
Firefox Forces Secure HTTPS Connections for Some Domains

Source: Mozilla

Mozilla announced that current Firefox Beta versions now come with a feature that forces HTTPS connections to certain sites via HSTS (HTTP Strict Transport Security).

While HSTS has been supported since Firefox 4, Mozilla is now following Google's lead to implement a preloaded list of websites that are contacted using HTTPS by default:

"Our preload list has been seeded with entries from Chrome’s list of a similar function," wrote Mozilla's David Keeler in a blog post. "To build our preload list, a request is sent to every host. Only if a host responds with a valid HSTS header with an appropriately large max-age value (currently 10886400, which is eighteen weeks) do we include it in our list. We also see if the includeSubdomains value for the entry on Chrome’s list is the same as what we receive in the response header (if they do not match, we use the one we receive)."

The approach is designed to mitigate a potential vulnerability that would allow an attacker to prevent a browser from securely connecting to a site via HSTS. With forced HSTS, the browser will never connect to an included website via an insecure (HTTP) protocol.
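The selection rule Keeler describes can be sketched as follows. This is an added example, not Mozilla's code: the host names and response headers are constructed, the function names are hypothetical, the quoted max-age figure is treated as a minimum, and header validity follows RFC 6797 (each directive at most once, unknown directives ignored).

```python
import re

MIN_MAX_AGE = 10886400  # seconds (eighteen weeks), the threshold quoted above

def parse_hsts(header):
    """Return (max_age, include_subdomains), or None if the header is absent/invalid."""
    if not header:
        return None
    max_age, include_sub, seen = None, False, set()
    for part in header.split(";"):
        name, eq, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip()
        if not name and not eq:
            continue                      # empty segment, e.g. a trailing ';'
        if name in seen:
            return None                   # RFC 6797: a directive may appear only once
        seen.add(name)
        if name == "max-age":
            value = value[1:-1] if re.fullmatch(r'"[^"]*"', value) else value
            if not re.fullmatch(r"[0-9]+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            if eq:
                return None               # this directive takes no value
            include_sub = True
        # any other directive is unknown and ignored
    return None if max_age is None else (max_age, include_sub)

def build_preload_list(seed, responses):
    """seed: {host: includeSubdomains flag on the seed list}; responses: {host: header}."""
    preload = {}
    for host in seed:
        parsed = parse_hsts(responses.get(host))
        if parsed is None or parsed[0] < MIN_MAX_AGE:
            continue                      # no valid header, or max-age too small
        preload[host] = parsed[1]         # on a mismatch, the received flag wins
    return preload

# Constructed sample data (assumption): seed flags and the header each host returned.
SEED = {"bank.example": True, "mail.example": False, "shop.example": True,
        "old.example": True, "dup.example": False, "gone.example": True}
RESPONSES = {"bank.example": "max-age=31536000; includeSubDomains",
             "mail.example": "max-age=10886400; includeSubDomains",
             "shop.example": 'max-age="15768000"',
             "old.example": "max-age=86400; includeSubDomains",
             "dup.example": "max-age=31536000; max-age=0",
             "gone.example": None}

if __name__ == "__main__":
    print(build_preload_list(SEED, RESPONSES))
```
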

Users of Google Chrome can go a step further and control individual sites via the interface at chrome://net-internals/#hsts, which enables users to add or delete HSTS websites.

The current Firefox Beta can be downloaded here.

 

Comments
  • 22
    s3anister , November 3, 2012 4:04 AM
    This is the kind of thing I like hearing about. You know, actual tech news.
  • 4
    A Bad Day , November 3, 2012 4:08 AM
    Would be interesting if there was a way to test browsers' security.

    Maybe one method is trial-by-fire:

    Visit known infected websites, and see how many infections the computers pick up.
  • 1
    techcurious , November 3, 2012 4:25 AM
    Is this why I can't go to www.msn.com using firefox without signing in with a Windows Live ID?
    Cause I tested going to msn using IE and it didn't require that I sign in..
    Edit: Sorry.. I just noticed this new feature is in the Beta only, which I am not using. So my firefox/msn issue stems from something else.. grrr..
  • 12
    phatboe , November 3, 2012 6:22 AM
    Not saying this is the same as https everywhere plugin, but I already have a plugin that handles this! That is why I like Firefox, the plugins
  • 0
    Cryio , November 3, 2012 7:45 AM
    To Nightly users: You didn't tell us about this 2 versions ago :-L
    To Waterfox users (and me): Well, let's just wait for the version update.
  • 0
    Cryio , November 3, 2012 7:45 AM
    phatboe: Not saying this is the same as https everywhere plugin, but I already have a plugin that handles this! That is why I like Firefox, the plugins


    Extension*.
  • 1
    Pherule , November 3, 2012 9:44 AM
    This should have been implemented in all major browsers years ago. This is what makes me believe that browser developers have their heads perma-stuck in the sand.

    Firefox's devs seem to be slowly waking up though. They're even addressing the UI lag issues (gasp!)
  • 0
    A Bad Day , November 3, 2012 1:36 PM
    Pherule: This should have been implemented in all major browsers years ago. This is what makes me believe that browser developers have their heads perma-stuck in the sand.


    Can you really blame them for trying to work around poorly-coded websites that violate standards and sub-par 3rd party plugins?
  • 0
    JonnyDough , November 4, 2012 7:15 AM
    No, but that's not what it's for. It's so that we don't type in yourbankname.com and instead of going to your bank's website go to one that looks similar where you enter your sign in info. Some websites will take your personal info, and then redirect you to the correct site. This gains access to your bank account. The "HTTPS" moniker in front of "WWW." ensures a secure connection with your bank, and now your address bar will know which websites to use "HTTPS" instead of "HTTP", which is unsecured.
  • 0
    Pherule , November 4, 2012 10:49 AM
    JonnyDough: snip

    I don't know about you, but I use HTTPS to stop my ISP from spying on me. I don't care whether a website is secure or not, I just care that my ISP can't track what I look at on said site. I couldn't give a stuff about banking sites. I do my banking IRL, not online.