Firefox joins Chrome in supporting HTTP Strict Transport Security (HSTS)

Firefox logoAlthough the Firefox team has an entire page on the website dedicated to the new security features in Firefox 4, they seem to have forgotten to mention HTTP Strict Transport Security (HSTS).

While HSTS may not be the sexiest security feature for the average Joe, I was thrilled to see it implemented in the world’s second most popular browser. Google Chrome has supported HSTS since September, 2009 in versions and higher.

What is HSTS? Currently it is a draft RFC that tries to address some of the insecurities present in the HTTPS specification.

The easiest way to describe the core idea is that it allows a website operator to describe how they want the use of SSL to be handled for their domain. Supporting web browsers will honor HTTP headers and ensure this security policy is applied.

As an example, has elected to use HSTS headers on their service. The first time you visit from a compliant browser, your browser will receive a header that explains that PayPal should only be accessed via HTTPS and that any browser certificate errors should not allow the user to override them.

Sophos SSL cert

When specifying this header the website can also specify a Time To Live (TTL). This allows the updating of security certificates and changes in certificate authorities without a denial of service.

After receiving this header, if you try to surf to, your browser will automatically intercept the request and not send anything unencrypted across your network connection so long as you visit the site before the TTL expires. It will reformat your request to HTTPS and only communicate over SSL/TLS with PayPal.

The second important action is the ability for sites to not allow you to override certificate errors. We have mentioned previously the tendency for every day internet users to click yes/accept/ok to any prompt that is presented.

Online banking sites, financial sites or even Facebook and GMail now have the option to not only enforce HTTPS for users of compliant browsers, but also limit the ability for users to harm themselves through a lack of understanding of technical warnings.

I hope that Microsoft and Apple adopt this draft standard sooner rather than later to provide security for nearly all web surfers. While it has not yet been ratified, this proposal has my support and can make the web a safer place.