Internet Explorer 11 Gains HTTP Strict Transport Security In Windows 7 and 8.1

Mark Wilson writes: Anyone using the Windows 10 preview has had a chance to use the HTTP Strict Transport Security (HSTS) in Microsoft Edge, and today the security feature comes to Internet Explorer 11 in Windows 7 and Windows 8.1. This security protocol protects against man-in-the-middle attacks and is being delivered to users of older version of Windows through an update in the form of KB 3058515.

Security

[Dunbal]

You'll be safe. Trust Microsoft. They know about security. When they promise it, they promise it.

Re:

[Whiteox]

Phew! I was getting worried after reading their new EULAs. Thankfully you've assuaged my fears.

Re:

[Anonymous Coward]

Why does /. even bother posting Microsoft stories? It just brings out the cynical doomsayers who still live like it's 1995.

Funny how after all that fear-mongering it ended up being Apple who is dominating personal computing with drab gray/black/white computers, tablets and phones where everybody has the same in a 1984-style.

Re:

[__aaclcg7560]

Funny how after all that fear-mongering it ended up being Apple who is dominating personal computing with drab gray/black/white computers, tablets and phones where everybody has the same in a 1984-style.

The 1980's and 1990's were dominated by PCs that came in one color and one color only: beige. If you don't like the current monochromatic regime, visit an Apple Store to see the new color scheme [apple.com] of gold, silver and space gray.

Re:Security

[mitcheli]

Why does /. even bother posting Microsoft stories? It just brings out the cynical doomsayers who still live like it's 1995.

As a Microsoft Doomsayer, I'm not immune from jumping on this article to predict the future of how new zero day's will result in the mass pwning of Grandma's computers everywhere. That being said, I'm not blind to the fact that Apple is gaining an increased market share and that as time goes on, they will become an increasingly targeted platform as the profitability (be it in information or money) increases. Microsoft does have what appears to be a more responsive patch process than Apple. Apple is very slow at responding to reported exploits (albeit, Microsoft has been known to half-ass patch and to sit on patches as well). In any case, my biggest issue with this report is I'm curious how much community involvement Microsoft had with the development of this new protocol. In the past, they just create crap in-house without the involvement of industry partners (sometimes even closing them out of those conversations). The problem with this is there is less industry oversight on potential weaknesses and less input on modifications that can strengthen the underlying protocol. Protocols in particular are not something that needs to be developed by a small team of engineers without support of the industry as a whole, less you get protocols like SMTP (who's author is on record of apologizing profusely for not building in security). So, as a Microsoft doomsayer, I shall sit back and wait with my "I told you so" in my back pocket. In the meantime, IE/Edge/whatever the hell they want to call it can stay off my computer thank you very much.

Re:Security

[sasparillascott]

You're totally right AC. Microsoft is definitely someone consumers can trust with their security:

http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data [theguardian.com]

Re:Security

[Opportunist]

Oh for fuck's sake, at least read up on HSTS [wikipedia.org] before you reach for the knee-jerk reaction to karma whore.

Li'l hint: Karma whoring only works by saying what you think the groupthink will agree with if you manage to not look like a complete moron in the process. Like, say, by showing off that you know exactly zero about the topic at hand.

A more sensible Karma whoring on the topic would be "Oh great, MS finally woke up and implemented what everyone else already had at the very least a year ago. And that qualifies as news on Slashdot these days, when MS implements something everyone else already has?". There you have MS bashing and /. bashing rolled into a single posting. Guaranteed to give you more up-mods than you could ever need.

Re:

[CaptainDork]

Is up mods a goal?

Oh Great

[thegarbz]

Oh great, MS finally woke up and implemented what everyone else already had at the very least a year ago.
Also how low has Slashdot fallen that we now qualify MS getting something that everyone else already has as "news"?

Re:Oh Great

[Opportunist]

I couldn't have said it better. Oh if only I had modpoints...

Re:

[thegarbz]

Now if only +5 funny counted towards karam :-)

Re:

[Opportunist]

Oh c'mon, karma whoring on /. is easier than shooting fish in a barrel. All you have to do is twist any discussion towards something anti-MS or anti-government and you'll be modded up to cap.

You should be wary with postings about Apple or some political agenda. Then you should first check which fraction of the groupthink userbase currently has the modpoints. But reading a posting or two above the one you want to reply to should give you the necessary information.

Re:

[thegarbz]

It used to be even easier than that. For a while you could say what you wanted and as long as you signed it off with Fuck Beta you got modded up. Ahhh the bad old days :-)

I can hardly wait!

[Joe Gillian]

I, for one, welcome this change to Internet Explorer. Now, I can know I am truly safe from man-in-the-middle attacks the next time I load a fresh Windows install and open IE10 so I can download Firefox.

Re:

[Joe Gillian]

IE11. I was going to say IE11.

Re:

[TechyImmigrant]

What makes you think Firefox is safe from MITM attacks?

Re:I can hardly wait!

