Mozilla is adding an extra layer of security in its Firefox browser by implementing HTTP Strict Transport Security (HSTS), a mechanism that will force some sites into establishing a secure, HTTPS connection with the browser if its presented with the right certificate.
According to an entry on Mozilla’s Security Blog late last week, the sites are culled from a list of hosts that have requested their sites be accessed by HSTS by default. Also included are sites present on a list compiled by a similiar HSTS function in Google Chrome, such as Lastpass.com, Paypal.com and Twitter.com. Once these sites send a valid security header to the browser and the server is authenticated, Firefox connects.
The post, penned by Mozilla’s David Keeler, rationalizes the creation of the mechanism by explaining how an attacker could otherwise confuse a browser into thinking it was connecting safely.
“When a user connects to one of these hosts for the first time, the browser will know that it must use a secure connection. If a network attacker prevents secure connections to the server, the browser will not attempt to connect over an insecure protocol, thus maintaining the user’s security,” Firefox claims.
The feature is currently in Firefox Beta, yet given its usual release schedule, should see the light of day in a few weeks in Firefox 17.
Hoping to combat attackers who target plug-in and extension vulnerabilities in the browser, Firefox added a click-to-play feature to its beta build last month. That function uses a blacklist to help block outdated and at risk versions of extensions and plug-ins from running, warning users they’ve been deactivated before they can be used.
