HSTS is currently available only on Edge and IE11. What will be its implication on lower browser versions (IE9 & IE10)? How will HSTS behave? Will there be any impact on the site?
1 Answers
A website implements HSTS by sending a Strict-Transport-Security
header. A browser that doesn't understand the header will simply ignore it, just like any other custom or malformed header.
Will there be any impact on the site?
The impact will be that the user becomes vulnerable to attacks that HSTS is supposed to protect against (i.e. HTTPS downgrade attacks). That is, if the user visits the site, their browser won't notice that the sites instructs them to remember to only connect to the host via HTTPS for a specified amount of time. So, if the user types in mybank.com
, their browser will always attempt to connect to the site via HTTP first instead of recalling the HSTS directive.
Besides the MITM threat (and the risk of running an outdated browser), there will be no impact on their browsing experience.
Somewhat related:
- 44,242
- 14
- 143
- 138