InformAction Forums

Have you seen this, Giorgio? I found out about it on the Mozilla security blog. Would it conflict with NoScript HTTPS forcing at all? Should I install it?

From Force-TLS extension for Firefox:
Force-TLS allows web sites to tell Firefox that they should be served via HTTPS in the future; this helps secure you from accidentally negotiating an insecure session with certain sites.
More about this add-on

ForceTLS is an adaptation of the ForceHTTPS protocol by Collin Jackson and Adam Barth, which supports a simple HTTP header in forcing automatic connections to HTTPS connections in the future. Here's how it works:

1. A site x.com served via HTTPS provides a header X-Force-TLS in its response. The header contains a max-age value (how long to remember the forced TLS) and optionally an includeSubDomains flag.
2. The browser recieves this header and adds it to a Force TLS database.
3. In the future, any requests to x.com are modified to be via HTTPS if they are attempted through HTTP before the request hits the network.
4. If any subdomains *.x.com are requested via HTTP and the includeSubDomains flag was set, they are also forced to be HTTPS.

Use this add-on to extend Firefox so that it will listen to X-Force-TLS suggestions from web servers.

No, no conflict. It's the server-side opt-in version of our client-side HTTPS enforcer.

Thank you for the feedback. I installed it now.

Alan, just a small heads up. When you install Force-TLS and you click on any link that opens a function into another page, it will give you a blank tab. For example, if you are in the moderator control panel here and under banning tab you click on find member, it will open up a blank tab. I also noticed this with a few other sites like badoo and facebook as well. Not sure if its an inherent problem with the addon itself, or a conflict while installed with something else, but it happens, so keep that in mind. Good luck.

Thanks for the warning. I think I'll wait until it's more mature before I install it. I'm not interested in debugging it.

You are welcome, anytime I can help minimize the headache, I try. I have been doing what I can to figure out why without stepping on the developer's toes and it seems to be how the header is being passed. If its done on a strictly http site like this one with a previous header response to the negative, the new one seems to be ignored by the server and hence the blank response. I am not sure what mechanism can mitigate this exactly but if I figure it out, I will pass it along to the developer or maybe someone smarter has already figured it out.