Short for HTTP Strict Transport Security, HSTS is a policy a website sets through a response header. Once a browser has received the Strict-Transport-Security header from a site over HTTPS, it rewrites any plain HTTP request for that site (and, if the site asks, its subdomains) into an HTTPS request before the request leaves the machine, for as long as the header's max-age says. Because the very first visit would otherwise still go out over HTTP, browser makers also ship a preloaded list of sites whose HSTS policies are built in. HSTS itself encrypts nothing; by refusing to speak HTTP to those sites, it puts a dent in man-in-the-middle attacks that rely on stripping or downgrading the connection. According to OWASP, HSTS also stops attackers who use invalid digital certificates: on an HSTS site the browser treats a certificate error as fatal and denies users the ability to click through the warning. For the same reason it protects users of HTTPS websites that still include HTTP links or serve some content unencrypted, since those requests are upgraded as well.
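The behaviour described above, as an added example that is not Microsoft's or any browser's code: a small Node.js model of the HSTS store a browser keeps. It parses the Strict-Transport-Security header, only trusts it when it arrived over an error-free HTTPS connection, honours includeSubDomains and expiry, upgrades http:// URLs before they are sent, and makes certificate errors non-overridable for known hosts. The class and function names are this example's own, and the preload set is a constructed stand-in for the real list.

```javascript
// Added example (not Microsoft's or any browser's code): a minimal model of how a
// browser keeps and applies HSTS policies. Names are this example's own; the
// preload list below is a constructed stand-in for the real one.

// Parse a Strict-Transport-Security header value such as
// "max-age=31536000; includeSubDomains". Returns null when the header is invalid
// (no max-age, a non-numeric max-age, or a repeated directive); a browser then
// ignores it and keeps whatever policy it already had.
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const part of value.split(';')) {
    const directive = part.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"|"$/g, '');
    if (name === 'max-age') {
      if (maxAge !== null || val === null || !/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      if (includeSubDomains) return null;
      includeSubDomains = true;
    }
    // Unknown directives (e.g. "preload", read only by the list maintainers) are ignored.
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor(preload) {
    this.policies = new Map(); // host -> { expires (ms since epoch), includeSubDomains }
    this.preload = preload;    // built-in hosts; assumed here to cover their subdomains
  }

  // Record a policy carried by a response. The header is trusted only when it came
  // over HTTPS with a valid certificate; over plain HTTP an on-path attacker could set it.
  observe(host, headerValue, { secure, certValid, now = Date.now() }) {
    if (!secure || !certValid) return false;
    const policy = parseHsts(headerValue);
    if (!policy) return false;
    if (policy.maxAge === 0) {
      this.policies.delete(host); // max-age=0 tells the browser to forget the host
    } else {
      this.policies.set(host, {
        expires: now + policy.maxAge * 1000,
        includeSubDomains: policy.includeSubDomains,
      });
    }
    return true;
  }

  // Is this host covered, directly or through a superdomain with includeSubDomains?
  isKnown(host, now = Date.now()) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      if (this.preload.has(candidate)) return true;
      const policy = this.policies.get(candidate);
      if (!policy) continue;
      if (policy.expires <= now) { this.policies.delete(candidate); continue; }
      if (i === 0 || policy.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL to https:// before any request is sent. The default port
  // 80 implicitly becomes 443; an explicit non-default port is kept as-is.
  upgrade(urlString, now = Date.now()) {
    const url = new URL(urlString);
    if (url.protocol !== 'http:' || !this.isKnown(url.hostname, now)) return urlString;
    url.protocol = 'https:';
    return url.href;
  }

  // On a known HSTS host a certificate error is fatal: there is no "proceed anyway".
  certErrorPolicy(host, now = Date.now()) {
    return this.isKnown(host, now) ? 'fatal' : 'overridable';
  }
}

// Constructed stand-in for the preload list shipped with a browser.
const PRELOAD = new Set(['example.com']);
const store = new HstsStore(PRELOAD);
store.observe('bank.test', 'max-age=31536000; includeSubDomains', { secure: true, certValid: true, now: 0 });
console.log(store.upgrade('http://api.bank.test/login', 1000)); // https://api.bank.test/login
console.log(store.certErrorPolicy('bank.test', 1000));          // fatal
```

The two checks in `observe` are the ones that matter most in practice: a header seen over plain HTTP or behind a certificate error must never create or extend a policy, otherwise the attacker the mechanism is meant to stop could pin a victim to a host of their choosing.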
HSTS is already on by default in Internet Explorer 11 available in the Windows 10 Insider Preview and the new Microsoft Edge expected to be available when Windows 10 releases later this year.
“Site developers can use HSTS policies to secure connections by opting in to an HSTS preload list, which registers websites to be hardcoded by Microsoft Edge, Internet Explorer, and other browsers to redirect HTTP traffic to HTTPS,” said Kyle Pflug, program manager with the Microsoft Edge team. “Communications with these websites from the initial connection are automatically upgraded to be secure.”
Microsoft is the last of the major browser vendors to add HSTS support. Google Chrome has supported HSTS since 2010 and Mozilla Firefox since 2011, while Apple added it to Safari with the release of OS X 10.9 Mavericks.
The move comes on the heels of Microsoft bringing Perfect Forward Secrecy to Windows in May. Forward secrecy has of late been considered an essential security measure, especially for new applications. With it, every web session negotiates fresh, ephemeral keys (typically through Diffie-Hellman or its elliptic-curve variant) that are thrown away when the session ends, while the server's long-term private key is used only to authenticate the exchange, never to protect the session key itself. If that long-term key is compromised in the future, recorded past sessions remain unreadable; an attacker who wants them has to attack each session's key separately.
The addition of HSTS was included in a cumulative update for Internet Explorer released yesterday. The security bulletin included patches for two dozen vulnerabilities in the browser, most of which could let an attacker remotely execute code on a vulnerable computer.
HSTS also helps against mixed-content attacks, in which a page served over HTTPS loads a script over plain HTTP and hands an attacker on the network a way to inject code into the otherwise secure page. If the script's host is covered by HSTS, the browser upgrades that request to HTTPS as well.
“When we initially announced HSTS in Windows 10, we noted that mixed content is not supported on servers supporting HSTS. With today’s updates, this is still the case in Microsoft Edge on Windows 10 – mixed content is always blocked on these servers,” Pflug said. “For Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7, the Information bar will prompt the user to proceed in mixed content scenarios.”