
Mozilla Firefox Beta Mandates Use of Secure Connections for Certain Sites

Mozilla has added a list of sites to its Firefox browser that can only be connected to via secure connections, to improve security.

The move is meant to improve the use of HSTS (HTTP Strict Transport Security), a mechanism by which a web server declares that a browser may only interact with it over secure connections such as HTTPS. According to a blog post by Mozilla’s David Keeler, HSTS can be an effective tool for protecting the privacy and security of users. However, when connecting to an HSTS host for the first time, the browser does not know whether or not to use a secure connection because it has never received an HSTS header from the host, he explained.

“Consequently, an active network attacker could prevent the browser from ever connecting securely (and even worse, the user may never realize something is amiss),” he blogged. “To mitigate this attack, we have added to Firefox a list of hosts that want HSTS enforced by default. When a user connects to one of these hosts for the first time, the browser will know that it must use a secure connection. If a network attacker prevents secure connections to the server, the browser will not attempt to connect over an insecure protocol, thus maintaining the user’s security.”

The move follows a similar step taken by Google to secure its Chrome browser, which mandates a secure connection for some sites.

“To build our preload list, a request is sent to every host with ‘mode: “force-https”’ on Chrome’s list,” Keeler wrote. “Only if a host responds with a valid HSTS header with an appropriately large max-age value (currently 10886400, which is eighteen weeks) do we include it in our list. We also see if the includeSubdomains value for the entry on Chrome’s list is the same as what we receive in the response header (if they do not match, we use the one we receive).”
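The inclusion rule Keeler describes, written out as an added example (not Mozilla's own preload-list tooling): a host from Chrome's list is kept only if its Strict-Transport-Security response header parses and carries a max-age of at least 10886400 seconds, and the includeSubdomains flag is taken from the received header rather than from Chrome's entry. The shape of the Chrome entry dict and the constructed sample host are assumptions.

```python
# Minimum max-age Mozilla required for preload inclusion, per the post:
# 10886400 seconds = eighteen weeks.
MIN_MAX_AGE = 10886400


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header is absent or has no valid max-age directive. Directive names are
    case-insensitive (RFC 6797), so "includeSubDomains" and
    "includesubdomains" are treated the same.
    """
    if header is None:
        return None
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # a malformed max-age invalidates the header
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


def preload_decision(chrome_entry, response_header):
    """Decide whether one host from Chrome's list goes on the preload list.

    chrome_entry is an assumed simplified dict with "host", "mode" and
    "include_subdomains"; response_header is the STS header the host
    returned (or None). Returns the preload entry, or None if excluded.
    """
    if chrome_entry.get("mode") != "force-https":
        return None
    hsts = parse_hsts(response_header)
    if hsts is None or hsts["max_age"] < MIN_MAX_AGE:
        return None
    # On a mismatch with Chrome's entry, the value actually received wins.
    return {"host": chrome_entry["host"],
            "include_subdomains": hsts["include_subdomains"]}


# Constructed sample: Chrome says includeSubdomains, the host's header does not.
SAMPLE_ENTRY = {"host": "example.test", "mode": "force-https",
                "include_subdomains": True}
SAMPLE_HEADER = "max-age=10886400"
```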

The feature is currently in Firefox beta.
