Firefox 4 to Include HTTP Strict Transport Security Support
In an effort to help mitigate man-in-the-middle attacks that quietly downgrade a user's HTTPS session to plain HTTP while making it look secure, Mozilla is adding support in Firefox 4 for a new technology called HTTP Strict Transport Security (HSTS) that lets a site operator tell browsers to use HTTPS for all future visits to the site.
The technology, which grew out of an earlier Firefox extension called Force-TLS, is currently an IETF draft specification, and Mozilla officials say it should give users more confidence in HTTPS connections over time. Right now, the presence of HTTPS in front of a URL in a browser's address bar is nothing close to a guarantee that the connection is actually a secure one, and users rarely notice when it is missing. There are myriad man-in-the-middle attack scenarios that introduce a high level of uncertainty for SSL connections.
However, the inclusion of HTTP Strict Transport Security in Firefox is another step toward establishing a higher degree of trust in HTTPS connections. Firefox 4 currently is in beta and is scheduled to be released by the end of the year.
"A while ago, we talked about Force-TLS that lets sites say “hey, only access me over HTTPS in the future” and the browser listens. Well, this idea has been solidified into a draft spec for HTTP Strict Transport Security (HSTS) and we’ve landed support for it into our source tree. This means that HSTS will be shipped with Firefox 4, and will be deployed as soon as the next beta release," Mozilla's Sid Stamm said in a blog post Friday. "We’re excited about this because it enables sites to easily give their users lots more protection from man-in-the-middle attacks when they’re using an untrustworthy network."
In order for this to work on a given site, the site operator has to send a Strict-Transport-Security header in an HTTPS response. The browser then remembers that host for the period the header specifies and rewrites any later http:// request to it as https:// before the request ever leaves the machine. The header is honored only when it arrives over HTTPS, so an attacker on the path cannot plant a bogus policy over plain HTTP, but it also does nothing for a user's very first visit to a site. So the technology still relies on Web sites to take the lead on providing better transport security for users.
"A website can specify strict transport security for their domain via an HTTP header sent by the server set during an HTTPS response:
Strict-Transport-Security: max-age=15768000
or
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
max-age sets how long to remember the forced HTTPS (seconds). If includeSubDomains is set, then this rule will apply to all the sub-domains too," Mozilla's Paul Rouget said in a post on the Mozilla Hacks blog.
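To make the mechanism concrete, the following is an added example written for this page; it is not Mozilla's code and does not come from either blog post. It models the browser side of HSTS: parsing the two header forms quoted above, remembering a host only when the header arrived over HTTPS, honoring includeSubDomains and max-age expiry, and rewriting later http:// requests to https://. It assumes response headers are handed in as an object with lowercase names, and the host names, header values and timestamps in demo() are constructed for illustration.

```javascript
// Added example: a minimal, stand-alone model of the browser side of HSTS.
// Not Firefox/Mozilla code. Hosts, headers and timestamps in demo() are
// constructed for illustration.

// Parse the value of a Strict-Transport-Security header.
// Returns { maxAge (seconds), includeSubDomains } or null when there is no
// well-formed max-age. Unknown directives are ignored.
function parseStsHeader(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? '' : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (name === 'max-age') {
      if (!/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// The browser's per-host memory of "HTTPS only" policies.
class HstsStore {
  constructor() {
    this.entries = new Map(); // host -> { expires (ms), includeSubDomains }
  }

  // Feed every response here. `headers` uses lowercase names (assumption of
  // this example). Only an HTTPS response may set or clear policy; the same
  // header over plain HTTP is ignored, since an on-path attacker could inject it.
  observeResponse(url, headers, now) {
    const u = new URL(url);
    if (u.protocol !== 'https:') return false;
    const value = headers['strict-transport-security'];
    if (value === undefined) return false;
    const policy = parseStsHeader(value);
    if (policy === null) return false;
    const host = u.hostname.toLowerCase();
    if (policy.maxAge === 0) {
      this.entries.delete(host); // max-age=0 tells the browser to forget the host
      return true;
    }
    this.entries.set(host, {
      expires: now + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // True if `host` is covered by an unexpired entry: an exact match, or an
  // entry for a parent domain that was set with includeSubDomains.
  isKnownHost(host, now) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) {
        this.entries.delete(candidate); // lazily drop expired policy
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Applied to every outgoing request before it leaves the machine:
  // http:// to a known host becomes https://.
  rewriteRequest(url, now) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnownHost(u.hostname, now)) {
      u.protocol = 'https:';
    }
    return u.toString();
  }
}

// Walk through the scenario from the article with constructed data.
function demo() {
  const store = new HstsStore();
  const t0 = Date.UTC(2010, 0, 1); // constructed "now"
  const sts = { 'strict-transport-security': 'max-age=15768000 ; includeSubDomains' };
  const out = {};
  // 1. Header arrives over plain HTTP: ignored, request stays http.
  store.observeResponse('http://example.com/', sts, t0);
  out.afterHttpHeader = store.rewriteRequest('http://example.com/login', t0);
  // 2. Same header over HTTPS: remembered, later http:// requests are upgraded.
  store.observeResponse('https://example.com/', sts, t0);
  out.afterHttpsHeader = store.rewriteRequest('http://example.com/login', t0);
  out.subdomain = store.rewriteRequest('http://www.example.com/', t0);
  out.lookalike = store.rewriteRequest('http://example.com.evil.test/', t0);
  // 3. Once max-age seconds have passed, the policy lapses.
  out.afterExpiry = store.rewriteRequest('http://example.com/login', t0 + 15768000 * 1000);
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

Two details are worth noticing. The lookalike host example.com.evil.test is not upgraded even with includeSubDomains set, because matching walks up the requested host's own parent labels, never across. And the first request in demo() stays on http:// because the header was seen only over HTTP, which is exactly the window a downgrade attack relies on: the site is protected only once the browser has completed one genuine HTTPS visit.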