Monday, August 10, 2009

force tls

A while back, Collin Jackson and Adam Barth presented this idea called ForceHTTPS. The main idea was simple, yet powerful: allow sites a way to say "in the future, ALWAYS load me via HTTPS". Why?

"Computers are increasingly mobile and, to serve them, more and more public spaces (cafes, airports, libraries, etc.) offer their customers WiFi access. When a web browser on such a network requests a resource, it is implicitly trusting the hotspot not to interfere with the communication. A malicious computer hooked up to the network could alter the traffic, however, and this can have some unpleasant consequences." [Mozilla Security Blog]

I like this force-security feature, and by suggestion from a few other interested parties, I took to implementing a slightly different version from what Jackson and Barth had done in the past. For now, I'm calling it ForceTLS, and the indicator to "always load via HTTPS" is an HTTP response header.

There's more details on my Force-TLS web site, but that's the gist of what it does. Some folks are working on a more detailed specification that hopefully will be published soon. For now, check out the add-on for Firefox, and let me know what you think!


Anonymous said...

Does this extensions toggle the network.http.pipelining.ssl pre to true? Is that something that can be put in the options of it?

Sid Stamm said...

No, my implementation of ForceTLS doesn't enable SSL pipelining. My impression is that SSL pipelining isn't stable enough to be enabled globally, since many websites will break when it's used.

That said, I think you are suggesting putting it into the header like "includesubdomains". That's not a bad idea. I'm not sure how easy that would be to enable on a site-by-site basis, but I'll look into it.

Anonymous said...

Ideally you could put this information in DNS, and then use DNSSEC.