Firefox Forcing Secure Connections on Certain Websites

Mozilla recently introduced a pre-loaded list of domains for Firefox that can only be connected to securely in order to help protect the privacy and security of Firefox users. Mozilla is using HSTS in order to force secure connections between the browser and a server. HSTS, or HTTP Strict Transport Security, is a mechanism used by servers to indicate that the connecting browser must use a secure connection.

Whenever the browser connects to an HSTS server for the first time, however, the browser does not know if it should use a secure connection because it has never received an HSTS header from that host. According to Mozilla’s David Keeler, “Consequently, an active network attacker could prevent the browser from ever connecting securely (and even worse, the user may never realize something is amiss).”

As a workaround for that problem, Mozilla has added a list to Firefox with domains that the browser should only connect to securely by default. “When a user connects to one of these hosts for the first time, the browser will know that it must use a secure connection. If a network attacker prevents secure connections to the server, the browser will not attempt to connect over an insecure protocol, thus maintaining the user’s security,” Keeler added.
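The first-connection gap and the preload workaround described above can be modeled in a few lines. This is an added example, not Firefox's or Chrome's code; the `HstsPolicy` class, its method names, and the `bank.example.test` host are hypothetical and constructed for illustration.

```javascript
// Simplified model of a browser's HSTS decision (added example).
// Host names and preload entries are constructed for illustration.
class HstsPolicy {
  constructor(preload = []) {
    this.preload = new Map(preload.map(e =>
      [e.host, { sub: e.includeSubDomains, expires: Infinity }]));
    this.dynamic = new Map(); // learned from Strict-Transport-Security headers
  }
  // Record a header. RFC 6797: it only counts when it arrived over HTTPS.
  noteHeader(url, value, nowSec) {
    const { protocol, hostname } = new URL(url);
    if (protocol !== 'https:') return false;
    const parts = value.split(';').map(p => p.trim().toLowerCase());
    const m = parts.map(p => /^max-age="?(\d+)"?$/.exec(p)).find(Boolean);
    if (!m) return false; // max-age is a required directive
    const maxAge = Number(m[1]);
    if (maxAge === 0) { this.dynamic.delete(hostname); return true; }
    this.dynamic.set(hostname,
      { sub: parts.includes('includesubdomains'), expires: nowSec + maxAge });
    return true;
  }
  // True if the host, or a parent with includeSubDomains, has a live entry.
  isSecureOnly(host, nowSec) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      for (const table of [this.preload, this.dynamic]) {
        const e = table.get(candidate);
        if (e && e.expires > nowSec && (i === 0 || e.sub)) return true;
      }
    }
    return false;
  }
  // The URL the browser will actually request for what the user typed.
  resolve(url, nowSec) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isSecureOnly(u.hostname, nowSec)) u.protocol = 'https:';
    return u.href;
  }
}
// Constructed scenario: same typed URL, with and without a preload entry.
function firstVisitDemo() {
  const now = 1000, typed = 'http://bank.example.test/login';
  const plain = new HstsPolicy();
  const preloaded = new HstsPolicy([{ host: 'bank.example.test', includeSubDomains: true }]);
  const first = plain.resolve(typed, now); // no knowledge yet: stays on http
  plain.noteHeader('https://bank.example.test/', 'max-age=31536000; includeSubDomains', now);
  return { first, afterHeader: plain.resolve(typed, now + 1), preloadedFirst: preloaded.resolve(typed, now) };
}
console.log(firstVisitDemo());
```

Without a preload entry the very first request goes out over plain HTTP, which is the window the quoted passage refers to; with the entry present the upgrade happens before any network traffic.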

The list has been seeded with domains from Chrome’s HSTS preloaded list, which serves a similar function to Mozilla’s. Chrome forces a secure connection for all Google.com subdomains and has also added forced HTTPS connections for sites that have requested it. In addition to that, secure connections are forced for sites such as PayPal, Twitter, LastPass and TorProject.

Keeler adds, “HSTS in combination with a preloaded list of sites can be a great tool for increasing the security of users.” This feature is currently only present in Firefox Beta, so it may be a little while before it gets put to full-scale use with the Firefox web browser.

Source: Computer World – Firefox to force secure connections for selected domains

