News

Automatic HTTPS Preview for Microsoft Edge Browser Now Available

• By Kurt Mackie
• 06/01/2021

Microsoft on Tuesday announced an Automatic HTTPS preview feature for the Microsoft Edge browser.

The Automatic HTTPS feature is currently available to Microsoft Edge Insider program participants using either the "Canary" or "Developer" distribution channels. It's available using version 92 of the Edge browser, but testers have to turn it on to use it.

Automatic HTTPS promises better security when users browse Web sites that still use the old HTTP protocol, where the connections aren't encrypted. Sites based on HTTP permit so-called "man-in-the-middle" types of attacks. Under this scheme, traffic can be intercepted and altered by an attacker. Moreover, users can be redirected to other sites than the ones they have selected.

Automatic HTTPS Preview Options
Microsoft's Automatic HTTPS preview gives end users a couple of options. They can set the feature to "switch to HTTPS only on websites likely to support HTTPS." Alternatively, they can opt to "always switch from HTTP to HTTPS," although there could be more connection errors using this latter option.

The first option, switching to sites likely to support HTTPS, is based on a list that Microsoft keeps. This option also upgrades the site's "same-host active subresources" to HTTPS. It turns out that some sites use a mixture of HTTPS and HTTP, which can be a security issue.

Examples of such active content subresources include "scripts, iframe sources, and fetch() requests," Microsoft explained. Its best-practices advice to Web site developers is to use HTTPS across both site documents and subresources.

In some cases, site developers may have added support for HTTPS, but they haven't required the use of it. Microsoft described that circumstance as offering "a short window of opportunity to attackers before the site can redirect to the more secure protocol." Some sites don't even redirect users to HTTPS. Microsoft's Automatic HTTPS feature seems to be a response to those two circumstances.

The Automatic HTTPS Edge browser feature seems to be very much akin to the Electronic Frontier Foundation's HTTPS Everywhere browser plug-in, which was launched a decade ago. The main difference appears to be that Microsoft's Automatic HTTPS feature is built into the Edge browser, rather than being a plug-in that needs to be installed.

Compliance Extension for Chrome Browser
In other browser security news, Microsoft late last month announced the commercial release of the Microsoft Compliance Extension for the Google Chrome browser.

The extension can be leveraged by organizations to enforce Microsoft Data Loss Prevention policies when users access files containing sensitive information. It's available here from the Google Chrome Web Store and it lets organizations use Chrome as an approved browser.

The Compliance Extension for Chrome can do things like block the printing of sensitive files. It can restrict file uploads to just trusted service domains. IT pros can view Chrome-related events in the Microsoft 365 Compliance Center portal.

The classification of files happens via the Microsoft Information Protection labeling scheme, which tracks more than "150 sensitive information types." The extension also works with Microsoft Defender and Insider Risk Management solutions.

The Compliance Extension for Chrome feature depends on organizations using the "Microsoft 365 Compliance Suite." It also apparently requires having a Microsoft 365 E5 subscription.