doggy-blindsIt was revealed in 2009 that with just five requirements, one of which is a cold beer, another being a freely-available piece of code called SSLstrip, you (or the Iranians) may execute a man-in-the-middle attack on your victim’s network by listening for, intercepting and siphoning information from HTTPS/SSL requests, the sort your victim’s browser may make when logging into his bank, putting in his bank account, social security number, passwords – you get the idea.

Various things were developed to mitigate this vulnerability, including, most notably, a specification for the HTTP Strict Transport Security (known as HSTS) response header in 2009 that websites could issue to instruct visiting browsers to jump to SSL the site they’re visiting and always, and only, to use SSL, both during that session and sessions thereafter, between which time those browsers would not be susceptible to this attack. This proposal, already implemented in progressive browsers like Chrome, Opera and Firefox, was rubberstamped by the IETF as an official Internet standard (RFC 6797) last year.

Yet Microsoft has not implemented support for HSTS in Internet Explorer!

Normally I can understand that Microsoft just prefers to wait a few years before making progress, but in this case it’s about a glaring commonly-exploited security vulnerability from a previous decade that they could easily mitigate for millions of people, and it’s been around long enough to become an official Internet standard. I suppose the question is, does the problem lie with Microsoft, or with you proud IE and Bing users who just don’t care about this sort of poppycock?

Doug Simmons