Firefox to force secure connections for selected domains
Forcing secured connections protects the privacy and security of users and their data, Mozilla said
IDG News Service - Mozilla introduced a pre-loaded list of domains for Firefox that only can be connected to securely in order to help protect the privacy and security of users.
To force secure connections between the browser and a server, Mozilla uses HSTS (HTTP Strict Transport Security), a mechanism used by servers to indicate that the connecting browser must use a secure connection, wrote Mozilla's David Keeler in a blog post.
When the browser connects to an HSTS server for the first time though, the browser does not know if it should use a secure connection because it never received a HSTS header from that host. "Consequently, an active network attacker could prevent the browser from ever connecting securely (and even worse, the user may never realize something is amiss)", Keeler wrote, adding that setting up the connection that way still leaves it vulnerable to attacks.
As a workaround for that problem, Mozilla has added a list to Firefox with domains that the browser should only connect to securely by default.
"When a user connects to one of these hosts for the first time, the browser will know that it must use a secure connection. If a network attacker prevents secure connections to the server, the browser will not attempt to connect over an insecure protocol, thus maintaining the user's security," Keeler said.
The list has been seeded by domains from Chrome's HSTS preloaded list, that has a similar function to Mozilla's. Google's Chrome forces a secure connection for all google.com subdomains but also added forced HTTPS connections for sites that have requested it. Secure connections are forced for sites such as paypal.com, twitter.com, lastpass.com and torproject.org.
"HSTS in combination with a preloaded list of sites can be a great tool for increasing the security of users," Keeler wrote. The feature is currently only present in Firefox Beta.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to firstname.lastname@example.org
- Securing Mobility, From Device to Network At one time, the process of managing and securing mobile devices and applications was fairly straightforward. Most organizations worried about one application (email)...
- Data Protection eGuide In this eGuide, CSO and sister publications IDG News Service, Computerworld, and CIO pull together news, trend, and how-to articles about the increasingly...
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!