Firefox 76 gets optional HTTPS-only mode
Mozilla plans to introduce an optional HTTPS-only mode in Firefox 76 which only allows connections to HTTPS sites.
Most Internet sites already use HTTPS to improve the security of connections. HTTPS encrypts the connection, which protects the traffic against manipulation in transit and prevents anyone on the path from reading or logging the activity.
Firefox users may soon enable an option in the web browser to allow only HTTPS connections; this sounds very similar to how HTTPS Everywhere operates. The browser extension tries to upgrade unencrypted resources to encrypted ones when enabled, and it comes with an option to block any traffic that is not encrypted.
When enabled, Firefox loads HTTPS sites and resources just like before. When HTTP sites or resources are detected, the browser attempts to upgrade these to HTTPS. The site or resource is loaded if the upgrade worked; if not, it is blocked, which may result in sites becoming inaccessible or only partially loaded.
Firefox users who run Firefox 76 or newer can activate the new HTTPS-Only mode in the browser in the following way:
- Load about:config in the browser's address bar.
- Confirm that you will be careful.
- Search for dom.security.https_only_mode using the search field at the top.
- Set the preference to TRUE to enable HTTPS-only connections in Firefox.
- Set the preference to FALSE to allow all connections (default).
A "Secure Connection Failed" error is displayed by Firefox if a site cannot be upgraded to HTTPS after the preference has been set to TRUE in about:config.
The new HTTPS-Only mode works like HTTPS Everywhere's strict mode as it blocks all insecure connections automatically. Firefox's built-in feature does not support a fallback mode (which HTTPS Everywhere supports).
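To make the upgrade-or-block behaviour described above, and the difference between the strict mode and a fallback mode, concrete, here is an added simulation in Python. It is not Firefox's or HTTPS Everywhere's code. The network is replaced by an injected probe `https_ok` and a constructed host set `HTTPS_CAPABLE_HOSTS` so it runs offline; the treatment of an explicit `:80` port and of non-http schemes such as `about:` is an assumption, and the subresource handling goes beyond the article to show the "partially loaded" outcome.

```python
"""
Simulation of the decision an HTTPS-only policy makes for each request:
strict=True blocks anything that cannot be upgraded (Firefox's mode as the
article describes it); strict=False falls back to http instead.
Added example, not Mozilla code; the probe stands in for the network.
"""
from urllib.parse import urlsplit, urlunsplit

BLOCKED = "blocked"   # sentinel: the request is refused under strict policy


def upgrade_url(url: str) -> str:
    """Rewrite an http:// URL as https://.

    An explicit ':80' is dropped because it is only the default http port
    and https defaults to 443 (assumption; other explicit ports are kept).
    Non-http URLs are returned unchanged.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    netloc = parts.netloc
    if parts.port == 80:
        netloc = netloc.rsplit(":", 1)[0]      # also works for "[::1]:80"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def resolve(url: str, https_ok, strict: bool = True) -> str:
    """Decide what a single request becomes under the policy.

    https_ok(candidate_url) -> bool is the injected probe that says whether
    the upgraded URL actually loads. Returns the URL that will be fetched,
    or BLOCKED when strict mode refuses the insecure fallback.
    """
    if urlsplit(url).scheme != "http":
        # https:// loads as before; about:, file:, data: are assumed not to
        # be subject to the upgrade (the article does not mention them).
        return url
    candidate = upgrade_url(url)
    if https_ok(candidate):
        return candidate                      # upgrade worked
    return BLOCKED if strict else url         # strict: block; fallback: keep http


def load_page(page_url, subresource_urls, https_ok, strict=True):
    """Apply the policy to a document and the resources it embeds.

    Shows the 'partially loaded' outcome: the page itself may upgrade while
    some of its http-only resources are blocked. If the top-level document
    is blocked, nothing else is requested.
    """
    page = resolve(page_url, https_ok, strict)
    summary = {"page": page, "loaded": [], "blocked": []}
    if page == BLOCKED:
        return summary
    for sub in subresource_urls:
        result = resolve(sub, https_ok, strict)
        if result == BLOCKED:
            summary["blocked"].append(sub)
        else:
            summary["loaded"].append(result)
    return summary


# Constructed stand-in for the network: the hosts that answer on https.
HTTPS_CAPABLE_HOSTS = {"example.com", "cdn.example.net"}


def demo_probe(url: str) -> bool:
    """Offline probe: the candidate 'loads' iff its host is in the set."""
    return urlsplit(url).hostname in HTTPS_CAPABLE_HOSTS


if __name__ == "__main__":
    page = "http://example.com:80/index.html"
    subs = ["http://cdn.example.net/app.js", "http://legacy.example/stream.mp3"]
    print("strict  :", load_page(page, subs, demo_probe, strict=True))
    print("fallback:", load_page(page, subs, demo_probe, strict=False))
```

Running it shows the page upgrading to `https://example.com/index.html` in both modes, while the http-only stream is blocked in strict mode and kept as http in fallback mode; a top-level document that cannot be upgraded is blocked outright under the strict policy, which is the "Secure Connection Failed" case.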
Is this useful?
How useful is an HTTPS-only mode on today's Internet? I see some limited applications for it when combined with browser profiles. A user could enable the feature for a profile that is used exclusively for online banking or other sensitive tasks on the Internet that benefit from increased security.
While most sites do support HTTPS already (Mozilla's own stats show that about 82% of all Firefox connections use HTTPS), it is still quite common for HTTP-only sites or resources to be accessed on the Internet.
Most Internet users may therefore find the HTTPS-only mode disruptive, as it blocks access to certain sites or resources on the Internet.
Now You: What is your take on an HTTPS-only mode? (via Sören Hentzschel)
I was just looking for this setting today. i.e. block all HTTP sites.
I am glad this setting is supported.
I have used https only for months without any problems. I only have to allow http like 2-3 times a day, mostly for a download. Thus far about 80% of malware/phishing links are hosted on http, so it helps a lot. Not to mention ads/tracking, and also MITM is much more difficult on https only. :)
This is a very long-awaited, and a VERY welcome, feature. Tip for those who still use port 80 but want to also use this feature: quickly toggle it on and off via this shortcut…
chrome://global/content/config.xhtml?filter=dom.security.https_only_mode
Personally, I block port 80 at the host firewall and very rarely allow comms on that port. Constantly adding the s after http is a real pain (but less pain than some of the addons addressing this issue).
Currently use HTTPS Everywhere and I love it. This seems similar to it, and if it is then it would be great if we got a quick toggle (in case we need to turn it off/on) from the lock icon in the URL bar.
This is brilliant. Not having to rely on an addon for essential features is great.
HTTPS collection – 9 extensions:
https://addons.mozilla.org/en-US/firefox/collections/2504736/HTTPS/
There might be others which I don’t know.
The ones I listed above on March 24, 2020 at 4:50 pm are for enforcing https automatically. Some other https extensions:
Manual http/https toggles:
https://addons.mozilla.org/firefox/addon/httptohttps/
https://addons.mozilla.org/firefox/addon/add-https/
Discover non-https links on a page:
https://addons.mozilla.org/firefox/addon/moartls/
Beyond HTTPS-Everywhere, some extensions with similar https enforcement functionality (but with some differences), ordered by number of users:
https://addons.mozilla.org/firefox/addon/smart-https-revived/
https://addons.mozilla.org/firefox/addon/httpz/
https://addons.mozilla.org/firefox/addon/https-by-default/
https://addons.mozilla.org/firefox/addon/consistent-https/
https://addons.mozilla.org/firefox/addon/https-already/
https://addons.mozilla.org/firefox/addon/httpsmanager/
https://addons.mozilla.org/firefox/addon/safeguard/
Until the CSP bug (which has made progress, but looks like it’s on hold again) has been resolved, using EASE can cause extension conflicts. As such, while this doesn’t have a whitelist, it allows extensions to function normally, making it a better option.
This could be a welcome optional feature, if it was not to be expected that this is only a first step before this becomes mandatory with no possible fallback, knowing how Mozilla likes doing small incremental changes without being transparent about what their longer term plans are (or even their real motivations).
https://www.ghacks.net/2020/03/19/mozilla-will-remove-ftp-support-in-the-firefox-web-browser/#comment-4457315
“Some not-so-far-away day, be sure that all the big browsers will forbid connecting to everything non https” -> this day seems closer already.
The thing is, Google has business incentives beyond user security to have https everywhere, but has no business incentives not to make the old unmaintained http-only sites impossible to access (as long as the other big browsers follow their lead, which they usually do), in spite of this being a big cost for the rest of us for often negligible security gains. We’re not talking about banking sites here, neither about forcing replacement of http with https for those sites, just plain cutting them out. Granted, this will push some sites to upgrade, but many will just be lost.
So I think that some day they will just bulldoze those countless hours of work out of existence on a whim for their bottom line. Like this happened with flash applications, for which some easy conversion system should have been worked on at least (Mozilla interrupted their efforts on that), but what mattered for Google was to take from Adobe the control of the web video DRM, and they did, now having their own proprietary black box DRM in every browser. Like this happened for classic extensions in Firefox, to be replaced with a Google standard which is now used to attack ad-blockers. Every time the security excuse was given, and it was partly true, but fundamentally not the only reason, and the counter-arguments were not given enough weight because destroying thousands of hours of the work of others (and denying users the freedom to have the last word on what they do) doesn’t cost them a dime, it only costs us.
HTTPS also proves the authenticity of domains to prevent illegal takeovers, spoofing, etc. This is at least as important as encryption.
“this sounds very similar to how HTTPS Everywhere operates.”
In EASE mode (Encrypt All Sites Eligible), and it still allows one-time or permanent exceptions, like Kincaid describes.
Yaay, the engine is a slow POS, but good thing we can enforce HTTPS. Now only the kewl skriptkiddies who know how to obtain a LetsEncrypt cert can potentially trick you into whatever website they crafted.
On the bright side, you’ve got plenty of time to figure this out by the time Gecko parses it.
Telemetry data showed moz://a their users want this feature so badly? 🤔
If Mozilla enforces https with no fallback some day, it may force the remaining small sites that don’t have one yet to grab a free certificate from Let’s Encrypt. That level of centralization is not good, especially in USA.
What kind of “centralization”?
To get a certificate signed for free that was generated on your machine and not stored/received from a corporation that copied/sold it before giving it to you for ~1000$ ?
Please tell us more!
@Stv
Let’s Encrypt is a better alternative than those corporations of course, the problem is that there should be more like them, but independent from them.
The problem with the current CA system is that there are too many Authorities out there.
All Authorities were able to sign certs for any website until the CAA flag came (it happened with Google and many accounts were "hacked" because of it).
The next step should be that Mozilla removes/changes the secure lock to a warning page for all https sites that have not configured the CAA flag correctly.
Yes, that “All Authorities were able sign certs to any website” is a problem, not in itself that there are too many authorities to choose from.
@Yuliya
Firefox might be slow if you're on Linux or have very old hardware, but I don't notice any difference between Servo and Chromium on my Win10 PC.
(There are some sites that work better with Chromium, but they're rare to find and sites that I don't use daily, so it's not a problem for me.)
Besides that, as a power user speed is not the only thing that decides my favourite browser.
On Firefox with userChrome.css and about:config you can change almost anything (e.g. ghacks-user.js).
You can turn the browser into your own personal software. Make it behave as you wish. Make it look as you wish. Something completely different from the default installation.
On Chrome/Chromium you can't do much really. You're heavily restricted. The only thing you can do is get the source code from the Chromium depot and make your own build with your own patches.
BTW, I'm not a Mozilla shill. I tried to leave Firefox before, but simply couldn't find a better browser than Firefox for my needs.
My second best is Naver's Whale Browser. It's Chromium based. If you're on a Chromium based browser, give it a try. It has nice customization features you can change on the settings page.
You must be new here.
Oh hell, Yuliya is talking nonsense again… Please ban this troll from Ghacks finally!
HTTPS-only mode imperatively requires a whitelist feature. If some sites accept both http and https access, hence accept a sweet kick to open via https, some others are still http-only, i.e. practically all radio streams, not to mention several others, not to mention that one site only, if it's a place you like and visit regularly, if available only via http and embraces no confidential data, is itself the reason for refusing https-only.
I use a dedicated "https-enforcement" Firefox extension named HTTPZ which tries to open http sites with https and returns to http if the secure connection fails, or if the user whitelists the site: that is smart, while HTTPS-only, with no exception management, is basically, IMO, idiot.
@Tom Hawack: so, how does HTTPZ differ from HTTPS Everywhere?
I like this idea, but it really needs a quick bypass for sites you are willing to load with HTTP. Not a huge scary warning, just a simple “Site does not support encrypted connections.”, with a “Proceed” button. That’s all it would take.
I don’t know what it’s going to take to get sites like http://www.faqs.org/ to upgrade to HTTPS.
This is pretty dumb, if you think about it. Some websites still use HTTP; they won't be displayed at all using this mode. What HTTPS Everywhere does is use the HTTPS version based on a set of rules the extension regularly downloads. This way you always get the secure connection while not preventing HTTP websites from being displayed, if an HTTPS version doesn't exist.
Just my 2 cents.
@Iron Heart, HTTPS Everywhere only works on websites on the extension’s whitelist, not on every website.
Firefox’s solution works on every website (according to the ghacks article), & you save physical memory by eliminating the HTTPS Everywhere web extension.
For websites still using HTTP, you can use your backup browser (probably Chrome).
I’m optimistic about HTTPS-only mode & I can’t wait to try it.
One less web extension is always welcome.
HTTPS by Default is better, it tries HTTPS first and if it errors or seems empty it will then go to HTTP.
@Wolfie0827: the article clearly states: