Firefox is going to start forcing HTTPS usage for sensitive websites, to thwart man-in-the-middle attacks

After reading the title of this article, you must be thinking “sounds like what HTTPS Everywhere does”. No, not exactly.

You see, some websites use HTTP Strict Transport Security (HSTS), a policy a website sends to the browser (in a Strict-Transport-Security response header) that tells it to use only HTTPS when connecting to that website. In other words, a browser that knows a website uses HSTS will not connect to it over plain HTTP. The catch is the first visit: when a browser connects to an HSTS website for the first time, it does not yet know the website uses HSTS (the server has not told it so yet) and therefore does not know that HTTPS is required. Only once the browser receives the HSTS header from the server does it start enforcing HTTPS. An attacker in a man-in-the-middle position can keep the browser on HTTP for an HSTS-protected website simply by stopping that first HSTS header from ever reaching the browser. If a browser doesn’t know it should use HTTPS on a website, it will default to HTTP. A new feature in Firefox aims to close this loophole.

The latest Beta version of Firefox ships with a built-in list of websites known to use HSTS. This means Firefox knows a website requires HTTPS before it ever connects to that website, and it will not let users connect to these websites over HTTP. Having this knowledge beforehand mitigates man-in-the-middle attacks because Firefox no longer depends on the server telling it that HTTPS is required. If Firefox ever finds itself connecting to a website on its HSTS list over HTTP, it aborts the connection on the assumption that something has gone wrong. For HSTS websites, no HTTPS = no go.
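To make the first-visit gap and the built-in list concrete, here is an added toy model of a browser's HSTS policy store (this is illustrative code written for this post, not Mozilla's or Chrome's implementation). It parses the Strict-Transport-Security header, honours max-age and includeSubDomains, ignores the header when it arrives over plain HTTP, and consults a built-in list (commonly called a preload list) before the first connection. The class and function names, the `example.com` hosts and the header values are all constructed for the example.

```python
"""Toy model of a browser-side HSTS store with a preload list (added example)."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the learned policy lapses
    include_subdomains: bool  # whether the policy also covers subdomains


def parse_sts_header(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains), or None when max-age is missing or
    malformed (a browser must then ignore the header entirely).
    """
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    def __init__(self, preload=None, now=time.time):
        self.now = now                      # injectable clock, for expiry tests
        self.dynamic = {}                   # host -> HstsEntry learned from headers
        # Hosts built into the browser: host -> include_subdomains flag.
        self.preload = {h.lower(): sub for h, sub in (preload or {}).items()}

    def record_response(self, host, secure, headers):
        """Learn a policy from a response. Returns True if the store changed.

        The header is only trusted when it arrived over HTTPS; a header seen on
        a plain-HTTP response could have been injected by a man in the middle.
        """
        if not secure:
            return False
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        parsed = parse_sts_header(value) if value is not None else None
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:                    # max-age=0 tells the browser to forget the policy
            self.dynamic.pop(host, None)
        else:
            self.dynamic[host] = HstsEntry(self.now() + max_age, include_sub)
        return True

    def is_known_hsts(self, host):
        """True if host, or a parent domain whose policy covers subdomains, is HSTS."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), i == 0
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            entry = self.dynamic.get(candidate)
            if entry is None:
                continue
            if entry.expires <= self.now():     # lapsed policy: drop it
                del self.dynamic[candidate]
                continue
            if exact or entry.include_subdomains:
                return True
        return False

    def resolve(self, url):
        """Return the URL the browser will actually fetch: upgraded to HTTPS
        for known HSTS hosts, otherwise unchanged (this is the first-visit gap)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known_hsts(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def first_visit_demo():
    """Contrast a first visit without and with the built-in list.

    Returns (first visit, no preload; later visit after header seen; first visit, preloaded).
    """
    store = HstsStore()
    gap = store.resolve("http://example.com/login")          # nothing known yet: stays HTTP
    store.record_response("example.com", True,
                          {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    learned = store.resolve("http://www.example.com/login")  # policy covers subdomains now
    preloaded = HstsStore(preload={"example.com": True})
    first = preloaded.resolve("http://example.com/login")    # known before any connection
    return gap, learned, first


if __name__ == "__main__":
    for label, result in zip(("no preload", "after header", "preloaded"), first_visit_demo()):
        print(f"{label:>13}: {result}")
```

The interesting line is the first result of `first_visit_demo()`: without the built-in list the request goes out over HTTP, which is exactly the moment an attacker can hold the connection on HTTP and keep the header from ever arriving. The preloaded store upgrades the very first request, and `record_response` refusing headers seen on insecure transport is the other half of the same defence.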

For such a seemingly simple fix, I’m not sure why Mozilla didn’t implement it earlier. After all, Google Chrome already has it.
