Microsoft: FINE, we'll help your web sessions be secure, SHEESH

Patch Tuesday adds support for HTTPS Strict Transport Security (like everyone else)

Microsoft has updated both Internet Explorer and its new Edge web browser to make it easier for sites to encourage visitors to use secure HTTPS encryption.

As part of this month's Patch Tuesday batch of security updates, the software giant has added support for HTTP Strict Transport Security (HSTS) to its browsers. Sites can use HSTS to intercept visitors who access their pages via HTTP and nudge them over to HTTPS.

HSTS policies can also help to prevent some forms of man-in-the-middle attacks that bump browsers out of secure communications mode without the user noticing.

Chrome, Firefox, Opera, and Safari all already support HSTS, but Redmond is only now getting around to implementing it. It offered its first trial support for the tech in the version of Internet Explorer 11 that shipped with the Windows 10 Technical Preview in February.

With Tuesday's updates, HSTS support is now available in Internet Explorer 11 running on Windows 7, Windows 8.1, and Windows 10, in addition to the preview of Edge that ships with current Windows 10 builds.

Site admins can tell HSTS-enabled browsers to redirect site visitors to HTTPS in two ways. The first is to have their sites explicitly send the Strict-Transport-Security header to trigger HSTS. The second is to opt in to an HSTS preload list. According to a blog post by Microsoft Edge program manager Kyle Pflug, Microsoft bases its preload list on the list compiled by Google's Chromium Project.
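As an added illustration (not code from Microsoft or from the original article), here is a small Python model of how a browser handles the Strict-Transport-Security header under RFC 6797. The names `parse_sts` and `HstsStore` and the host `example.test` are made up for the example, and IP-address hosts and the preload list are left out.

```python
import re

def parse_sts(value):
    """Return (max_age, include_subdomains), or None if the header must be ignored."""
    seen = {}
    for part in value.split(";"):        # simplification: no ';' inside quoted values
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()   # names are case-insensitive
        if name in seen:                 # each directive may appear only once
            return None
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]              # values may be quoted-strings
        seen[name] = val
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None                      # max-age is required and must be digits
    return int(seen["max-age"]), "includesubdomains" in seen


class HstsStore:
    """Toy model of a browser's dynamic list of known HSTS hosts."""

    def __init__(self):
        self.hosts = {}                  # host -> (expiry_time, include_subdomains)

    def note_response(self, scheme, host, sts_value, now):
        if scheme != "https":            # header over plain HTTP is ignored: a
            return                       # network attacker could forge or strip it
        policy = parse_sts(sts_value)
        if policy is None:
            return
        max_age, subdomains = policy
        if max_age == 0:                 # max-age=0 tells the browser to forget the host
            self.hosts.pop(host.lower(), None)
        else:
            self.hosts[host.lower()] = (now + max_age, subdomains)

    def scheme_for(self, scheme, host, now):
        """Scheme the browser actually uses for a request to host."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            # exact match always applies; a parent applies only with includeSubDomains
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return "https"
        return scheme
```

In this model a host becomes known only after one successful HTTPS response, so the very first plain-HTTP visit is not upgraded; that gap is what a preload list shipped with the browser closes.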

There are some differences in how Redmond's browsers behave, however, particularly with regard to pages that contain a mix of secure and insecure content. While Edge will always block such mixed content, IE11 will prompt the user to proceed.

Microsoft's move is only the latest in an industry-wide push to make secure browsing the default. In May, Mozilla said that it will block sites from accessing certain new features of its Firefox browser if they don't connect via HTTPS.

IE11 will likely be the last Microsoft browser produced for Windows 8.1 or earlier. Beginning on January 12, 2016, only the most current version of IE that's available for a given version of Windows will be supported. And while Microsoft is running full steam ahead to develop Edge as the preferred browser for Windows 10, it has given no signs that it plans to backport it to older versions of the OS. ®
