Firefox 4+ Users:
Your browser already supports Strict-Transport-Security (equivalent to Force-TLS)! If you want the Force-TLS User Interface and the ability to manually force sites, the newest version (3.0.2) of Force-TLS will do that for you. (The add-on "sts-ui" is no longer maintained).

ForceTLS And Strict-Transport-Security
Sid Stamm (forcetls at sidstamm dot com)

ForceTLS is an adaptation of the ForceHTTPS protocol by Collin Jackson and Adam Barth, which supports a simple HTTP header in forcing automatic connections to HTTPS connections in the future. This helps prevent cookie theft and other man-in-the-middle attacks when you're using an insecure network. Here's how it works:

  1. A site x.com served via HTTPS provides a header X-Force-TLS in its response. The header contains a max-age value (how long to remember the forced TLS) and optionally an includeSubDomains flag.
  2. The browser recieves this header and adds it to a Force TLS database.
  3. In the future, any requests to x.com are modified to be via HTTPS if they are attempted through HTTP before the request hits the network.
  4. If any subdomains *.x.com are requested via HTTP and the includeSubDomains flag was set, they are also forced to be HTTPS.

How to use the add-on

The add-on more or less works autonomously in the background, so you shouldn't have to do much to help it work. If you want, you can enable debugging and watch status messages pop up in the Javascript error console. You can also add sites to the ForceTLS database yourself, and force HTTPS requests for sites that may not even know ForceTLS exists.

Enabling Debugging

To enable debugging, navigate to about:config and set the preference extensions.forcetls@sid.stamm.debug to "true". Watch errors show up in STDOUT or in the Javascript error console.

Manually adding sites

The UI provided by version 2.0 and newer contains an "add new" feature that makes adding sites manually really simple. Just choose the "ForceTLS Configuration" option from the "Tools" menu, and fill out the dialog (Screenshot). You can use this configuration screen to remove the "forced" state of sites too.

Additionally, if you're on a site and want to quickly add a manual entry for it, open the "Page Info" dialog (ctrl-i), and pick the permissions tab. There's an entry for forcing the site at the bottom (Screenshot).

Private Browsing

As of version 1.0.3, when in private browsing mode, no new data is saved to disk. New X-Force-TLS headers will still be honored, but not persist across sessions. Any X-Force-TLS data received before private browsing mode was entered (and is on disk) will also be honored.

Get the Add-On

Go get it from addons.mozilla.org

Get the STS-UI add-on for Firefox 4.0beta (no longer maintained)

Or you can download it from here (but not over an HTTPS channel):

Version 3.0.2 (latest) -- MD5 digest: 9192fea24c9fa40a2ed0cb7ed6c948d9-

Version 2.0 -- MD5 digest: a456fadc144efc00580765b3d6a596bf-

Header Syntax (ABNF)

Strict-Transport-Security = "Strict-Transport-Security" ":"
              "max-age" "=" delta-seconds
              [ ";" "includeSubDomains" ]
When this header is present in a HTTPS response, Force-TLS will be enforced for delta-seconds and if includeSubDomains is present, all subdomains of the site served with the header will also be forced to use HTTPS.

References

  1. ForceHTTPS by Collin Jackson and Adam Barth. Stanford Web Security group. https://crypto.stanford.edu/forcehttps/.

Copyright © 2009 Sid Stamm and Mozilla Corporation. All Rights Reserved.   Privacy Policy