Windows 10: HTTP Strict Transport Security comes to Internet Explorer

  1. Brink
    Posts : 33,163
    64-bit Windows 10 Pro build 18262
       16 Feb 2015 #1

    HTTP Strict Transport Security comes to Internet Explorer

    As part of our ongoing commitment to help build an interoperable, secure web that “just works,” we're excited to announce support for HTTP Strict Transport Security (HSTS) in Internet Explorer. This change can be previewed using Internet Explorer in the Windows 10 Technical Preview, and will come to Project Spartan in a later update.

    The HSTS policy protects against variants of man-in-the-middle attacks that can strip TLS out of communications with a server, leaving the user vulnerable. For example, a user may initially connect to a non-encrypted version of a website before being redirected to a secure connection. An attacker exploiting the non-encrypted connection could redirect the user to a malicious site. HSTS mitigates this attack vector by allowing sites to specify that the browser should always use a secure connection to the server. HSTS provides two methods for sites to secure their connections:

    • Registering for a preload list: websites can register to be hardcoded by IE and other browsers to redirect HTTP traffic to HTTPS. Communications with these websites from the initial connection are automatically upgraded to be secure. Like other browsers which have implemented this feature, Internet Explorer's preload list is based on the Chromium HSTS preload list.
    • Serving an HSTS header: Sites not on the preload list can enable HSTS via the Strict-Transport-Security HTTP header. After an initial HTTPS connection from the client containing the HSTS header, any subsequent HTTP connections are redirected by the browser to be secured via HTTPS.

    There are two important changes that impact users on sites using HSTS. First, when there is a certification error with an HSTS server, the user will not be able to click through and ignore the certificate error; they must abort their connection. Second, mixed content is not supported on servers supporting HSTS; all the content must be secure.

    These changes are available for preview in the January updates to the Windows 10 Technical Preview. Join the Windows Insider Program to see HSTS in action in IE and let us know if you have feedback @IEDevChat or on Connect.

    — Mike Bell, Program Manager, Storage, Network, and Print
    — David Walp, Program Manager, Internet Explorer
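The two mechanisms described in the announcement above (preload list and Strict-Transport-Security header), modelled as an added example that is not part of the original post or of any browser's code. The `HstsStore` class, its method names and the host names are hypothetical; the `max-age` and `includeSubDomains` directives are the ones defined in RFC 6797.

```javascript
// Added example: a minimal model of a browser's HSTS store (RFC 6797 behaviour).
// Host names are constructed; treating preloaded hosts as covering subdomains is an assumption.
class HstsStore {
  constructor(preload = []) {
    // Preloaded hosts are known before any connection is made and never expire here.
    this.hosts = new Map(preload.map(h => [h, { expires: Infinity, subdomains: true }]));
  }

  // Parse a Strict-Transport-Security value; returns null when max-age is missing or invalid.
  static parse(header) {
    const policy = { maxAge: null, subdomains: false };
    for (const part of header.split(';')) {
      const [name, value = ''] = part.trim().split('=');
      const key = name.trim().toLowerCase();
      if (key === 'max-age' && /^"?\d+"?$/.test(value.trim())) {
        policy.maxAge = Number(value.replace(/"/g, ''));
      } else if (key === 'includesubdomains') {
        policy.subdomains = true;
      }
    }
    return policy.maxAge === null ? null : policy;
  }

  // Record a response header. A header received over plain HTTP is ignored,
  // because an on-path attacker could have injected or removed it.
  note(url, header, now = Date.now()) {
    const { protocol, hostname } = new URL(url);
    const policy = HstsStore.parse(header);
    if (protocol !== 'https:' || !policy) return false;
    if (policy.maxAge === 0) { this.hosts.delete(hostname); return true; } // site opts out
    this.hosts.set(hostname, { expires: now + policy.maxAge * 1000, subdomains: policy.subdomains });
    return true;
  }

  // Return the URL the browser would actually request for a navigation to `url`.
  resolve(url, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== 'http:') return u.href;
    const labels = u.hostname.split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.hosts.get(labels.slice(i).join('.'));
      // Exact host match, or a parent domain whose policy includes subdomains.
      if (entry && entry.expires > now && (i === 0 || entry.subdomains)) {
        u.protocol = 'https:'; // upgrade happens inside the browser, before any request
        return u.href;
      }
    }
    return u.href; // unknown host: the first request still goes out in clear text
  }
}
```

The last `return` is the gap the preload list closes: a host that is neither preloaded nor previously visited over HTTPS gets no upgrade on its first request.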

  2. ThrashZone
    Posts : 3,866
    3-Win-7Prox64 2-Win10Prox64
       17 Feb 2015 #1

    That sounds like a mess,
    Most certificate errors are caused by the user's clock being off, not because of some server hack.
    It would be time for IE11 to realize checking the clock is the first message to produce, not the famous security error page.

