Firefox 4 Secures HTTPS - InformationWeek

Like Google Chrome, Mozilla's upgraded browser implements HTTP Strict Transport Security, enabling Web sites to specify when only HTTPS pages should be used.

Mozilla's new Firefox 4 browser, released on Tuesday, includes a number of enhanced security features, including tools for opting out of tracking, forgetting sites, and combating malware. But there's another important new feature that wasn't documented: support for HTTP Strict Transport Security (HSTS).

"While HSTS may not be the sexiest security feature for the average Joe, I was thrilled to see it implemented in the world's second most popular browser," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

Already supported in Google Chrome since September 2009, HSTS is an Internet Engineering Task Force draft specification, first published in 2009, for better securing HTTPS pages. From a user's standpoint, what's most noticeable is that it turns insecure links into secure ones, and blocks access to Web sites that lack the right types of digital certificates.

Using HSTS solves a persistent problem with secure Web sites: the browser does not know when a site should be serving secure pages. As a result, an attacker could strip out the SSL from an SSL-secured page, via a man-in-the-middle attack, thus downgrading the page to regular HTTP. The attacker could then eavesdrop on communications, and a user would likely never notice.

But by using HSTS, Web sites can specify -- after the first time a user visits the site -- how the user's browser should subsequently handle the site's HTTPS pages, as well as how frequently it should update the site's digital certificate. As a result, "online banking sites, financial sites or even Facebook and Gmail now have the option to not only enforce HTTPS for users of compliant browsers, but also limit the ability for users to harm themselves through a lack of understanding of technical warnings," said Wisniewski.

Beyond HSTS, other security and privacy features in Firefox 4 include a Do Not Track flag which, if respected by advertisers, could be used to opt out of behavioral profiling. Firefox 4 also includes integration with desktop antivirus for scanning downloads, plus anti-phishing and anti-malware tools, a private browsing mode, and content security policies aimed at blocking cross-site scripting attacks.
