wilson writes: Anyone using the Windows 10 preview has had a chance to use the HTTP Strict Transport Security (HSTS) in Microsoft Edge, and today the security feature comes to Internet Explorer 11 in Windows 7 and Windows 8.1. This security protocol protects against man-in-the-middle attacks and is being delivered to users of older versions of Windows through an update in the form of KB 3058515.

5 of 56 comments

  1. Re:I can hardly wait! by TechyImmigrant · · Score: 1, Informative

    What makes you think Firefox is safe from MITM attacks?

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  2. other options by Anonymous Coward · · Score: 4, Informative

    Looks like Internet Explorer is behind.

    From Wikipedia:
    Browser support
    Chromium and Google Chrome since version 4.0.211.0[28][29]
    Firefox since version 4;[30] with Firefox 17, Mozilla integrates a list of websites supporting HSTS.[20]
    Opera since version 12[31]
    Safari as of OS X Mavericks[32]
    Internet Explorer 11 on Windows 8.1 and Windows 7 since June 2015[33]
    Microsoft Edge and Internet Explorer 11 on Windows 10 Technical Preview support HSTS.[34][35]

  3. Re:I can hardly wait! by Opportunist · · Score: 4, Informative

    Funny enough, due to how HSTS works, exactly the security of this connection will NOT be improved.

    For HSTS to work, you need to have visited a page before. Because the server sets a token that tells your browser that in the next X days/months/years, it should connect to this server using https, and https only. This means if you type in http://whateverpage.com/ it will automatically turn it into a https connection and the browser will not allow a connection if something is fishy, e.g. when the certificate is bogus.

    For this to work, though, your browser must already know that the server supports this. So you must have visited that page at least once.

    For the single time you use IE to download another browser, HSTS won't do you any good. But maybe you find comfort in the fact that your browser already has supported HSTS for quite a while now (IIRC about 4 years or so...).

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  5. Scan for malicious files without MitM? by hipsterdufus · · Score: 3, Informative

    While man-in-the-middle SSL connections sound like something everyone should be against, those in the corporate environment rely on using an in-line scanner to check for malicious/virus files going in/out the corporate environment. Those entities need to be able to block/report on where those files originated and their final destination. To do that, they rely on the scanning device being the SSL endpoint in order to decrypt and inspect the content. I would hope that this ability will be configurable via AD policy to allow the corporate MitM certificate to be considered trusted; however, there are an increasing number of sites that have JavaScript which verifies the SSL connection and checks that there is no MitM SSL occurring. While it sounds safe, it actually HELPS virus/malware authors if browsers block MitM connections to SSL sites.

    An SSL cert is like $5 from Comodo, so if all browsers checked for MitM connections and prevented access, then corporations can't protect their networks from content on an SSL connection and would have to trust all content from the interwebs.

    There are security ramifications to increased security.