Microsoft adds HTTP Strict Transport Security support to Internet Explorer

17.02.2015
Starting with Windows 10, Internet Explorer will allow users to access some websites only over SSL-encrypted connections, if those websites have opted into a new security mechanism.

Users can test the new feature, known as HTTP Strict Transport Security (HSTS) in Internet Explorer on Windows 10 Technical Preview. In the future, it will also be added to the Project Spartan browser, said Microsoft program managers Mike Bell and David Walp in a blog post.

HSTS is a standard defined by the Internet Engineering Task Force in RFC6797. It was designed to prevent SSL stripping attacks, where hackers in a position to intercept a user's traffic can downgrade connections from HTTPS (HTTP and SSL encryption) to plain HTTP.

Such attacks are simple to pull off: A man-in-the-middle attacker intercepts a victim's request to an HTTPS-enabled site and blocks it. He then goes ahead and establishes an HTTPS connection with the site himself, on the victim's behalf, and then serves the response back to the user over HTTP.

At this point the site has no idea that something is amiss because on its side it sees an encrypted connection from a user, who is actually the hacker acting as a proxy. The victim will no longer see the HTTPS indicators in his browser's address bar, like the lock icon, but since most users never look for them a second time, an attacker can let one request go through and then downgrade the connection.

HSTS addresses SSL stripping attacks by allowing websites to instruct browsers that they should always connect to them over HTTPS. Websites can express this policy through a Strict-Transport-Security HTTP header sent in a response. Once a browser sees such a header for a website, it will remember the preference and only accept HTTPS connections for that site in the future.

Internet Explorer is actually the last major browser to get support for HSTS and even now it's not for all versions. Google Chrome has had HSTS support since 2009, Firefox since 2010, Opera since 2012 and Safari since 2013.

Like Chrome and most other browsers, IE will come preloaded with a list of popular websites for which the HSTS policy will be enforced by default. Such lists are necessary, because even with HSTS there's still a small window for SSL stripping attacks: the first ever request from the browser to a new website. In order to learn about a site's HSTS policy through a response header, a browser needs to first connect to that site. However, if an attacker is already in a position to intercept traffic he can strip the Strict-Transport-Security header from the site's response and the browser will never know.

Internet Explorer will use the same HSTS preload list used by the Chromium open source browser, Bell and Walp said, adding that websites can register to be included on this list.

The new security mechanism might impact the user experience on sites that opt into it. In certain situations, IE allows users to click through some certificate errors and continue to open a website. If such errors happen for an HSTS website, users will no longer be able to dismiss them and the connection will be refused.

Also, some sites that use HTTPS might load content from third-party servers over plain HTTP. This is known as mixed content and while it's a discouraged practice from a security standpoint, it's accepted by browsers. With HSTS enabled, mixed content will no longer be allowed.

Lucian Constantin

Zur Startseite