Force-TLS extension for Firefox

General discussion about the NoScript extension for Firefox
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Force-TLS extension for Firefox

Post by Alan Baxter » Tue Jul 28, 2009 4:12 am

Have you seen this, Giorgio? I found out about it on the Mozilla security blog. Would it conflict with NoScript HTTPS forcing at all? Should I install it?

From Force-TLS extension for Firefox:
Force-TLS allows web sites to tell Firefox that they should be served via HTTPS in the future; this helps secure you from accidentally negotiating an insecure session with certain sites.
More about this add-on

ForceTLS is an adaptation of the ForceHTTPS protocol by Collin Jackson and Adam Barth, which supports a simple HTTP header in forcing automatic connections to HTTPS connections in the future. Here's how it works:

1. A site x.com served via HTTPS provides a header X-Force-TLS in its response. The header contains a max-age value (how long to remember the forced TLS) and optionally an includeSubDomains flag.
2. The browser receives this header and adds it to a Force TLS database.
3. In the future, any requests to x.com are modified to be via HTTPS if they are attempted through HTTP before the request hits the network.
4. If any subdomains *.x.com are requested via HTTP and the includeSubDomains flag was set, they are also forced to be HTTPS.

Use this add-on to extend Firefox so that it will listen to X-Force-TLS suggestions from web servers.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
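
The four steps quoted in the post above, modelled as an added example; this is not the Force-TLS add-on's code and not code from the thread. The header syntax `max-age=<seconds>; includeSubDomains` (semicolon-separated) and the names `parseForceTls` and `ForceTlsStore` are assumptions made for illustration.

```javascript
// Added example: a model of the quoted Force-TLS steps, not the add-on's own code.
// Assumed header syntax: "max-age=<seconds>; includeSubDomains".
function parseForceTls(value) {
  let maxAge = null, includeSubDomains = false;
  for (const part of value.split(';').map(s => s.trim()).filter(Boolean)) {
    const [name, arg] = part.split('=').map(s => s.trim());
    if (name.toLowerCase() === 'max-age' && /^\d+$/.test(arg || '')) maxAge = Number(arg);
    else if (name.toLowerCase() === 'includesubdomains') includeSubDomains = true;
  }
  return maxAge === null ? null : { maxAge, includeSubDomains }; // max-age is required
}

class ForceTlsStore {
  constructor() { this.entries = new Map(); } // host -> { expires, includeSubDomains }

  // Steps 1-2: record the header only when the response arrived over HTTPS,
  // so a header seen on a plain-HTTP response never creates an entry.
  observe(url, headerValue, nowMs) {
    const u = new URL(url);
    const policy = parseForceTls(headerValue);
    if (u.protocol !== 'https:' || !policy) return false;
    this.entries.set(u.hostname, { expires: nowMs + policy.maxAge * 1000,
                                   includeSubDomains: policy.includeSubDomains });
    return true;
  }

  // Steps 3-4: rewrite http:// to https:// before the request reaches the network.
  upgrade(url, nowMs) {
    const u = new URL(url);
    if (u.protocol !== 'http:') return url;
    const labels = u.hostname.split('.');
    for (let i = 0; i < labels.length; i++) {
      // i === 0 is the exact host; i > 0 is a parent domain, which only
      // applies when that parent set includeSubDomains.
      const e = this.entries.get(labels.slice(i).join('.'));
      if (e && e.expires > nowMs && (i === 0 || e.includeSubDomains)) {
        u.protocol = 'https:';
        return u.href;
      }
    }
    return url; // no unexpired entry covers this host
  }
}
```
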

Giorgio Maone
Site Admin
Posts: 8790
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Force-TLS extension for Firefox

Post by Giorgio Maone » Tue Jul 28, 2009 7:31 am

No, no conflict. It's the server-side opt-in version of our client-side HTTPS enforcer.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)

Re: Force-TLS extension for Firefox

Post by Alan Baxter » Tue Jul 28, 2009 3:07 pm

Thank you for the feedback. I installed it now.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Force-TLS extension for Firefox

Post by GµårÐïåñ » Tue Jul 28, 2009 9:49 pm

Alan, just a small heads up. When you install Force-TLS and you click on any link that opens a function into another page, it will give you a blank tab. For example, if you are in the moderator control panel here and under banning tab you click on find member, it will open up a blank tab. I also noticed this with a few other sites like badoo and facebook as well. Not sure if it's an inherent problem with the addon itself, or a conflict while installed with something else, but it happens, so keep that in mind. Good luck.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1

Re: Force-TLS extension for Firefox

Post by Alan Baxter » Wed Jul 29, 2009 4:10 am

Thanks for the warning. I think I'll wait until it's more mature before I install it. I'm not interested in debugging it.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1

Re: Force-TLS extension for Firefox

Post by GµårÐïåñ » Wed Jul 29, 2009 5:30 am

You are welcome. Anytime I can help minimize the headache, I try. I have been doing what I can to figure out why without stepping on the developer's toes and it seems to be how the header is being passed. If it's done on a strictly http site like this one with a previous header response to the negative, the new one seems to be ignored by the server and hence the blank response. I am not sure what mechanism can mitigate this exactly but if I figure it out, I will pass it along to the developer or maybe someone smarter has already figured it out.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
