Firefox 92 is available. One of the changes is “More secure connections: Firefox can now automatically upgrade to HTTPS using HTTPS RR as Alt-Svc headers.” Many websites mention this change but don’t add any details.
Always stay in the loop!
Subscribe to our RSS/Atom feed.
“Service binding and parameter specification via the DNS” is a draft that introduces two additional DNS resource records, SVCB (Service Binding) and HTTPS (HTTPS Binding).
Service Binding is an upcoming and general DNS resource record (neither HTTP nor security-specific), allowing clients to retrieve more information about a service by resolving a single DNS resource record.
HTTPS Binding is a security-specific variant of SVCB for HTTPS and HTTP. Some use cases for HTTPS Binding (as mentioned in the draft) are:
- Provide an HSTS-like indication signaling that the HTTPS scheme should be used instead of HTTP for this request.
- Connect directly to HTTP/3 (QUIC transport) alternative endpoints.
- Obtain the Encrypted Client Hello (ECH) keys associated with an alternative endpoint.
The draft describes the first use case (HSTS-like indication) in its section 8.5: “By publishing a usable HTTPS RR, the server operator indicates that all useful HTTP resources on that origin are reachable over HTTPS, similar to HTTP Strict Transport Security.”
Firefox 92 implements this use case. HTTP Strict Transport Security (HSTS), as described in RFC 6797, is an optional HTTP response header. It tells clients to connect via HTTPS instead of HTTP in the future.
The “HTTPS” resource record may result in “more secure connections” as it tells clients to connect via HTTPS, but additionally adds a mechanism to retrieve keys for the Encrypted Client Hello (ECH) for TLS. The implementations might change as these mechanisms rely on several drafts at the moment.
Emily Stark’s blog post provides insight into the subtle differences between HSTS and HTTPS Binding: Strict Transport Security vs. HTTPS Resource Records: the showdownexternal link
- draft-ietf-dnsop-svcb-https-07 – Service binding and parameter specification via the DNS (DNS SVCB and HTTPS RRs)external link
- GitHub repository – SVCB, HTTPSSVC, and ALTSVC DNS recordsexternal link
- RFC 6797 – HTTP Strict Transport Security (HSTS)external link