In an effort to help mitigate man-in-the-middle attacks that make normal HTTP connections look like secured HTTPS sessions, Mozilla is adding support in Firefox 4 for a new technology called HTTP Strict Transport Security that enables site operators to tell browsers to always request an HTTPS session on future visits.
The technology, which is also known as ForceTLS, is currently an IETF draft specification and Mozilla officials say it should give users more confidence in HTTPS connections over time. Right now, the existence of HTTPS in front of a URL in a browser’s address bar is nothing close to a guarantee that the connection is actually a secure one. There are myriad man-in-the-middle attack scenarios that introduce a high level of uncertainty for SSL connections.
However, the inclusion of HTTP Strict Transport Security in Firefox is another step toward establishing a higher degree of trust in HTTPS connections. Firefox 4 currently is in beta and is scheduled to be released by the end of the year.
“A while ago, we talked about Force-TLS that lets sites say “hey, only access me over HTTPS in the future” and the browser listens. Well, this idea has been solidified into a draft spec for HTTP Strict Transport Security (HSTS) and we’ve landed support for it into our source tree. This means that HSTS will be shipped with Firefox 4, and will be deployed as soon as the next beta release,” Mozilla’s Sid Stamm said in a blog post Friday. “We’re excited about this because it enables sites to easily give their users lots more protection from man-in-the-middle attacks when they’re using an untrustworthy network.”
In order for this to work on a given site, the site operator has to specify in the site’s HTTP headers that the site is requesting an HTTPS connection on all connection attempts. So the technology still is reliant on Web sites to take the lead on providing better transport security for users.
“A website can specify strict transport security for their domain via an HTTP header sent by the server set during an HTTPS response:
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
max-age sets how long to remember the forced HTTPS (seconds). If includeSubDomains is set, then this rule will apply to all the sub-domains too,” Mozilla’s Paul Rouget said in a post on the Mozilla Hacks blog.
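The browser-side behaviour Rouget describes, written out as an added example (not Mozilla's code): a small HSTS policy store that only accepts the header over HTTPS, honours max-age expiry and includeSubDomains, and upgrades later http:// requests to https://. Host names, header values and the clock are constructed for illustration.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class HSTSStore:
    """Minimal model of a browser's HSTS policy store (constructed example)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.policies = {}  # host -> (expiry timestamp, include_subdomains)

    def process_response(self, url, headers):
        """Record a policy from a response; ignored unless the response was HTTPS."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return False
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age" and arg.strip().isdigit():
                max_age = int(arg.strip())
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:  # max-age is mandatory; malformed header is dropped
            return False
        host = parts.hostname.lower()
        if max_age == 0:  # max-age=0 tells the browser to forget the policy
            self.policies.pop(host, None)
            return True
        self.policies[host] = (self.clock() + max_age, include_sub)
        return True

    def rewrite(self, url):
        """Upgrade http:// to https:// when an unexpired policy covers the host."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.lower().split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            expiry, include_sub = policy
            if expiry <= self.clock():  # expired entries are discarded lazily
                del self.policies[candidate]
                continue
            if i == 0 or include_sub:
                return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url
```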