Here’s the announcement from the Mozilla Security Blog: <a href="http://blog.mozilla.com/security/2009/07/27/locking-up-the-valuables-opt-in-security-with-forcetls/" rel="nofollow">http://blog.mozilla.com/security/2009/07/27/locking-up-the-v...</a><p>I wonder how the initial request could be made secure. With the current proposal, if you happen to work over a compromised network connection the first time you open a site, the site cannot force your browser to connect over HTTPS and the attacker wins.<p>Daniel Veditz commented on this concern:<p>“...[W]elcome to the bootstrapping problem. We’re making the assumption that the sites people most want to protect from eavesdropping and tampering are those for which they’ve set up accounts. That means they connected correctly at least once, and this header could be set at that time. In addition, careful users could always add ‘https://’ themselves the first time and avoid that initial redirect.” (<a href="http://blog.mozilla.com/security/2009/07/27/locking-up-the-valuables-opt-in-security-with-forcetls/#comment-106091" rel="nofollow">http://blog.mozilla.com/security/2009/07/27/locking-up-the-v...</a>)
I'm not seeing how this is a big improvement over an HTTP redirect (via a Location header) to the HTTPS site -- beyond a single connection for each session, to redirect to the HTTPS site. Nor any improvement over RFC2817 HTTP Upgrade to TLS, which has the advantage of allowing virtual hosting of multiple secure sites on a single port on a single IP address.
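An added example, not code from the Mozilla post or from either commenter, modelling the two points above: the bootstrapping problem from the first comment and the header-versus-Location-redirect comparison from the second. It is a toy browser-side policy store plus a constructed honest server and a constructed on-path attacker who strips the redirect. Assumptions: the header name `X-Force-TLS` with a `max-age` directive (the proposal's header, which neither comment names), a clock value passed in so the run is deterministic, and the invented hostname `bank.example`.

```javascript
// Added example (not from the thread or the ForceTLS proposal's own code).
// Assumed header name: X-Force-TLS with max-age, as in the Mozilla proposal.
const FORCE_TLS_HEADER = 'x-force-tls';

class ForceTlsStore {
  constructor() {
    this.policies = new Map(); // hostname -> expiry (ms since epoch)
  }

  // Record a policy carried in a response. Only a response received over TLS
  // is trusted: anything on a plain-HTTP path could have been injected.
  noteResponse(hostname, headers, overTls, now) {
    const value = headers[FORCE_TLS_HEADER];
    if (!overTls || value === undefined) return false;
    const m = /max-age\s*=\s*(\d+)/i.exec(value);
    if (!m) return false;
    const maxAge = Number(m[1]);
    if (maxAge === 0) {
      this.policies.delete(hostname); // max-age=0 lets a site withdraw the policy
    } else {
      this.policies.set(hostname, now + maxAge * 1000);
    }
    return true;
  }

  // Run before any bytes reach the wire: an http:// URL for a host with a live
  // policy is rewritten to https:// locally, so no redirect is ever requested.
  rewrite(url, now) {
    const u = new URL(url);
    if (u.protocol !== 'http:') return url;
    const expiry = this.policies.get(u.hostname);
    if (expiry === undefined) return url;
    if (expiry <= now) {
      this.policies.delete(u.hostname);
      return url;
    }
    u.protocol = 'https:';
    return u.toString();
  }
}

// Constructed origin server: plain HTTP answers with a Location redirect (the
// status quo the second comment describes), HTTPS answers with the policy header.
function honestNetwork(url) {
  const u = new URL(url);
  if (u.protocol === 'http:') {
    return { status: 301, headers: { location: 'https://' + u.host + u.pathname } };
  }
  return { status: 200, headers: { [FORCE_TLS_HEADER]: 'max-age=3600' } };
}

// Constructed on-path attacker: answers plain HTTP itself, so the redirect never
// arrives; it cannot forge the host's certificate, so HTTPS passes through.
function hostileNetwork(url) {
  if (new URL(url).protocol === 'http:') {
    return { status: 200, headers: {}, tampered: true };
  }
  return honestNetwork(url);
}

// One navigation: apply the local policy, fetch, follow redirects, note headers.
function visit(store, url, network, now) {
  let current = store.rewrite(url, now);
  for (let hop = 0; hop < 5; hop++) {
    const u = new URL(current);
    const resp = network(current);
    store.noteResponse(u.hostname, resp.headers, u.protocol === 'https:', now);
    if (resp.status === 301) {
      current = store.rewrite(resp.headers.location, now);
      continue;
    }
    return { finalUrl: current, tampered: Boolean(resp.tampered) };
  }
  throw new Error('too many redirects');
}

function runScenarios() {
  const t0 = 1000000000000;
  const seasoned = new ForceTlsStore();
  // 1. Account-creation visit from a clean network: redirect, then the header.
  const first = visit(seasoned, 'http://bank.example/login', honestNetwork, t0);
  // 2. Same browser a minute later on a hostile network: upgraded before the wire.
  const later = visit(seasoned, 'http://bank.example/', hostileNetwork, t0 + 60000);
  // 3. A browser with no stored policy whose first contact is on the hostile
  //    network: the bootstrapping problem from the first comment.
  const fresh = visit(new ForceTlsStore(), 'http://bank.example/', hostileNetwork, t0);
  // 4. Four hours on, past max-age, the seasoned browser is exposed again.
  const expired = visit(seasoned, 'http://bank.example/', hostileNetwork, t0 + 4 * 3600 * 1000);
  return { first, later, fresh, expired };
}

module.exports = { ForceTlsStore, honestNetwork, hostileNetwork, visit, runScenarios };
```

The difference from a plain redirect is in scenario 2: the rewrite happens in the browser before any request is sent, so there is no cleartext round trip for the attacker to answer. Scenarios 3 and 4 show the two limits the comments raise, a first contact with nothing stored and a lapsed `max-age`, both of which fall back to exactly the redirect-stripping attack.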
The issue is that people don't always check to see if a site is secure before putting in their login credentials and so if someone does a man-in-the-middle on their bank website, they might not notice that it isn't HTTPS.<p>I'd suggest that there's another good defense (not that I think this proposal is bad). Right now, everyone turns off that "warn me before sending insecure data over the internet" warning because it would be annoying as all hell. Every form you tried to submit would give you a warning. First, I'd change it to only warn about sending a password field over an insecure connection. That's really what most people are worried about. Second, because we all have non-SSL sites with passwords, allow for an exceptions list - continue warning me about sending insecure passwords, except for this site which I realize is insecure, but don't care.<p>That way the browser is warning people about insecurely sending the information they want sent securely. It provides them with a convenient exceptions list for places that don't use SSL and the user deems fine for that exception.
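An added example, not from the comment above, of the narrower warning it proposes as a decision function a browser could run at form submission. The inputs (the page URL, the form's `action` attribute, the input types, and a user-kept set of excepted hosts) are assumed; the comment describes the idea, not an interface. The hostnames `bank.example`, `legacy.example` and `wiki.lan` are constructed.

```javascript
// Added example (not from the thread). Warn only when a password field is
// about to leave over plain HTTP, unless the user has excepted the target host.
function passwordWarning({ pageUrl, action, fieldTypes, exceptions }) {
  const hasPassword = fieldTypes.some(t => String(t).toLowerCase() === 'password');
  if (!hasPassword) {
    return { warn: false, reason: 'no password field; ordinary form data is not warned about' };
  }
  // An empty or relative action submits to the page itself, so resolve it
  // against the page URL; an absolute action may use a different scheme.
  const target = new URL(action || '', pageUrl);
  if (target.protocol === 'https:') {
    return { warn: false, reason: 'password submits over TLS' };
  }
  // The exception is keyed on the host the password goes TO, not the page
  // host: an https page can still post a password to an http endpoint.
  if (exceptions.has(target.hostname)) {
    return { warn: false, reason: 'user accepted cleartext passwords for ' + target.hostname };
  }
  return { warn: true, reason: 'password would be sent in the clear to ' + target.host };
}

// Constructed exception list: a home wiki the user has decided not to care about.
const userExceptions = new Set(['wiki.lan']);

function demo() {
  return {
    // Bank login page fetched over http, form posts back to itself.
    bankOverHttp: passwordWarning({
      pageUrl: 'http://bank.example/login', action: '',
      fieldTypes: ['text', 'password'], exceptions: userExceptions,
    }),
    // Page is https, but the form ships the password to an http endpoint.
    httpsPageHttpAction: passwordWarning({
      pageUrl: 'https://bank.example/login', action: 'http://legacy.example/auth',
      fieldTypes: ['text', 'password'], exceptions: userExceptions,
    }),
    // Everything over TLS: no warning.
    allHttps: passwordWarning({
      pageUrl: 'https://bank.example/login', action: '/auth',
      fieldTypes: ['text', 'PASSWORD'], exceptions: userExceptions,
    }),
    // A search box over http: no password, so no warning either.
    searchBox: passwordWarning({
      pageUrl: 'http://news.example/', action: '/search',
      fieldTypes: ['text'], exceptions: userExceptions,
    }),
    // The excepted wiki: insecure, but the user said so.
    exceptedWiki: passwordWarning({
      pageUrl: 'http://wiki.lan/login', action: '',
      fieldTypes: ['text', 'password'], exceptions: userExceptions,
    }),
  };
}

module.exports = { passwordWarning, userExceptions, demo };
```

The point of resolving the form action rather than looking at the page's own scheme is the second case: a login page served over TLS that posts to a plain-HTTP endpoint would pass a page-only check, and that is exactly the situation the user cannot see from the address bar.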
Mozilla's propensity for adding yet another database to your user profile with each new feature they add is really starting to grate on me.<p>Though now that they're planning to keep knownhosts-like data around for https, perhaps they could be persuaded to use a more SSH-style system for self-signed certificates instead of the intentionally user-hostile asshattery they implemented in FF3.