ForceTLS Implementation
Sid Stamm (sid at mozilla dot com)

ForceTLS is an adaptation of the ForceHTTPS protocol by Collin Jackson and Adam Barth: a site sends a simple HTTP header that tells the browser to force all of its future connections to that site over HTTPS. Here's how it works:

  1. A site x.com, served via HTTPS, includes an X-Force-TLS header in its response. The header carries a max-age value (how long the browser should remember the forced-TLS rule) and optionally an includeSubDomains flag.
  2. The browser receives this header and adds the rule to its Force TLS database.
  3. From then on, any request to x.com that is attempted over HTTP is rewritten to HTTPS before the request hits the network.
  4. If the includeSubDomains flag was set, requests over HTTP to any subdomain *.x.com are also forced to HTTPS.

Header Syntax (ABNF)

X-Force-TLS = "X-Force-TLS" ":" "max-age" "=" delta-seconds
              [ ";" "includeSubDomains" ]

When this header is present in an HTTPS response, Force-TLS is enforced for that host for delta-seconds; if includeSubDomains is present, all subdomains of the site that served the header are also forced to use HTTPS.
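As an added illustration (not the ForceTLS add-on's own code), here is a small JavaScript model of the header parser and of the upgrade decision from the four steps above; the names parseForceTls and ForceTlsStore are chosen for this example, and times are plain seconds.

```javascript
// Added example, not the ForceTLS add-on's own code: a minimal model of the
// X-Force-TLS header parser and the HTTP -> HTTPS upgrade decision.
// parseForceTls and ForceTlsStore are names chosen for this example.

// Parse a header value per the ABNF:
//   "max-age" "=" delta-seconds [ ";" "includeSubDomains" ]
// Returns { maxAge, includeSubDomains }, or null for a malformed value.
function parseForceTls(value) {
  const m = /^\s*max-age\s*=\s*(\d+)\s*(?:;\s*(includeSubDomains)\s*)?$/i.exec(value);
  if (m === null) return null;
  return { maxAge: Number(m[1]), includeSubDomains: m[2] !== undefined };
}

class ForceTlsStore {
  constructor() {
    this.rules = new Map(); // host -> { expires, includeSubDomains }
  }

  // Steps 1-2: remember the header, but only when it arrived over HTTPS, so an
  // on-path attacker on a plaintext connection cannot plant or alter rules.
  // `now` is a time in seconds; the rule expires at now + max-age.
  record(host, headerValue, overHttps, now) {
    if (!overHttps) return false;
    const parsed = parseForceTls(headerValue);
    if (parsed === null) return false;
    this.rules.set(host.toLowerCase(), {
      expires: now + parsed.maxAge,
      includeSubDomains: parsed.includeSubDomains,
    });
    return true;
  }

  // Steps 3-4: should an http:// request for `host` be rewritten to https://?
  shouldUpgrade(host, now) {
    host = host.toLowerCase();
    for (const [ruleHost, rule] of this.rules) {
      if (now >= rule.expires) continue;                       // max-age elapsed
      if (host === ruleHost) return true;                      // exact host match
      if (rule.includeSubDomains && host.endsWith('.' + ruleHost)) return true;
    }
    return false;
  }
}

// Usage: a response from x.com over HTTPS sets a one-hour rule for x.com and
// its subdomains; a later plain-HTTP request to www.x.com gets upgraded.
const store = new ForceTlsStore();
store.record('x.com', 'max-age=3600; includeSubDomains', true, 1000);
console.log(store.shouldUpgrade('www.x.com', 2000)); // true
```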

How to use the add-on

The add-on more or less works autonomously in the background, so you shouldn't have to do much to help it work. If you want, you can enable debugging and watch status messages pop up in the JavaScript error console. You can also add sites to the ForceTLS database yourself, and force HTTPS requests for sites that may not even know ForceTLS exists.

Enabling Debugging

To enable debugging, navigate to about:config and set the preference extensions.forcetls@sid.stamm.debug to "true". Debug messages then show up on STDOUT or in the JavaScript error console.

Manually adding sites

Update: The new UI provided by version 2.0 contains an "add new" feature that makes adding sites manually really simple. Just choose the "ForceTLS Configuration" option from the "Tools" menu, and fill out the dialog. You can use this configuration screen to remove the "forced" state of sites too.

Additionally, if you're on a site and want to quickly add a manual entry for it, open the "Page Info" dialog (ctrl-i), and pick the permissions tab. There's an entry for forcing the site at the bottom.

To manually add a site to the ForceTLS database, add a new boolean preference in about:config with the key name extensions.forcetls@sid.stamm.permanant.rule.[hostname] and set its value to "true". If you would also like to force HTTPS for all of that site's subdomains, add the boolean preference extensions.forcetls@sid.stamm.permanant.subd.[hostname], likewise with the value "true".

Example: I want to force TLS connections for all *.mozilla.com domains. I add the rule and subd preferences for mozilla.com described above (both with the value "true") to about:config.

If I only wanted to force "mozilla.com", I would either remove the second "subd" pref, or set its value to "false". An example hand-entered rule for "*.paypal.com" has been included with the add-on.

Private Browsing

As of version 1.0.3, no new data is saved to disk while in private browsing mode. New X-Force-TLS headers are still honored during the session, but they do not persist across sessions. Any X-Force-TLS data that was received (and written to disk) before private browsing mode was entered continues to be honored.

Get the Add-On

Go get it from addons.mozilla.org

Or you can download it from here (but not over an HTTPS channel):

Version 2.0 (latest) -- MD5 digest: a456fadc144efc00580765b3d6a596bf

Old versions:

Version 1.0.3 -- MD5 digest: 97d583093398e227637da34ffef2ea1f

Version 1.0.2 -- MD5 digest: a877e1ee1955cb68041418afc71539da

Version 1.0.1 -- MD5 digest: c9738f29168bfa70dd9288032c268bc6

Version 1.0 -- MD5 digest: ff97d57293df7d9634eb65732f707cb8

Version 0.1 -- MD5 digest: 0e0fa3397312bc2cec3f399e73c0f931

References

  1. ForceHTTPS by Collin Jackson and Adam Barth. Stanford Web Security group. https://crypto.stanford.edu/forcehttps/.