
HTTP Strict Transport Security Comes to Internet Explorer - cleverjake
http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx
======
konklone
This is fantastic news! And they decided to include the Chromium HSTS Preload
list too. I've submitted something like ~30 domains to the list, and having
them covered in newer versions of IE automatically is a very nice thing.

~~~
mikecb
How long until that list of yours is just *.gov?

~~~
toomuchtodo
A while. It takes a significant amount of effort to effect change in the IT
infrastructure of every organization within the US government. (konklone does
mention this in their Reddit post in /r/netsec)

Progress is progress.

~~~
mikecb
Indeed. I was eager to learn more about their specific strategy to achieve it.

~~~
konklone
There's not a master plan, but there are several promising lines of work
happening. Hopefully 2015 will be a fun year. Tomorrow, I'll be on Federal
News Radio in the morning, preaching the gospel to DC commuters.

~~~
mikecb
Link for those interested:
http://www.federalnewsradio.com/?nid=1269&sid=3801434

------
mrbig4545
Until it's no longer tied to Windows versions, IE will always be a problem.

~~~
higherpurpose
Don't know why you are downvoted but that's true. Windows versions tend to be
long-lasting. If Microsoft keeps tying browsers to them, then they will always
have browsers that remain behind for 5+ years.

And of course the next IE12/"Spartan" will be tied to Windows 10...so this
won't change anytime soon apparently.

~~~
mrbig4545
I don't know either, but that's HN for you. meh

It's a shame though, because the new IE isn't so bad, but while I have to
develop for IE8 it's as good as useless :(

~~~
eli
Though the only people "stuck" on IE8 are XP users, which is indeed in rapid
decline.

~~~
mrbig4545
True, but after that I'll still be stuck on IE9, and the trend will continue.

~~~
eli
I think that's called progress :)

~~~
mrbig4545
It would be much better progress if they could use the latest IE on whatever
version of Windows, rather than being forced to develop for the lowest common
denominator.

Chrome has it right, it's always the latest version, and Firefox is better
than it used to be, but even then they didn't say "sorry, you need the latest
Windows to use this version, here, have this 4 year old version instead".

It's ridiculous, and I can't think of one valid technical reason for it.

~~~
Klathmon
You really can't think of a technical reason?

Now I am not involved with IE at all, but I think it's safe to assume that
they are most likely using new APIs which are specific to that platform.

Now that's not an excuse, as they could write in fallbacks for platforms that
don't have this, but it's definitely a valid reason.

------
realityking
Does that make Safari the last browser without a preload list for HSTS?

~~~
netheril96
Have you looked at ~/Library/Cookies/HSTS.plist?

~~~
cpach
That list doesn’t seem to be preloaded. I checked mine and it only has 187
items in it. So I guess they store the preloaded list somewhere else.

~~~
netheril96
Probably they have a different organization than the preloaded list you
find elsewhere.

When you delete that HSTS.plist and restart your Safari, the same file will
pop up again, containing the same entries (if you haven't modified it before).
So it is reasonable to assume that the list is preloaded rather than gradually
built up.

------
notexcited
Are they really sure this feature is "exciting"? It's a welcome change for
sure, but I can't quite see them beaming with joy or writhing orgasmically,
simply due to an implementation of HSTS. An odd fetish, indeed.

~~~
higherpurpose
Apparently it's becoming a thing to cheer for Microsoft when it implements a
feature in its browser that others have had for years. It's like cheering for
the 10th guy who crossed the finishing line instead of the first.

~~~
SEJeff
Firefox has had HSTS support since version 4 and Chrome has had it since
4.0.211.0. Indeed, it is great to see Microsoft do this, but too little too
late?

