February 16th, 2015
As part of our ongoing commitment to help build an interoperable, secure web that “just works,” we’re excited to announce support for HTTP Strict Transport Security (HSTS) in Internet Explorer. This change can be previewed using Internet Explorer in the Windows 10 Technical Preview, and will come to Project Spartan in a later update.
The HSTS policy protects against variants of man-in-the-middle attacks that can strip TLS out of communications with a server, leaving the user vulnerable. For example, a user may initially connect to a non-encrypted version of a website before being redirected to a secure connection. An attacker exploiting the non-encrypted connection could redirect the user to a malicious site. HSTS mitigates this attack vector by allowing sites to specify that the browser should always use a secure connection to the server. HSTS provides two methods for sites to secure their connections:
- Registering for a preload list: websites can register to be hardcoded by IE and other browsers to redirect HTTP traffic to HTTPS. Communications with these websites from the initial connection are automatically upgraded to be secure. Like other browsers which have implemented this feature, Internet Explorer’s preload list is based on the Chromium HSTS preload list.
- Serving a HSTS header: Sites not on the preload list can enable HSTS via the Strict-Transport-Security HTTP header. After an initial HTTPS connection from the client containing the HSTS header, any subsequent HTTP connections are redirected by the browser to be secured via HTTPS.
There are two important changes that impact users on sites using HSTS. First, when there is a certification error with a HSTS server, the user will not be able to click through and ignore the certificate error; they must abort their connection. Second, mixed content is not supported on servers supporting HSTS; all the content must be secure.
These changes are available for preview in the January updates to the Windows 10 Technical Preview. Join the Windows Insider Program to see HSTS in action in IE and let us know if you have feedback @IEDevChat or on Connect.
— Mike Bell, Program Manager, Storage, Network, and Print
— David Walp, Program Manager, Internet Explorer