Slashdot Mirror


Internet Explorer 11 Gains HTTP Strict Transport Security In Windows 7 and 8.1

Mark Wilson writes: Anyone using the Windows 10 preview has had a chance to use the HTTP Strict Transport Security (HSTS) in Microsoft Edge, and today the security feature comes to Internet Explorer 11 in Windows 7 and Windows 8.1. This security protocol protects against man-in-the-middle attacks and is being delivered to users of older versions of Windows through an update in the form of KB 3058515.

4 of 56 comments

  1. Re:I can hardly wait! by pushing-robot · Score: 4, Interesting

    To be fair, a web browser download would be a great opportunity for a MITM attack.

    --
    How can I believe you when you tell me what I don't want to hear?
  2. Re:I can hardly wait! by Opportunist · Score: 4, Interesting

    Possibly that they have had HSTS support for about 4 years now...

    It ain't foolproof, though, and with MS not supporting it 'til now it wasn't really that widely used (the server has to support it to work).

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Re:I can hardly wait! by cbhacking · Score: 3, Interesting

    On the one hand, you're kind of wrong; any site that wants to can opt into the HSTS preload list, and IE uses the same preload list that Chrome, Safari, and Firefox use. The preload list, by the way, is not a "whitelist" in the usual sense; it simply has the effect of there having been a "zeroth visit" before the first visit, so the first visit is safe. After that, the site behaves as normal.

    On the other hand, it is true that getfirefox.com doesn't support HSTS at all (much less appear in the preload list, which would reject it anyhow for failing to have the response header present). Worse, though, mozilla.org doesn't seem to support it! At least, the Chrome dev tools don't list the Strict-Transport-Security header in responses from the site. That is a bizarre (and, frankly, unwise) omission.

    --
    There's no place I could be, since I've found Serenity...
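
Added example, not part of the thread: a small Python model of the browser-side HSTS state that comment 3 describes, showing why a first visit is unprotected until the header has been seen over HTTPS and how a preload entry acts as the "zeroth visit". The class and function names, the hostnames and the clock value are constructed for illustration, and preloaded entries are assumed to cover subdomains.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    seen = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None  # a repeated directive makes the whole header invalid
        seen[name] = arg.strip().strip('"')
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None  # max-age is the one required directive
    return int(seen["max-age"]), "includesubdomains" in seen

class HstsStore:
    def __init__(self, preloaded=()):
        self.preloaded = set(preloaded)  # shipped with the browser: the "zeroth visit"
        self.dynamic = {}                # host -> (expiry, include_subdomains)

    def note_response(self, host, scheme, header, now):
        # The header only counts when it arrives over HTTPS; over plain HTTP
        # a man in the middle could have added or stripped it.
        policy = parse_hsts(header) if scheme == "https" and header else None
        if policy is None:
            return
        max_age, subs = policy
        if max_age == 0:
            self.dynamic.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.dynamic[host] = (now + max_age, subs)

    def must_upgrade(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            if name in self.preloaded:   # assumption: preloaded entries cover subdomains
                return True
            expiry, subs = self.dynamic.get(name, (0, False))
            if expiry > now and (i == 0 or subs):
                return True
        return False

def demo(now=1_000_000):  # constructed clock value and hostnames
    plain, seeded = HstsStore(), HstsStore(preloaded={"preloaded.example"})
    first = plain.must_upgrade("site.example", now)
    plain.note_response("site.example", "http", "max-age=31536000", now)
    after_http = plain.must_upgrade("site.example", now)
    plain.note_response("site.example", "https", "max-age=31536000; includeSubDomains", now)
    return first, after_http, plain.must_upgrade("www.site.example", now), seeded.must_upgrade("preloaded.example", now)
```

`demo()` returns, in order: the first visit with no stored state, the state after a header seen over plain HTTP, a subdomain after the header was seen over HTTPS, and a preloaded host that was never visited.
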
  4. Re:Security by mitcheli · Score: 3, Interesting

    Why does /. even bother posting Microsoft stories? It just brings out the cynical doomsayers who still live like it's 1995.

    As a Microsoft Doomsayer, I'm not immune from jumping on this article to predict the future of how new zero days will result in the mass pwning of Grandma's computers everywhere. That being said, I'm not blind to the fact that Apple is gaining an increased market share and that as time goes on, they will become an increasingly targeted platform as the profitability (be it in information or money) increases. Microsoft does have what appears to be a more responsive patch process than Apple. Apple is very slow at responding to reported exploits (albeit, Microsoft has been known to half-ass patch and to sit on patches as well). In any case, my biggest issue with this report is I'm curious how much community involvement Microsoft had with the development of this new protocol. In the past, they just create crap in-house without the involvement of industry partners (sometimes even closing them out of those conversations). The problem with this is there is less industry oversight on potential weaknesses and less input on modifications that can strengthen the underlying protocol. Protocols in particular are not something that needs to be developed by a small team of engineers without support of the industry as a whole, lest you get protocols like SMTP (whose author is on record as apologizing profusely for not building in security). So, as a Microsoft doomsayer, I shall sit back and wait with my "I told you so" in my back pocket. In the meantime, IE/Edge/whatever the hell they want to call it can stay off my computer, thank you very much.

    --
    Select from tblFriends where interesting >= 4;