"While HSTS may not be the sexiest security feature for the average Joe, I was thrilled to see it implemented in the world's second most popular browser," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.
Already supported in Google Chrome since September 2009, HSTS is an Internet Engineering Task Force draft specification, first published in 2009, for better securing HTTPS pages. From a user's standpoint, what's most noticeable is that it turns insecure links into secure ones, and blocks access to Web sites that lack the right types of digital certificates.
Using HSTS solves a persistent problem with secure Web sites: the browser has no way of knowing when a site should be serving secure pages. Without it, an attacker could strip the SSL from an SSL-secured page via a man-in-the-middle attack, downgrading the page to regular HTTP. The attacker could then eavesdrop on communications, and a user would likely never notice.
But by using HSTS, Web sites can specify -- after the first time a user visits the site -- how the user's browser should subsequently handle the site's HTTPS pages, as well as how frequently it should update the site's digital certificate. As a result, "online banking sites, financial sites or even Facebook and Gmail now have the option to not only enforce HTTPS for users of compliant browsers, but also limit the ability for users to harm themselves through a lack of understanding of technical warnings," said Wisniewski.
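The behaviour described above, modelled as a small browser-side HSTS policy store. This is an added example, not code from the article or from Firefox; the header name Strict-Transport-Security comes from the IETF specification, while the hostnames and max-age values are constructed for illustration.

```python
import time
from urllib.parse import urlsplit, urlunsplit

class HstsCache:
    """Minimal model of a browser's HSTS store: host -> (expiry, includeSubDomains)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so policy expiry can be exercised
        self.policies = {}

    def observe(self, host, headers, over_https):
        """Record a Strict-Transport-Security header. It is honoured only when received
        over HTTPS, so an on-path attacker on plain HTTP cannot plant or clear a policy."""
        value = headers.get("Strict-Transport-Security")
        if not over_https or value is None:
            return
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(arg.strip().strip('"'))
                except ValueError:
                    return  # malformed header: ignore it entirely
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return
        if max_age == 0:
            self.policies.pop(host, None)  # site asks the browser to forget the policy
        else:
            self.policies[host] = (self.now() + max_age, include_sub)

    def _applies(self, host):
        """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy and policy[0] > self.now() and (i == 0 or policy[1]):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// before any request leaves the browser; this is
        what defeats the SSL-stripping downgrade the article describes."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self._applies(parts.hostname):
            netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url
```

The first visit must itself be over HTTPS for the policy to be learned, which is why the article says the protection applies only after the first visit.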
Beyond HSTS, other security and privacy features in Firefox 4 include a Do Not Track flag which, if respected by advertisers, could be used to opt out of behavioral profiling. Firefox 4 also includes integration with desktop antivirus for scanning downloads, plus anti-phishing and anti-malware tools, a private browsing mode, and content security policies aimed at blocking cross-site scripting attacks.