Microsoft has revealed today that as part of the company's ongoing mission to provide an interoperable and secure web that "just works," Internet Explorer on Windows 10 and Project Spartan will both support HTTP Strict Transport Security (HSTS). Here is what Microsoft had to say:
"As part of our ongoing commitment to help build an interoperable, secure web that “just works,” we're excited to announce support for HTTP Strict Transport Security (HSTS) in Internet Explorer. This change can be previewed using Internet Explorer in the Windows 10 Technical Preview, and will come to Project Spartan in a later update," Microsoft stated in an official blog post today.
So what is HSTS and what does it do? The HSTS policy protects users against variants of "man-in-the-middle" attacks that can strip TLS out of communications with a server, leaving the user vulnerable.
"For example, a user may initially connect to a non-encrypted version of a website before being redirected to a secure connection. An attacker exploiting the non-encrypted connection could redirect the user to a malicious site. HSTS mitigates this attack vector by allowing sites to specify that the browser should always use a secure connection to the server," Microsoft explains.
HSTS provides two methods for sites to secure their connections:
- Registering for a preload list: websites can register to be hardcoded by IE and other browsers to redirect HTTP traffic to HTTPS.
- Serving a HSTS header: Sites not on the preload list can enable HSTS via the Strict-Transport-Security HTTP header.
Now, when a certification error occurs with a HSTS server, the user will not be able to proceed -- rather they must abort the connection. All content must be secure and mixed content is not supported on servers supporting HSTS.
As of right now, these improvements are present in the January updates to the Windows 10 Technical Preview. Microsoft plans to make this security feature available to Project Spartan at a later date.