Mozilla introduced a preloaded list of domains that Firefox will only connect to securely, in order to help protect the privacy and security of users.
To force secure connections between the browser and a server, Mozilla uses HSTS (HTTP Strict Transport Security), a mechanism used by servers to indicate that the connecting browser must use a secure connection, wrote Mozilla's David Keeler in a blog post.
When the browser connects to an HSTS server for the first time, though, it does not know whether it should use a secure connection, because it has never received an HSTS header from that host. "Consequently, an active network attacker could prevent the browser from ever connecting securely (and even worse, the user may never realize something is amiss)," Keeler wrote, adding that setting up the connection that way still leaves it vulnerable to attacks.
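
The first-connection gap described above, modelled as an added example (not Mozilla's or Firefox's code): a simplified HSTS store that consults a preload list alongside headers learned over HTTPS. The `HstsStore` class, its method names and the `.example` hosts are constructed for illustration.

```python
import time
from urllib.parse import urlsplit

# Constructed sample preload entries: host -> include_subdomains (not Mozilla's real list).
PRELOAD = {"bank.example": True}

def parse_sts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None  # malformed max-age: ignore the whole header
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    def __init__(self, preload=PRELOAD):
        self.preload = dict(preload)  # shipped with the browser, known before any visit
        self.dynamic = {}             # host -> (expiry_ts, include_subdomains)

    def note_response(self, url, header, now=None):
        """Record an STS header; it only counts when it arrived over HTTPS."""
        now = time.time() if now is None else now
        parts, parsed = urlsplit(url), parse_sts(header)
        if parts.scheme != "https" or parsed is None:
            return
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.dynamic.pop(host, None)  # max-age=0 deletes the learned entry
        else:
            self.dynamic[host] = (now + max_age, include_sub)

    def must_use_https(self, host, now=None):
        """True if the host, or a parent covering subdomains, requires HTTPS."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), i == 0
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            entry = self.dynamic.get(candidate)
            if entry and entry[0] > now and (exact or entry[1]):
                return True
        return False
```

A host that is not preloaded returns `False` from `must_use_https` until a header has been seen over HTTPS, which is the window the preload list closes.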