Microsoft brings HSTS to Internet Explorer 11 in Windows 7 and 8.1

by Ashwin, June 10, 2015

HTTP Strict Transport Security comes to Internet Explorer 11 on Windows 8.1 and Windows 7.


Microsoft may be concentrating on Windows 10, but it isn’t forgetting its older operating systems just yet.

The Redmond company is rolling out a new security feature for Windows 7 and Windows 8.1 computers.

Microsoft has released a Windows update that brings support for a new protocol in Internet Explorer. The new feature is called HTTP Strict Transport Security, abbreviated HSTS.

If you have heard of the HTTPS protocol (HTTP Secure), you will be pleased to know that HSTS is a similar security feature. HSTS tells a browser to use only HTTPS instead of the insecure HTTP (Hypertext Transfer Protocol).

HSTS protects the browser from man-in-the-middle attackers (hackers) who could hijack the TLS (Transport Layer Security) communication from servers, which could leave the user vulnerable.

HSTS is available in Internet Explorer 11 on Windows 7, Windows 8.1 and Windows 10 Insider Preview. It is also available in the Redmond company’s new browser, Microsoft Edge. Support for HSTS is being added through Windows Update KB 3058518. (A Microsoft Knowledge Base article is currently unavailable, but you can read this announcement from Microsoft.)

Not all websites support HSTS. Microsoft will be using an HSTS preload list, based on Chromium’s HSTS preload list, to redirect HTTP traffic to a secure HTTPS connection. Websites not on the list can still send the HSTS header, which will be recognized by the browser.
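The two sources of HSTS policy described above (the preload list and the `Strict-Transport-Security` response header), sketched as an added example that is not Microsoft's code or part of the original article. `HstsStore`, `PRELOADED` and the `.example` hosts are hypothetical, and the header parsing follows RFC 6797.

```javascript
// Added example. PRELOADED is a constructed stand-in for the browser's built-in preload list.
const PRELOADED = new Map([["preloaded.example", { includeSubDomains: true }]]);

class HstsStore {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock in ms, so expiry is testable
    this.dynamic = new Map();  // host -> { expires, includeSubDomains }
  }

  // Process a Strict-Transport-Security response header received from `url`.
  noteHeader(url, headerValue) {
    const u = new URL(url);
    // Only trust the header over HTTPS: on plain HTTP anyone on the path could forge it.
    if (u.protocol !== "https:") return false;
    let maxAge = null, includeSubDomains = false;
    for (const part of headerValue.split(";")) {
      const [name, value = ""] = part.split("=").map((s) => s.trim());
      if (/^max-age$/i.test(name)) {
        const digits = value.replace(/^"(.*)"$/, "$1");
        if (!/^\d+$/.test(digits)) return false;   // malformed: ignore whole header
        maxAge = Number(digits);
      } else if (/^includeSubDomains$/i.test(name)) includeSubDomains = true;
    }
    if (maxAge === null) return false;             // max-age is mandatory
    if (maxAge === 0) this.dynamic.delete(u.hostname);  // site withdraws its policy
    else this.dynamic.set(u.hostname, { expires: this.now() + maxAge * 1000, includeSubDomains });
    return true;
  }

  // True if `host`, or a parent domain with includeSubDomains, has a live policy.
  covers(host) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const domain = labels.slice(i).join(".");
      const pre = PRELOADED.get(domain);
      const dyn = this.dynamic.get(domain);
      if (pre && (i === 0 || pre.includeSubDomains)) return true;
      if (dyn && dyn.expires > this.now() && (i === 0 || dyn.includeSubDomains)) return true;
    }
    return false;
  }

  // The URL the browser would actually request.
  upgrade(url) {
    const u = new URL(url);
    if (u.protocol === "http:" && this.covers(u.hostname)) u.protocol = "https:";
    return u.href;
  }
}
```

A site that is not preloaded is only upgraded after the browser has seen its header over HTTPS at least once, which is the first-visit gap the preload list closes.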

Mixed Content is not supported in HSTS:

HTTPS ensures that a webpage is fully encrypted, and this provides security for the user. But when a webpage displays cleartext content, it suffers from a serious issue: the cleartext content is delivered unencrypted, and as a result the security is broken.

Attackers can use this loophole to modify the script of the website, which could eventually put the user at risk.

However, this is not the case in Windows 10. Microsoft Edge will block mixed content.

Internet Explorer 11 and Microsoft Edge aren’t the first browsers to support HSTS. Google Chrome, Mozilla Firefox and Apple Safari also support HSTS. But it is still great to see Microsoft rolling out support for features present in modern browsers.

Project Spartan has been evolving into an incredible browser. For now I use it sparingly, mostly for testing purposes and reading PDFs, but I think it could well replace Firefox as my default browser of choice, but only when it graduates as Microsoft Edge, with full support for Extensions.