Mozilla Pushes HSTS Preloaded List on Firefox

HTTP Strict Transport Security (HSTS) is a security mechanism by which a web server can indicate to complying user agents (for instance, a web browser) to interact with it using only secure connection. The HSTS specification is currently an IETF Internet-Draft, and the security policy received approval on 2 October, 2012. Mozilla had announced on the company blog that it has added to Firefox a list of hosts that require HSTS enforced by default.

Firefox "Preloaded List" is seeded with domains from Chrome's HSTS preloaded list of a similar function.

The list building procedure is thus: a request is sent to every host with the mode: "force-https" on Chrome's list. And only host that respond with a valid HSTS header and appropriate large max-age value get included in the list.

HSTS can be an effective tool for protecting the privacy and security of users and their data online.

The "preloaded list" makes it even harder to exploit, as when connecting to an HSTS host for the first time, the browser may not know whether to use secure connection or not, because it has never received a HSTS header from that host. Subsequently, an attacker could exploit that to prevent the browser from connecting securely and a user may never detect that. But, the "preloaded list" helps to mitigate this nature of attack.

Mozilla has called upon developers to download the recent build and give it a spin which is currently available in Firefox Beta.
Next Post »