Firefox Forces Secure HTTPS Connections for Some Domains

While HSTS has been supported since Firefox 4, Mozilla is now following Google's lead to implement a preloaded list of websites that are contacted using HTTPS by default:

"Our preload list has been seeded with entries from Chrome’s list of a similar function," wrote Mozilla's David Keeler in a blog post. "To build our preload list, a request is sent to every host. Only if a host responds with a valid HSTS header with an appropriately large max-age value (currently 10886400, which is eighteen weeks) do we include it in our list. We also see if the includeSubdomains value for the entry on Chrome’s list is the same as what we receive in the response header (if they do not match, we use the one we receive)."

The approach is designed to mitigate a potential vulnerability that would allow an attacker to prevent a browser from securely connecting to a site via HSTS. With forced HSTS, the browser will never connect to an included website via an insecure (HTTP) protocol.

Users of Google Chrome can go a step further and control individual sites via the interface at chrome://net-internals/#hsts, which enables users to add or delete HSTS websites.

The current Firefox Beta can be downloaded here.

 

Contact Us for News Tips, Corrections and Feedback

Create a new thread in the US News comments forum about this subject
This thread is closed for comments
11 comments
    Your comment
    Top Comments
  • This is the kind of thing I like hearing about. You know, actual tech news.
    22
  • Not saying this is the same as https everywhere plugin, but I alrady have a plugin that handles this! That is why I like Firefox, the plugins
    12
  • Other Comments
  • This is the kind of thing I like hearing about. You know, actual tech news.
    22
  • Would be interesting if there was a way to test browsers' security.

    Maybe one method is trial-by-fire:

    Visit known infected websites, and see how many infections the computers pick up.
    4
  • Is this why I can't go to www.msn.com using firefox without signing in with a Windows Live ID?
    Cause I tested going to msn using IE and it didn't require that I sign in..
    Edit: Sorry.. I just noticed this new feature is in the Beta only, which I am not using. So my firefox/msn issue stems from something else.. grrr..
    1