[Opportunist]

Possibly that they have had HSTS support for about 4 years now...

It ain't foolproof, though, and with MS not supporting it 'til now it wasn't really that widely used (the server has to support it to work).

Re:

[rtb61]

Perhaps M$ was hoping to be the MITM with it's OS and thus HSTS was not in it's interests but with Android and OS X making deep inroads into internet communications, being the MITM became unrealistic. So if M$ can't play no one else should be able to. Of course corrupt ISPs seem destined to seek MITM roles in order to inflate profits for as long as they can get away with it. ISPs can always try to force the installation of specific MITM software in order to use their network, this until such time as specif

Re:

[Opportunist]

It hurts the head to read such a load of baloney.

But let's imagine MS was out to MITM everyone. Just for kicks. How would HSTS affect that? They run the show on most desktop PCs. If they WANT to listen to communication it's trivial to them. When you essentially control the WHOLE FRIGGIN' SYSTEM why bother trying to bug the browser? Especially if it's trivial for the user to replace this part while it's near impossible for them to replace the whole underlying OS, let alone do a complete security audit of it.

Re:

[rtb61]

As the supplier, you can only ever do what your customers allow you to do. Deny history all you want, M$ has a terrible track record http://en.wikipedia.org/wiki/C... [wikipedia.org].

Re:

[Opportunist]

MS doesn't give half a shit about its customers. Twice so for consumer customers. No question about that.

But seriously, if they WANT to spy on you, they CAN. No need to fuck around on the network traffic when you control EVERYTHING on the machine.

Re:I can hardly wait!

[pushing-robot]

To be fair, a web browser download would be a great opportunity for a MITM attack.

Re:I can hardly wait!

[Opportunist]

Funny enough, due to how HSTS works, exactly the security of this connect will NOT be improved.

For HSTS to work, you need to have visited a page before. Because the server sets a token that tells your browser that in the next X days/months/years, it should connect to this server using https, and https only. This means if you type in http://whateverpage.com/ [whateverpage.com] it will automatically turn it into a https connection and the browser will not allow a connection if something is fishy, e.g. when the certificate is bogus.

For this to work, though, your browser must already know that the server supports this. So you must have had visited that page at least once.

For the single time you use IE to download anothther browser, HSTS won't do you any good. But maybe you find comfort in the fact that your browser already has supported HSTS for quite a while now (IIRC about 4 years or so...).

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[thegarbz]

Browsers (at least Chrome and FireFox) also have a handful of sites "whitelisted" by HSTS so that they will only connect EVER with SSL; facebook, google, etc...

I'm sure that courtesy does not extend to https://www.getfirefox.com/ [getfirefox.com]

Re:I can hardly wait!

[cbhacking]

On the one hand, you're kind of wrong; any site that wants to can opt into the HSTS preload list, and IE uses the same preload list that both Chrome, Safari, and Firefox use. The preload list, by the way, is not a "whitelist" in the usual sense; it simply has the effect of there having been a "zeroth visit" before the first visit, so the first visit is safe. After that, the site behaves as normal.

On the other hand, it is true that getfirefox.com doesn't support HSTS at all (much less appear in the preload list, which would reject it anyhow for failing to have the response header present). Worse, though, mozilla.org doesn't seem to support it! At least, the Chrome dev tools don't list the Strict-Transport-Security header in responses from the site. That is a bizarre (and, frankly, unwise) omission.

Re:

[thegarbz]

I'm actually not that surprised. Supporting HSTS is a pre-requisite for getting and A+ rating on things like SSLLabs, and when we look at the kind of results that have come through that site and how well SSL in general has been managed then everyone should be shedding tears.

Your first reaction may be "no excuse" but there is a gotchya here, if sites that provide downloads to browsers need to support SSL then they also need to cater for the lowest common denominator, so IE6 based on the list of Windows XP ma

Re:

[Opportunist]

Hen and egg.

At one hand of course getting a browser should be done on a secure connection considering the amount of personal data entrusted to this program (and the program by design having to be able to access that data). On the other hand, getting it with an outdated browser might not allow for tight security. The bare minimum today is pretty much TLS 1.1, which is by some years younger than XP and was released after IE 6 met its EOL. RC4 is "outlawed" as a cipher in TLS now, which makes it kinda difficul

Re:

[Opportunist]

That's pretty odd considering Firefox was one of the first browsers to support HSTS.

Re:

[Opportunist]

I'm halfway certain that MS won't whitelist the servers of its competitors. Then again, considering that whitelisting doesn't accomplish anything but forcing the browser to use HTTPS and the distinct possibility that some ancient and not updated boxes running Windows might not be able to handle the encryption provided (with RC4 pretty much being the black sheep now and anything before TLS being insecure by design), MS just might whitelist them knowing that an outdated version of Windows is maybe not capable

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Antique Geekmeister]

Install CygWin and use wget, instead. The CygWin installer fits easily on a USB stick.

