Firefox to make life harder for HTTPS snoopers
Mozilla has equipped its latest Firefox beta, 17, with a list of domains for which the browser must use HTTPS encryption for all communications. The feature is designed to prevent man-in-the-middle attackers from reading and manipulating plain text data traffic when particularly sensitive pages are accessed. The list complements the Strict Transport Security (HSTS) HTTP header extension that enables servers to force browsers to establish HTTPS connections only.
The problem with HSTS on its own is that many users open the HTTP version of a web site and rely on being redirected to the HTTPS version when required. However, attackers on the same network can freely intercept and manipulate HTTP requests to, for example, suppress the redirection or send users to a different site altogether. With HSTS alone, the browser is only told that its communication partner uses HSTS after it has talked to the server, and that first contact may happen over plain HTTP, an insecure channel.
Now, in many common cases, Firefox will be able to consult its preloaded list to learn that a site uses HSTS before any connection is established; it can then connect to the server directly over HTTPS even if the user has actually tried to open the HTTP version of the site. Google Chrome has maintained such a list for several months. According to the Mozilla developers, the Firefox list originates from the same Chromium project list. The developers say that they have additionally checked the individual hosts and only added them to their list if the site's HSTS header specifies a max-age, the period for which the header can be assumed to apply, of at least 18 weeks. Mozilla developers have also allowed sites to override their entry on the list by setting their HSTS max-age to zero.
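As an added illustration (this is not Mozilla's or Chromium's own code), the following Python parses a site's Strict-Transport-Security header and applies the two criteria the article describes: a max-age of at least 18 weeks for inclusion in the preload list, and max-age=0 as the signal that a site wants its entry removed. The host names and header values are constructed samples.

```python
# Mozilla's stated threshold for preloading: max-age of at least 18 weeks, in seconds.
MIN_PRELOAD_MAX_AGE = 18 * 7 * 24 * 60 * 60  # 10886400


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns {'max_age': int, 'include_subdomains': bool}, or None when the
    header is malformed or lacks the mandatory max-age directive (a browser
    would ignore such a header rather than guess at its meaning).
    """
    directives = {"max_age": None, "include_subdomains": False}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # values may be quoted
        if name == "max-age":
            if not value.isdigit():
                return None                  # non-numeric max-age: treat as invalid
            directives["max_age"] = int(value)
        elif name == "includesubdomains":
            directives["include_subdomains"] = True
        # any other directive is unknown and ignored
    if directives["max_age"] is None:
        return None
    return directives


def evaluate_preload_entry(header):
    """Decide what a host's header means for the preload list:
    'add' if max-age meets the threshold, 'remove' if the site set
    max-age=0 to opt out of its entry, 'skip' in every other case."""
    parsed = parse_hsts(header)
    if parsed is None:
        return "skip"
    if parsed["max_age"] == 0:
        return "remove"
    return "add" if parsed["max_age"] >= MIN_PRELOAD_MAX_AGE else "skip"


# Constructed sample headers; these are not real sites' values.
SAMPLE_HEADERS = {
    "long.example": "max-age=31536000; includeSubDomains",   # one year: qualifies
    "short.example": "max-age=86400",                        # one day: too short
    "optout.example": "max-age=0",                           # asks to be removed
    "broken.example": "max-age=abc",                         # malformed: ignored
}


def build_preload_decisions(samples=SAMPLE_HEADERS):
    """Map each sample host to the list decision its header implies."""
    return {host: evaluate_preload_entry(hdr) for host, hdr in samples.items()}
```

Running `build_preload_decisions()` shows why a short max-age keeps a site off the list even though its HSTS header is otherwise valid.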