Mozilla takes steps to adopt strict HTTP

Mozilla is taking baby steps of sorts to adapt to the new HSTS (HTTP Strict Transport Security) mechanism aimed at protecting users' privacy and security.

 

In a blog post, Mozilla said its latest Firefox Beta comes with an initial list of hosts that specify HSTS must enforced by default.

 

"HSTS is a mechanism by which a server can indicate that the browser must use a secure connection when communicating with it. It can be an effective tool for protecting the privacy and security of users and their data," Mozilla said.

 

However, it also noted the browser may not know whether to use a secure connection when it connects to a host using HSTS for the first time, as it has never received an HSTS header.

 

Mozilla also noted an active network attacker may prevent the browser from connecting securely in the first place.

 

"To mitigate this attack, we have added to Firefox a list of hosts that want HSTS enforced by default. When a user connects to one of these hosts for the first time, the browser will know that it must use a secure connection," it said.

 

Mozilla added that if a network attacker prevents secure connections to the server, Firefox will not attempt to connect over an insecure protocol.

 

Mozilla said the preload list has entries from a similar list for Google's Chrome browser.

 

It said the list includes hosts with HSTS headers good for about 18 weeks. - SFP/VVP, GMA News