Tuesday, 17 February 2015

Microsoft Gives Details On HSTS Security In IE

Last month it was announced that Microsoft finally HTTP Strict Transport Security (HSTS) is added to Internet Explorer, which users must protect against man-in-the-middle attacks. Now the software giant has more details given about the security measure.

HSTS allows websites visited to visit over HTTPS only over HTTPS, even though HTTP is introduced into the address bar.The browser in this case captures the user's command and turns off automatically in HTTPS. Thus, no information is transmitted over unsecured HTTP there. HSTS websites offers two options to secure their connections with visitors.

The first option is to register the website on a table loaded by Internet Explorer and other browsers with HTTP traffic directly to HTTPS is put through. This makes IE using the Chromium HSTS list. Chromium is the open source browser on which Google Chrome is based. The second option is to offer a HSTS header. In this case, the browser after having visited the site for the first time over HTTPS, all future HTTP connections run over HTTPS.

Microsoft warns that HSTS can have two important effects on users. If there namely a certificate warning is displayed, the user can not ignore and must disconnect. Additionally supported by HSTS sites no mixed content. All content should be delivered over HTTPS. This can be a problem for websites where for example ads and images are loaded over HTTP. The HSTS-feature is already testing the Windows 10 Technical Preview and will later be added to the Project Spartan browser of the new OS.

No comments:

Post a Comment