Firefox 24.1.1 HSTS network.stricttransportsecurity.preloadlist URLs

Since I haven’t seen it posted anywhere else, I thought some might find it useful to post the list of embedded URLs Firefox 24.1.1 includes for HSTS.  I found these URLs on my own machine by following these instructions (for OSX users):
1. Ideally with Firefox closed, open /Applications/Firefox.app/Contents/MacOS/XUL in SynalyzeIt or your favorite hex editor
2. Apply the encoding SynalyzeIt or your favorite hex editor proposes (ISO_8859-1:1987 in my case)
3. Search for network.stricttransportsecurity.preloadlist

The list of URLs immediately follows the text “https:// sts/use sts/subd includesubdomains test.currentTimeOffsetSeconds”:
aladdinschools.appspot.com
alpha.irccloud.com
api.intercom.io
app.recurly.com
arivo.com.br
bank.simple.com
bassh.net
bccx.com
blog.cyveillance.com
blog.linode.com
blog.torproject.org
bugzilla.mozilla.org
business.medbank.com.mt
carezone.com
check.torproject.org
chromiumcodereview.appspot.com
cloudns.com.au
cloudsecurityalliance.org
codereview.appspot.com
conformal.com
controlcenter.gigahost.dk
crate.io
crm.onlime.ch
crypto.cat
cyphertite.com
developer.mydigipass.com
dist.torproject.org
dm.lookout.com
dm.mylookout.com
download.jitsi.org
ebanking.indovinabank.com.vn
entropia.de
espra.com
factor.cc
forum.linode.com
forum.quantifiedself.com
grc.com
haste.ch
howrandom.org
id.mayfirst.org
inertianetworks.com
intercom.io
itriskltd.com
keyerror.com
lastpass.com
launchkey.com
library.linode.com
linode.com
linx.net
lockify.com
login.persona.org
login.sapo.pt
logotype.se
lolicore.ch
lookout.com
luneta.nearbuysystems.com
makeyourlaws.org
manager.linode.com
mattmccutchen.net
mediacru.sh
mega.co.nz
members.mayfirst.org
members.nearlyfreespeech.net
mudcrab.us
my.onlime.ch
mylookout.com
neg9.org
oplop.appspot.com
p.linode.com
passwd.io
paste.linode.com
pastebin.linode.com
pay.gigahost.dk
paymill.com
paymill.de
piratenlogin.de
pixi.me
rapidresearch.me
riseup.net
roundcube.mayfirst.org
sandbox.mydigipass.com
securityheaders.com
shodan.io
silentcircle.com
simple.com
squareup.com
stocktrade.de
stripe.com
support.mayfirst.org
surkatty.org
therapynotes.com
twitter.com
ubertt.org
webmail.gigahost.dk
webmail.mayfirst.org
webmail.onlime.ch
wiki.python.org
wiz.biz
writeapp.me
www.apollo-auto.com
www.braintreepayments.com
www.cueup.com
www.cyveillance.com
www.entropia.de
www.grc.com
www.intercom.io
www.irccloud.com
www.linode.com
www.lookout.com
www.makeyourlaws.org
www.mydigipass.com
www.mylookout.com
www.noisebridge.net
www.simple.com
www.therapynotes.com
www.torproject.org
www.twitter.com

An eclectic mix, no? Among the interesting omissions from this list that might surprise some users:
Apple
Google
Facebook
LinkedIn
CDNs like Akamai, AWS
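
The hex-editor search described above can also be scripted. This is an added example, not part of the original post: it assumes the binary stores the pref name and the hostnames as consecutive NUL-terminated strings, and the hostname pattern, `MAX_PREFIX` and the function names are illustrative, heuristic choices.

```python
import re
import sys

MARKER = b"network.stricttransportsecurity.preloadlist"
# Assumption: entries are NUL-terminated, lowercase, dotted hostnames.
HOSTNAME = re.compile(rb"[a-z0-9-]+(?:\.[a-z0-9-]+)+")
MAX_PREFIX = 16  # assumption: non-hostname strings tolerated before the list


def _tokens(blob, pos):
    """Yield non-empty NUL-terminated byte strings starting at pos."""
    while pos < len(blob):
        end = blob.find(b"\x00", pos)
        end = len(blob) if end < 0 else end
        if end > pos:
            yield blob[pos:end]
        pos = end + 1


def extract_preload_hosts(blob):
    """Return the run of hostnames stored after the preload-list pref name."""
    start = blob.find(MARKER)
    if start < 0:
        raise ValueError("marker string not found")
    while start >= 0:
        hosts, skipped = [], 0
        for tok in _tokens(blob, start + len(MARKER)):
            if HOSTNAME.fullmatch(tok):
                hosts.append(tok.decode("ascii"))
            elif hosts or skipped >= MAX_PREFIX:
                break  # end of the run, or no list near this occurrence
            else:
                skipped += 1  # e.g. "https://", "sts/use", ...
        if hosts:
            return hosts
        start = blob.find(MARKER, start + 1)  # try the next occurrence
    return []


# Constructed sample mimicking the layout described above (not real XUL bytes).
SAMPLE = b"\x00".join([
    b"\x7fjunk", MARKER, b"https://", b"sts/use", b"sts/subd",
    b"includesubdomains", b"test.currentTimeOffsetSeconds",
    b"aladdinschools.appspot.com", b"bank.simple.com", b"www.torproject.org",
    b"%s: unrelated string", b"not.part.of.list", b""])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(extract_preload_hosts(data)))
```

Run with the path to the XUL binary as the only argument to print the extracted hostnames; without an argument it runs on the constructed sample.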
