ForceTLS is an adaptation of the ForceHTTPS protocol by Collin Jackson and Adam Barth. It lets a site use a simple HTTP header to make the browser automatically use HTTPS for future connections to that site. This helps prevent cookie theft and other man-in-the-middle attacks when you're using an insecure network. Here's how it works:
The add-on works more or less autonomously in the background, so you shouldn't have to do much to help it work. If you want, you can enable debugging and watch status messages pop up in the JavaScript error console. You can also add sites to the ForceTLS database yourself, and force HTTPS requests for sites that may not even know ForceTLS exists.
To enable debugging, navigate to about:config and set the preference extensions.forcetls@sid.stamm.debug to "true". Watch errors show up in STDOUT or in the JavaScript error console.
The UI provided by version 2.0 and newer contains an "add new" feature that makes adding sites manually really simple. Just choose the "ForceTLS Configuration" option from the "Tools" menu, and fill out the dialog (Screenshot). You can use this configuration screen to remove the "forced" state of sites too.
Additionally, if you're on a site and want to quickly add a manual entry for it, open the "Page Info" dialog (ctrl-i), and pick the permissions tab. There's an entry for forcing the site at the bottom (Screenshot).
Go get it from addons.mozilla.org
Get the STS-UI add-on for Firefox 4.0beta (no longer maintained)
Or you can download it from here (but not over an HTTPS channel):
Version 3.0.2 (latest) -- MD5 digest: 9192fea24c9fa40a2ed0cb7ed6c948d9
Version 2.0 -- MD5 digest: a456fadc144efc00580765b3d6a596bf
Strict-Transport-Security = "Strict-Transport-Security" ":" "max-age" "=" delta-seconds [ ";" "includeSubDomains" ]
When this header is present in an HTTPS response, Force-TLS will be enforced for delta-seconds, and if includeSubDomains is present, all subdomains of the site served with the header will also be forced to use HTTPS.
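The header rule above can be sketched as a strict parser plus a host lookup. This is an added example, not the add-on's own code: parseSTS, ForceStore and the host example.test are made up for illustration, and tolerating whitespace around tokens is an assumption.

```javascript
// Added example: parseSTS and ForceStore are illustrative names, not add-on code.
// Assumption: optional whitespace around tokens is tolerated; anything else is rejected.
function parseSTS(value) {
  const m = /^\s*max-age\s*=\s*(\d+)\s*(;\s*includeSubDomains\s*)?$/i.exec(value);
  if (!m) return null;
  const maxAge = Number(m[1]);
  // Reject delta-seconds too large to add to a timestamp without losing precision.
  if (!Number.isSafeInteger(maxAge)) return null;
  return { maxAge, includeSubDomains: m[2] !== undefined };
}

class ForceStore {
  constructor() {
    this.entries = new Map(); // host -> { expires, includeSubDomains }
  }

  // Record the header for host. Only an HTTPS response may set or change state.
  observe(scheme, host, headerValue, nowSec) {
    if (scheme !== "https") return false;
    const parsed = parseSTS(headerValue);
    if (!parsed) return false;
    this.entries.set(host.toLowerCase(), {
      expires: nowSec + parsed.maxAge,
      includeSubDomains: parsed.includeSubDomains,
    });
    return true;
  }

  // True if a request to host at nowSec must be sent over HTTPS.
  mustForce(host, nowSec) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const entry = this.entries.get(labels.slice(i).join("."));
      if (!entry || nowSec >= entry.expires) continue;
      // i === 0 is an exact match; parent entries apply only with includeSubDomains.
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
}

// Constructed sample: example.test is a placeholder host, times are in seconds.
const demo = new ForceStore();
demo.observe("https", "example.test", "max-age=600; includeSubDomains", 1000);
console.log(demo.mustForce("www.example.test", 1200));
```

Because observe ignores headers from plain HTTP responses, content injected on an insecure network can neither create nor shorten an entry.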