Re:

[Bacon Bits]

Cygwin is the worst answer to pretty much any issue on Windows ever. Forcing a POSIX environment onto the Windows environment to do basic tasks is why Linux admins are so shit at administering Windows. Just learn the damn system you're using.

If you need to have a script saved, just use PowerShell:

Invoke-WebRequest -Uri 'ftp://ftp.mozilla.org/pub/firefox/releases/38.0.5/win32/en-US/Firefox Setup 38.0.5.exe' -OutFile 'C:\Firefox Setup 38.0.5.exe'

If you really want you can parse the output from http://downlo [mozilla.net]

Re:

[blavallee]

You forgot a step. ..load a fresh Windows install, open IE, deal with the security settings for your profile, then download Firefox.

That's why I load a fresh Windows install, open the command prompt, FTP to ftp.mozilla.org, and download Firefox.

Re:

[mellon]

Yes, they really think they can protect against an MiTM attack. Of course it's possible that the NSA in cahoots with the aliens has a quantum computer that can MiTM any SSL connection, but even if they do, it's probably sufficiently expensive that they won't do it for every connection, but just for high-value connections. And if not, we're pretty fucked, because a big chunk of the world economy at this point depends on the notion that it is not trivially easy to MiTM SSL connections.

other options

[Anonymous Coward]

looks like internet explorer is behind

From wikipedia:
Browser support[edit]
Chromium and Google Chrome since version 4.0.211.0[28][29]
Firefox since version 4;[30] with Firefox 17, Mozilla integrates a list of websites supporting HSTS.[20]
Opera since version 12[31]
Safari as of OS X Mavericks[32]
Internet Explorer 11 on Windows 8.1 and Windows 7 since June 2015[33]
Microsoft Edge and Internet Explorer 11 on Windows 10 Technical Preview support HSTS.[34][35]

Re:

[mellon]

Yup. I installed HSTS on my web site last week, and it worked a treat with both Chrome and Safari. I have to admit that I didn't test MSIE, due to a fundamental lack of Windows on my home network.

Re:

[ron_ivi]

I have to admit that I didn't test MSIE, due to a fundamental lack of Windows on my home network.

SSL Labs has a website will test HSTS on various IE versions for you: https://www.ssllabs.com/ssltes... [ssllabs.com]

trollin', trollin', trollin'

[turkeydance]

keep them doggies Edgin', IE!

Please support TLS-SRP in IE11 as well

[WaffleMonster]

Dear Microsoft,

Please let us establish secure connections using TLS-SRP in IE11. This would be most helpful. Imagine a world where even people with weak passwords (most everyone) fooled into supplying credentials to a phisher or MITM attacker face no risk for being suckers.

Apache and some of our Intranet applications support TLS-SRP already yet unfortunately usage is currently limited to machine to machine as none of our users have a browser that can negotiate it. This would be a perfect opportunity to

Re:

[cbhacking]

SRP has a number of problems, the most notable being that there's no way to securely *distribute* (or create) the password without falling back to some other TLS suite, or doing it out of band. This really limits the usefulness of SRP in a browser.

Additionally, I'm not sure how browser support for SRP is supposed to make phishing stop working. If the user still needs to enter their password somewhere, then the phishing attack just has to look like wherever they usually enter their password. Yes, an attacker

Re:

[WaffleMonster]

SRP has a number of problems, the most

The biggest issues I am aware of is the mostly worthless notion of protecting stored passwords by irreversibly hashing passwords changes.

While stolen SRP verifiers (equivalent of a password hash) can't be used to login to a legitimate system they can like password hashes be used to conduct brute force attacks and they can also be used to trick individuals into thinking they are connecting to a legitimate service. This is equivalent to theft of private key or subversion of CA infrastructure.

The other proble

Update for IE6

[ArhcAngel]

Did Microsoft happen to mention when the KB would be rolled out for IE6?

Re:

[cbhacking]

Well, MS isn't always the fastest on rolling out security features. Somebody else may need to lead the way. If the Mozilla foundation releases HSTS for Firefox 1.0, it might be possible to persuade MS to do the same for their similarly-aged browser...

Scan for malicious files without MitM?

[hipsterdufus]

While man-in-the-middle SSL connections sound like something everyone should be against, those in the corporate environment rely on using an in-line scanner to check for malicious/virus files going in/out the corporate environment. Those entities need to be able to block/report on where those file originated and their final destination. To do that, they rely on the scanning device being the SSL endpoint in order to decrypt and inspect the content. I would hope that this ability will be configurable via AD policy to allow the corporate MitM certificate to be considered trusted; however, there are an increasing number of sites that have javascript which verifies the SSL connection and checks that there is no MitM SSL occuring. While it sounds safe, it actually HELPS virus/malware authors if browsers block MitM connections to ssl sites.

An SSL cert is like $5 from Comodo, so if all browsers checked for MitM connections and prevented access, then corporations can't protect their networks from content on an SSL connection and would have to trust all content from the interwebs.

There are security ramifications to increased security.