SecurityWeek

Mozilla Firefox Beta Mandates Use of Secure Connections for Certain Sites

Mozilla has added a list of sites to its Firefox browser that can only be connected to via secure connections, to improve security.

The move is meant to strengthen HSTS (HTTP Strict Transport Security), a mechanism by which a web server declares, through a response header, that browsers must only interact with it over a secure connection such as HTTPS. According to a blog post by Mozilla’s David Keeler, HSTS can be an effective tool for protecting the privacy and security of users. However, when connecting to an HSTS host for the first time, the browser does not know whether or not to use a secure connection because it has never received an HSTS header from that host, he explained. The policy only protects visits after the first one has succeeded.

“Consequently, an active network attacker could prevent the browser from ever connecting securely (and even worse, the user may never realize something is amiss),” he blogged. “To mitigate this attack, we have added to Firefox a list of hosts that want HSTS enforced by default. When a user connects to one of these hosts for the first time, the browser will know that it must use a secure connection. If a network attacker prevents secure connections to the server, the browser will not attempt to connect over an insecure protocol, thus maintaining the user’s security.”

The move follows a similar step taken by Google, whose Chrome browser ships a built-in preload list of hosts for which a secure connection is mandated.

“To build our preload list, a request is sent to every host with ‘mode: “force-https”’ on Chrome’s list,” Keeler wrote. “Only if a host responds with a valid HSTS header with an appropriately large max-age value (currently 10886400, which is eighteen weeks) do we include it in our list. We also see if the includeSubdomains value for the entry on Chrome’s list is the same as what we receive in the response header (if they do not match, we use the one we receive).”
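The preload criteria Keeler describes, and the first-connection decision a preload entry fixes, as an added worked example. This is not Mozilla's tooling and not code from the article; the function names (parse_sts_header, build_preload_list, first_connection_scheme), the host names and the response headers are constructed for illustration. The header parser follows RFC 6797, so it also handles cases the article does not mention: a quoted max-age, a repeated directive, and a header with no max-age at all.

```python
"""Added example: HSTS header parsing, Mozilla's preload criteria, and the
first-connection decision a preload entry fixes.  Not Mozilla's tooling;
host names and responses below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional

# Threshold quoted in the article: 10886400 s, i.e. eighteen weeks.
MIN_PRELOAD_MAX_AGE = 18 * 7 * 24 * 3600  # 10886400


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_sts_header(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header per RFC 6797 section 6.1.

    Returns None for an invalid header: missing or non-numeric max-age, or a
    directive given twice.  Directive names are case-insensitive, max-age's
    value may be quoted, and unknown directives are ignored.
    """
    seen = set()
    max_age = None
    include_subdomains = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:          # the grammar allows empty directives
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip()
        if name in seen:           # a directive MUST NOT appear more than once
            return None
        seen.add(name)
        if name == "max-age":
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]    # max-age="123" is legal
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains)


def build_preload_list(chrome_list: Dict[str, bool],
                       responses: Dict[str, Optional[str]]) -> Dict[str, bool]:
    """Apply the article's rules to Chrome's force-https entries.

    chrome_list maps host -> Chrome's includeSubDomains flag; responses maps
    host -> the STS header it actually returned (None if it sent none).
    A host is kept only if its header is valid and max-age is large enough;
    includeSubDomains is taken from the live header, not from Chrome's entry.
    """
    preload = {}
    for host in chrome_list:
        header = responses.get(host)
        if header is None:
            continue
        policy = parse_sts_header(header)
        if policy is None or policy.max_age < MIN_PRELOAD_MAX_AGE:
            continue
        preload[host] = policy.include_subdomains  # live header wins on mismatch
    return preload


def first_connection_scheme(host: str, preload: Dict[str, bool],
                            https_reachable: bool) -> Optional[str]:
    """Scheme for a first visit with no cached HSTS state.

    Returns "http" when nothing forces HTTPS (an on-path attacker can keep the
    user there), "https" for a preloaded host, and None when the preloaded host
    cannot be reached securely: the browser refuses rather than downgrades.
    """
    forced = host in preload or any(
        host.endswith("." + h) for h, subs in preload.items() if subs)
    if not forced:
        return "http"
    return "https" if https_reachable else None


# Constructed sample data: Chrome's includeSubDomains flags and each host's reply.
CHROME_LIST = {"good.example": True, "short.example": True,
               "quoted.example": False, "broken.example": True,
               "dup.example": True, "silent.example": True}
RESPONSES = {"good.example": "max-age=31536000; includeSubDomains",
             "short.example": "max-age=86400; includeSubDomains",
             "quoted.example": 'Max-Age="10886400"',
             "broken.example": "includeSubDomains",
             "dup.example": "max-age=31536000; max-age=0",
             "silent.example": None}

if __name__ == "__main__":
    plist = build_preload_list(CHROME_LIST, RESPONSES)
    print(plist)
    for h in ("good.example", "sub.good.example", "short.example"):
        print(h, first_connection_scheme(h, plist, https_reachable=False))
```

Of the six constructed hosts only good.example and quoted.example survive: short.example's max-age is a day, broken.example has no max-age, dup.example repeats a directive, and silent.example sent no header. Note that a preload entry does not merely upgrade the first request; when HTTPS is blocked for a preloaded host the function returns None, which is the point Keeler makes about refusing to fall back to an insecure protocol.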

The feature is currently in Firefox beta.

Written By

Marketing professional with a background in journalism and a focus on IT security.