HTTP Strict Transport Security

Sid Stamm


A while ago, we talked about Force-TLS, which lets a site say “hey, only access me over HTTPS in the future” and have the browser listen. That idea has now been solidified into a draft spec for HTTP Strict Transport Security (HSTS), and we’ve landed support for it in our source tree. This means HSTS will ship with Firefox 4, and it will be available as early as the next beta release.

We’re excited about this because it gives sites an easy way to protect their users from man-in-the-middle attacks on untrustworthy networks: once a site has sent the header over a good HTTPS connection, the browser rewrites any http:// link or typed address for that site to https:// before the request leaves, and treats a certificate error for that site as a hard failure instead of offering to add an exception.
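To make the mechanism concrete, here is an added example (written for this page, not Firefox’s implementation or code from the draft spec) of the browser-side pieces HSTS needs: a parser for the Strict-Transport-Security header, a per-host policy store with max-age expiry and includeSubDomains, and the http-to-https rewrite applied before a request is sent. The function and class names (parseStsHeader, HstsStore), the host names and the header values are all constructed for the example.

```javascript
// Added example, not Firefox code: a minimal model of an HSTS policy store.
// A host that sends Strict-Transport-Security over an error-free HTTPS
// response is remembered for max-age seconds; afterwards plain-http URLs to
// that host (and, with includeSubDomains, its subdomains) are upgraded.

function parseStsHeader(value) {
  // Directives are ";"-separated; names are case-insensitive; unknown ones
  // are ignored. max-age is required and must be a non-negative integer.
  let maxAge = null;
  let includeSubDomains = false;
  for (const part of value.split(";")) {
    const [rawName, rawVal] = part.split("=");
    const name = rawName.trim().toLowerCase();
    if (name === "max-age") {
      const v = (rawVal || "").trim().replace(/^"(.*)"$/, "$1");
      if (!/^\d+$/.test(v)) return null; // malformed header: ignore it entirely
      maxAge = Number(v);
    } else if (name === "includesubdomains") {
      includeSubDomains = true;
    }
  }
  if (maxAge === null) return null;
  return { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() {
    this.entries = new Map(); // host -> { expires (ms), includeSubDomains }
  }

  // Called for every response. Only an HTTPS response with no certificate
  // error may set or clear policy; the header on plain HTTP is ignored, so an
  // attacker on an open network cannot plant (or remove) a policy.
  observeResponse(host, { secure, certError, stsHeader }, now) {
    if (!secure || certError || !stsHeader) return false;
    const policy = parseStsHeader(stsHeader);
    if (!policy) return false;
    host = host.toLowerCase();
    if (policy.maxAge === 0) {        // max-age=0 tells the browser to forget the host
      this.entries.delete(host);
      return true;
    }
    this.entries.set(host, {
      expires: now + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // True if host itself, or an ancestor domain with includeSubDomains, has a
  // live policy. Expired entries are dropped as they are encountered.
  isKnown(host, now) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) {
        this.entries.delete(candidate);
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite http:// to https:// for known hosts before any request is sent.
  upgradeUrl(urlString, now) {
    const url = new URL(urlString);
    if (url.protocol === "http:" && this.isKnown(url.hostname, now)) {
      url.protocol = "https:";
    }
    return url.toString();
  }
}

// Walk-through on constructed data: the policy is learned over HTTPS only,
// applies to subdomains when asked, and lapses once max-age has passed.
function demo() {
  const store = new HstsStore();
  const t0 = 0;
  const ignoredOverHttp = store.observeResponse(
    "example.com", { secure: false, certError: false, stsHeader: "max-age=100" }, t0);
  store.observeResponse(
    "example.com", { secure: true, certError: false,
                     stsHeader: "max-age=100; includeSubDomains" }, t0);
  return {
    ignoredOverHttp,
    upgraded: store.upgradeUrl("http://login.example.com/account", t0 + 1000),
    afterExpiry: store.upgradeUrl("http://example.com/", t0 + 100 * 1000),
  };
}

console.log(demo());
```

The two checks a practitioner should not drop from a real implementation are visible in observeResponse: the header is honored only over a clean HTTPS connection, and max-age=0 is the site’s way to revoke its own policy.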

Grab a nightly build, and let us know what you think! The folks over at PayPal are serving a Strict-Transport-Security header, if you’d like to check it out.

More Info:

Sid Stamm
Conspiracy Theorist

4 responses

  1. Imprimante wrote on :

    This is good news for sensitive sites.

    It would be even better if HTTPS was the default access for all websites.

  2. Security Videos wrote on :

    This is really good news, protection is always a good thing, the pain is in implementing all these new protocols. Brilliant news, that it’s in the source tree, maybe we will see some updates on this in the future?

  3. Pasta wrote on :

    That is great news. I am grabbing a nightly build to test now. Thanks!

  4. Andrew wrote on :

    Are HTTPS or HSTS connections slowing down data transfer compared with the HTTP protocol? And why, when I am accessing an https page for the first time, does Firefox ask me if I want to add a permanent certification? Why doesn’t it just skip this option?