November 16, 2010 at 21:42HSTS will be implemented in Firefox and Google Chrome
In the near future, the HTTP Strict Transport Security (HSTS) standard will be supported by Firefox and Google Chrome.
This specification provides an absolutely guaranteed way of client-server communication only through a secure protocol.
Currently, while this standard is not supported, when connecting to a server, an HTTP connection is established by default, and only then the browser switches to HTTPS, if possible. Such a mechanism leaves room for a man-in-the-middle attack. In turn, the HSTS protocol is designed to close this vulnerability. With HSTS support, site creators can put the following command on the server
The max-age parameter sets the time in seconds to force the use of an HTTPS session.
And then all HTTP requests will be forcibly redirected to HTTPS.
Firefox developers have announced that their support will be implemented in the next version.
This specification provides an absolutely guaranteed way of client-server communication only through a secure protocol.
Currently, while this standard is not supported, when connecting to a server, an HTTP connection is established by default, and only then the browser switches to HTTPS, if possible. Such a mechanism leaves room for a man-in-the-middle attack. In turn, the HSTS protocol is designed to close this vulnerability. With HSTS support, site creators can put the following command on the server
Strict-Transport-Security: max-age = 15768000
The max-age parameter sets the time in seconds to force the use of an HTTPS session.
And then all HTTP requests will be forcibly redirected to HTTPS.
Firefox developers have announced that their support will be implemented in the next version.