This article is about a new HTTP header, Strict-Transport-Security, which forces a website to be fetched over HTTPS. This feature will be part of Firefox 4.
How do you type URLs?
Do you prefix them with http:// or https:// systematically? Or do you just type example.com and let your browser add http://, like most people do?
If a website has an https version but you access it through http, what happens? The http version of the website redirects you to the https version, but you first talked to the non-encrypted version of the website.
These behaviors can be exploited to run a man-in-the-middle attack.
To avoid this, you may want to force your website to be visited through https, so that any http://x.com request is transformed into https://x.com before any client-server dialog takes place.
Sid Stamm recently integrated HTTP Strict Transport Security (HSTS) into Firefox. HSTS, specified in an IETF draft, allows sites to specify when they wish to be accessed only over https.
A website can enable strict transport security for its domain via an HTTP header that the server sends in an HTTPS response:
Strict-Transport-Security: max-age=15768000
or
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
max-age sets how long (in seconds) the forced HTTPS is remembered. If includeSubDomains is set, then this rule will apply to all the sub-domains too.
From then on, any request to x.com attempted over http is rewritten to https before the request hits the network.
This header is ignored during a non-encrypted HTTP transaction, because the User-Agent doesn't know whether the https version actually exists, and because the header could have been injected by an attacker.
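To make the user-agent side of this concrete, here is an added Python model of the behaviour described above (example code, not Firefox's implementation): it parses the Strict-Transport-Security value, records a policy only when the header arrived in an HTTPS response, honours max-age expiry and includeSubDomains, and rewrites http:// URLs to https:// before any request would be sent. The HSTSStore class, the parse_hsts helper and the sample headers are constructed for this example; the max-age=0 handling follows the later RFC 6797 wording rather than anything stated in this article.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value.

    Returns (max_age_seconds, include_subdomains), or None when the
    value is malformed (no numeric max-age), in which case a UA ignores it.
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


def _get_header(headers, name):
    """Case-insensitive lookup in a plain dict of response headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


class HSTSStore:
    """Hypothetical in-memory store of 'known HSTS hosts' for one user-agent."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so tests can fast-forward time
        self.policies = {}          # host -> (expires_at, include_subdomains)

    def process_response(self, url, headers):
        """Record a policy from a response. Returns True if the header was honoured."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False            # header over plain http is ignored (could be injected)
        value = _get_header(headers, "Strict-Transport-Security")
        if value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname       # already lower-cased by urlsplit
        if max_age == 0:
            self.policies.pop(host, None)   # max-age=0 tells the UA to forget the host
            return True
        self.policies[host] = (self.clock() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        now = self.clock()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_subdomains = policy
            if expires_at <= now:
                del self.policies[candidate]    # lazily drop expired entries
                continue
            if i == 0 or include_subdomains:    # exact host, or covered sub-domain
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// before it would hit the network."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.netloc
        if parts.port == 80:        # explicit :80 becomes :443; other ports are kept
            netloc = netloc.rsplit(":", 1)[0] + ":443"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Walk through the article's scenario with constructed responses."""
    store = HSTSStore()
    # First visit over plain http: the header must not be trusted here.
    store.process_response("http://x.com/", {"Strict-Transport-Security": "max-age=15768000"})
    before = store.rewrite("http://x.com/login")
    # The https version sends the header; from now on http requests are upgraded.
    store.process_response("https://x.com/", {"Strict-Transport-Security": "max-age=15768000 ; includeSubDomains"})
    after = store.rewrite("http://x.com/login")
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the http URL left untouched after the plain-http response and upgraded to https after the HTTPS one; the same store also upgrades sub-domains because includeSubDomains was set.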
About Paul Rouget
Paul is a Firefox developer.