Tuesday, October 26, 2010

Managing HSTS Data

I blogged about HTTP Strict-Transport-Security (HSTS) before and how it's all new and shiny in Firefox 4. With all the happy Firesheep attacks on the horizon, it's even more important that sites start using HSTS.

In case you don't want to wait for your favorite sites to start deploying strict-transport-security, here's a way for you to enable it yourself. I whipped up a quick add-on proof of concept that lets you add and remove HSTS data.

There are two ways to manage HSTS data for sites using this add-on:
  1. Navigate to an HTTPS page, open the page info dialog, and tick the "Always access content from this site securely" box
  2. Choose the "Manage Strict-Transport-Security..." item from the Tools menu, and enter the host names for your favorite sites there.

One caveat: once a host is in the list, Firefox rewrites every http:// request for it to https:// before the request goes out, so only pin hosts that actually serve everything over HTTPS. A host that is only partly available over HTTPS will simply stop working until you remove it again.
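To make concrete what the browser does with the entries you add, here is a small JavaScript model of a browser-side HSTS store. This is an added example written for this post; it is not the STS-UI or Force-TLS add-on's code and does not call Firefox's internal HSTS service. The class name, method names and the sample hosts are my own choices. It shows the three things that matter once a host is pinned: the header is only honoured on HTTPS responses, entries expire after max-age, and includeSubDomains widens the match to every label below the host.

```javascript
// Constructed model of a browser-side HSTS store (not Firefox's own
// service and not the STS-UI/Force-TLS add-on code).

// Parse a Strict-Transport-Security header value. Returns
// { maxAge, includeSubDomains } or null if the header is malformed.
function parseHstsHeader(value) {
  const seen = {};
  for (const rawPart of value.split(';')) {
    const part = rawPart.trim();
    if (part === '') continue;
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? '' : part.slice(eq + 1).trim();
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1);
    }
    // A directive given twice makes the header invalid.
    if (Object.prototype.hasOwnProperty.call(seen, name)) return null;
    seen[name] = val;
  }
  if (!Object.prototype.hasOwnProperty.call(seen, 'max-age')) return null;
  if (!/^\d+$/.test(seen['max-age'])) return null;
  return {
    maxAge: Number(seen['max-age']),
    includeSubDomains: Object.prototype.hasOwnProperty.call(seen, 'includesubdomains'),
  };
}

class HstsStore {
  // `now` is injectable so expiry can be exercised without waiting.
  constructor(now = () => Date.now()) {
    this.entries = new Map(); // host -> { expires (ms), includeSubDomains }
    this.now = now;
  }

  // Pin a host, which is what the add-on's checkbox and dialog do.
  // max-age=0 means "forget this host", matching the header semantics.
  set(host, maxAgeSeconds, includeSubDomains) {
    host = host.toLowerCase();
    if (maxAgeSeconds === 0) { this.entries.delete(host); return; }
    this.entries.set(host, {
      expires: this.now() + maxAgeSeconds * 1000,
      includeSubDomains: Boolean(includeSubDomains),
    });
  }

  remove(host) { this.entries.delete(host.toLowerCase()); }

  // Handle a header seen on a response. Returns true if it was accepted.
  processHeader(url, headerValue) {
    const u = new URL(url);
    // A header on a plain-HTTP response could have been injected by an
    // on-path attacker, so only HTTPS responses may set HSTS state.
    if (u.protocol !== 'https:') return false;
    // IP literals never get HSTS state.
    if (/^[\d.]+$/.test(u.hostname) || u.hostname.startsWith('[')) return false;
    const parsed = parseHstsHeader(headerValue);
    if (parsed === null) return false;
    this.set(u.hostname, parsed.maxAge, parsed.includeSubDomains);
    return true;
  }

  // True if the host itself is pinned, or an ancestor is pinned with
  // includeSubDomains. Expired entries are dropped on the way.
  isSecureHost(host) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= this.now()) { this.entries.delete(candidate); continue; }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite http:// to https:// for pinned hosts. Port 80 becomes the
  // https default (443); an explicit non-default port is left alone.
  upgrade(url) {
    const u = new URL(url);
    if (u.protocol !== 'http:' || !this.isSecureHost(u.hostname)) return url;
    u.protocol = 'https:';
    return u.toString();
  }
}
```

Two details are worth noticing: the store silently ignores a perfectly valid header if it arrived over plain HTTP, which is exactly why a site that only ever serves HTTP cannot bootstrap itself into the list and why a manual add-on like this one is useful, and an entry added by hand with a huge max-age will keep forcing HTTPS long after you have forgotten about it, so keep a way to remove entries.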

Let me know what you think!

UPDATE: Instead of maintaining the add-on in parallel with Force-TLS, I've decided to adapt Force-TLS to use the HSTS bits built into Firefox 4 and show you the same UI. Instead of the STS-UI add-on, try installing Force-TLS!

5 comments:

dd said...

Side note: addons.mozilla.org is HTTP only for this, among other reasons.

Security Retentive said...

Sid - this rocks. Thanks

=JeffH said...

Excellent addition to FF, thanks! fyi, I've posted a write-up on Firesheep and HSTS (HTTP Strict Transport Security), here: http://identitymeme.org/archives/2010/10/29/firesheep-and-hsts-http-strict-transport-security/

Anonymous said...

The add-on has been removed from AMO (probably because of the new review policy). Can you please re-submit it?

Sid Stamm said...

@Anonymous:

Instead of maintaining the add-on in parallel with Force-TLS, I've decided to adapt Force-TLS to use the HSTS bits built into Firefox 4.

So if you want the UI back (like in STS-UI), install the Force-TLS add-on!