We're on Firefox's internal HSTS List Now
Posted by Write.app on 09/25/2013
Remember last winter when we made a big deal about being on Chrome's internal HSTS list? Well, guess what? Write.app is now on the Firefox internal HSTS list too.
Why is this a big deal?
Being on the internal HSTS list means that no matter what, you will always be connected to Write.app using a secure connection (SSL) even if you've never visited the site before. So congrats, Chrome and Firefox users. You are now safe from SSL hijacking attacks.
Just to remind everyone what HSTS is and why it's important: whenever you connect to an SSL-secured site, unless you specifically type https:// in your browser's URL bar before the writeapp.me part, you'll be connected to the non-SSL version of the site first, which will then redirect you to the SSL-secured version. Normally this isn't a big deal and you're still totally secure, but there is a chance that an attacker can intercept your connection before the redirect to the secure version of the site happens and start reading everything you send back and forth to Write.app. Not cool.

What HSTS does is tell your browser: "from now on, no matter what your user types in the address bar, always connect to me using a secure HTTPS connection, even if the user specifically tries not to." This is a step in the right direction, but what if you've never visited Write.app before? During your very first visit we'll need to tell your browser that we have HSTS turned on, and that first visit still starts out over plain HTTP. This leaves the door open for one last man-in-the-middle attack. Now, chances are slim that of all the times you visit a website, this one particular time will be the one where your connection gets intercepted, but it is possible. If you're using a browser that has us in its HSTS list (Chrome and Firefox), then none of the attacks I mentioned above can happen, because the browser already knows to use HTTPS before it has ever talked to us.
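To make the first-visit gap concrete, here is a small simulation of the browser side of HSTS. It is an added example written for this page, not code from Write.app or from any browser. It parses the Strict-Transport-Security response header as defined in RFC 6797, keeps a store of hosts learned from that header alongside a built-in preload list, and walks through two address-bar visits to a host that is only dynamically HSTS-enabled versus one that is preloaded. The hostname example.test, the fixed timestamps and the header values are constructed for the illustration; writeapp.me is used as the preloaded host because the post says it is on the list.

```python
"""Simulation of browser-side HSTS handling, including a preload list.

Constructed example: shows why the very first http:// visit to a host that
is only dynamically HSTS-enabled still goes out in the clear, while a host
on the browser's built-in (preload) list is upgraded on its first visit.
Header syntax follows RFC 6797; hosts, times and headers are made up.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts_header(value):
    """Parse a Strict-Transport-Security header value.

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool},
    or None when the header is unusable (max-age missing or not a number).
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class HstsStore:
    """What a browser knows: a static preload list plus hosts learned from headers."""

    def __init__(self, preload):
        # Preloaded entries are treated as covering subdomains, which is what
        # the preload submission process requires (assumption stated here).
        self.preload = {h.lower() for h in preload}
        self.dynamic = {}  # host -> (expiry timestamp, include_subdomains)

    def _matches(self, host, now):
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:
                return True
            entry = self.dynamic.get(candidate)
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now=None):
        """Return the URL the browser will actually request."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme == "http" and self._matches(parts.hostname.lower(), now):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url

    def learn(self, host, header_value, now=None):
        """Record a policy carried by a response that arrived over HTTPS."""
        now = time.time() if now is None else now
        policy = parse_hsts_header(header_value)
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self.dynamic.pop(host.lower(), None)  # max-age=0 means "forget me"
            return True
        self.dynamic[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])
        return True


def simulate_visits(store, host, header_value, visits=2):
    """Type `host` into the address bar `visits` times; return the scheme used each time.

    The site redirects plain HTTP to HTTPS, and the HTTPS response carries the
    HSTS header, so the browser learns the policy after every visit. Only the
    scheme of the *initial* request is recorded: that is the exposed moment.
    """
    used = []
    now = 1_000_000.0  # constructed clock
    for _ in range(visits):
        url = store.rewrite("http://" + host + "/", now=now)
        used.append(urlsplit(url).scheme)
        store.learn(host, header_value, now=now)
        now += 60
    return used


if __name__ == "__main__":
    store = HstsStore(preload=["writeapp.me"])
    print("not preloaded:", simulate_visits(store, "example.test", "max-age=31536000"))
    print("preloaded:    ", simulate_visits(store, "writeapp.me", "max-age=31536000; includeSubDomains; preload"))
```

Run it and the non-preloaded host shows ['http', 'https']: the first request leaves in the clear and only the second is upgraded. The preloaded host shows ['https', 'https'], which is exactly the point of the post. The store also expires entries when max-age runs out, which is why sites on the preload list still have to keep sending the header with a long max-age.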
Now, if only Internet Explorer had an HSTS list... we'd be totally covered.