It's using a preload list to know in advance which sites strictly require HTTPS

Nov 3, 2012 15:11 GMT  ·  By

HSTS, or HTTP Strict Transport Security, is, as the name suggests, a mechanism by which a website tells a browser that it must only use a secured HTTPS connection to that site.

The idea is to make it harder for attackers to hijack the connection and trick the browser into using an unencrypted connection.

This is a common trick in man-in-the-middle attacks, and it can mean that, even though the site supports HTTPS and would use it by default, you end up connected via plain HTTP.

You may not even notice it, but all of your data will then be available to any attacker.

HSTS states that the browser must only connect via HTTPS to that site, no matter what. If an attacker tries to trick the browser into dropping to HTTP, the browser will ignore this.

There is one caveat though: the browser must know whether the site wants to always use HTTPS or not, and to find that out it has to first connect to it.

This first visit is crucial and it's a potential attack vector: if the browser never gets the HSTS header, it won't know to use HTTPS.

Chrome mitigates this, for some sites, by using a preloaded list, a list of sites that are known to use HSTS. This way, even if a user has never visited that site before, the browser will know it requires HTTPS and act accordingly.

Now, Firefox does the same. In fact, it's using Chrome's list of sites as a starting point. The latest Firefox 17 Beta already includes this preload list.

Mozilla built its own list by taking Chrome's and then checking every site in it. It only included sites that had a max-age value of over 18 weeks.

Using a preload list raises the issue of what happens if a site decides to drop HSTS, i.e. the max-age is set to 0. In that case, the preload list is overridden to ensure that the site will function properly. This can lead to some issues in fringe examples, but overall, using the preload list should provide everyone with better security.
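To make the behaviour described above concrete, here is an added example (not code from the article, Firefox or Chrome) of a minimal model of a browser's HSTS state: a static preload list, dynamic entries learned from the Strict-Transport-Security header, the max-age=0 override of a preload entry, and Mozilla's 18-week criterion for preload eligibility. The host names and the preload list in the test are constructed, and the rule that the header is only honoured over HTTPS comes from RFC 6797, not from the article.

```python
from typing import Dict, Optional, Set

# Mozilla's preload criterion quoted in the article: max-age of at least 18 weeks.
EIGHTEEN_WEEKS = 18 * 7 * 24 * 3600


def parse_max_age(header: str) -> Optional[int]:
    """Return the max-age from a Strict-Transport-Security value, or None if absent/invalid."""
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else None
    return None


class HstsStore:
    """Minimal model of a browser's HSTS state: a static preload list plus dynamic entries."""

    def __init__(self, preload: Set[str], now: int = 0) -> None:
        self.preload = set(preload)          # constructed stand-in for the Chrome-derived list
        self.expiry: Dict[str, int] = {}     # host -> absolute expiry time of its dynamic entry
        self.opted_out: Set[str] = set()     # hosts that sent max-age=0; overrides the preload list
        self.now = now

    def observe(self, host: str, header: str, over_https: bool) -> None:
        """Process a Strict-Transport-Security header seen in a response from host."""
        if not over_https:
            return  # RFC 6797: ignored on plain HTTP, so a MITM can neither set nor clear the policy
        max_age = parse_max_age(header)
        if max_age is None:
            return
        if max_age == 0:
            self.expiry.pop(host, None)
            self.opted_out.add(host)         # the article: max-age=0 overrides the preload entry
        else:
            self.expiry[host] = self.now + max_age
            self.opted_out.discard(host)

    def must_use_https(self, host: str) -> bool:
        """Decide whether a navigation to host must be upgraded to HTTPS."""
        if self.expiry.get(host, 0) > self.now:
            return True
        return host in self.preload and host not in self.opted_out


def preload_eligible(header: str) -> bool:
    """Apply the 18-week max-age criterion the article says Mozilla used when building its list."""
    max_age = parse_max_age(header)
    return max_age is not None and max_age >= EIGHTEEN_WEEKS
```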