Firefox 80: HTTPS-only Mode in Settings

Martin Brinkmann
Jul 11, 2020
Updated • Jul 11, 2020
Firefox
|
41

Mozilla added an optional HTTPS-only mode to Firefox 76 Nightly back in March 2020. The organization's engineers have now added the mode to the settings of Firefox 80 Nightly, and it is likely that users of other Firefox channel versions, e.g. Firefox Stable, will be able to configure the mode once their version of the browser is updated to Firefox 80.

HTTPS-Only Mode is designed to enforce HTTPS on sites. It works similarly to HTTPS Everywhere and other HTTPS upgrade extensions for browsers in that it attempts to upgrade HTTP connections, that are not secure, to HTTPS connections, which are.

The core difference between the native HTTPS-Only Mode and extensions is that Mozilla's implementation attempts to upgrade every HTTP connection to HTTPS.

HTTPS Everywhere uses a list for the upgrades that rewrite connections on sites that are opened in the browser.

firefox 80 https only mode error

Firefox's HTTPS-Only Mode applies the upgrade to all HTTP connections, even if an HTTPS option is not available; this may lead to loading errors that can range from sites not loading at all to content on the site becoming unavailable.

Firefox informs the user if the entire site could not be loaded because it does not support HTTPS. The same is not true for elements that may not be loaded on a site, though. Users may select to go forward with the loading of the site if it fails to load entirely.

Up until now, Nightly users had to set the value of the preference dom.security.https_only_mode to TRUE to enable the feature in the browser. A value of FALSE, the default, disables the HTTP to HTTPS upgrade enforcement in the browser.

firefox 80 https-only mode

Starting in Firefox 80, that is no longer necessary but still available. Mozilla added options to control the browser's HTTPS-Only Mode in the options.

  1. Load about:preferences#privacy in the browser's address bar and scroll all the way down to the HTTPS-Only Mode group.
  2. The feature is set to "Don't enable HTTPS-Only Mode" by default.
    • Switch it to Enable HTTPS-Only Mode in all windows to enable it everywhere, or
    • Switch it to Enable HTTPS-Only Mode in private windows only, to only enable it for private browsing.
  3. A restart is not required.

When you enable the option, Firefox will rewrite HTTP links to HTTPS automatically.

Closing Words

When Mozilla launched the HTTP upgrade mode in Firefox 76, I concluded that it could be useful in some situations, e.g. when using profiles in Firefox and using one of the profiles for secure activities such as online banking.

The downside to enabling the mode is that it may break functionality on some sites, and some sites entirely. Since there is no simply "turn off mode on this page" option, it is quite cumbersome to deal with the issue when it is encountered.

I find it puzzling that the option is added to the browser's preferences, considering that Mozilla's stance in the past was to limit user exposure to settings that could potentially impact the accessibility of sites.

I think it would be better if Mozilla would integrate HTTPS Everywhere in the browser, maybe even with an option to enforce HTTPS everywhere. The extension is already included in the Tor Browser by default.

Now You: Would you use the HTTPS-Only Mode in your browser? (via Techdows)

Summary
Firefox 80: HTTPS-only Mode in Settings
Article Name
Firefox 80: HTTPS-only Mode in Settings
Description
Mozilla added a new preference to Firefox 80 Nightly that provides users of the browser with options to enable the HTTPS-Only mode in the browser.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. Some1 said on August 30, 2020 at 2:49 pm
    Reply

    It’s hidden in Firefox 80 stable since it’s not ready for release, you can reveal it by going to about:config and enabling browser.preferences.exposeHTTPSOnly.

  2. some1 said on August 30, 2020 at 12:04 pm
    Reply

    I just updated to stable Firefox 80 and don’t have “HTTPS-Only” in setting. was it removed from final release?

  3. ULBoom said on July 12, 2020 at 3:27 pm
    Reply

    I guess if it works for you. Seems like this shouldn’t be at the top of anyone’s priority list.

    Occasionally, I need to visit or download something from a http site I trust. There still are a lot of them but they should go away.

    What if I try to connect to a device in our Intranet using http?

    It would be nice if https DNS was figured out, that’s a mess, particularly how Chromia and that Chredge Thing implement DNS.

    It’s all Mozilla’s fault! :)

  4. natlec said on July 12, 2020 at 2:37 pm
    Reply

    That’s an unfortunate truth, Chrome has the backing of a large corporation with many talented and well-paid engineers who can stamp-out security issues at moments notice (most of the time). For Firefox, the smaller dedicated team of devs means deprioritising some tasks over others in order to sustain the core functionality; unfortunately, this also means less time is available for proactively addressing security hardening.

    In defense of the Firefox devs, they at least seem aware of these long-standing security issues and are at least attempting to address them with the introduction of Rust & Servo, for example.

  5. VioletMoon said on July 12, 2020 at 5:06 am
    Reply

    An “http” site in 2020? The Internet hasn’t come far in 30 years.

    Make sure to use “https” for anything and everything; boycott any site unwilling to purchase a certificate and run at least a modern version of a site.

  6. 12bytes.org said on July 11, 2020 at 5:12 pm
    Reply

    > I think it would be better if Mozilla would integrate HTTPS Everywhere in the browser …

    i disagree strongly – i think HTTPS Everywhere is using a cave-man approach by relying on curated lists which bloat the size of the extension, possibly leading to performance issues, and which are never entirely accurate

    as others have mentioned, the method used by HTTPZ is superior IMO – no lists, no guessing – it simply attempts to upgrade all non-secure connections and gets out of the way and can, optionally, fall-back to insecure at the users discretion

  7. Stv said on July 11, 2020 at 4:27 pm
    Reply

    The right move in the right dirction again after DoH. I hope some “must have functions” will come like whitelisting and block all mixed contents.

  8. pat said on July 11, 2020 at 3:25 pm
    Reply

    If privacy.firstparty.isolate=true, it doesn’t work!

    If privacy.firstparty.isolate=false, that’s ok, I can access the website in http after warning page and set permission to allow http only on this site.

    ex: http ://www.korgforums .com/forum/phpBB2/viewforum.php?f=80

  9. Mo said on July 11, 2020 at 1:07 pm
    Reply

    I hope we can set exceptions. Currently I use HTTPS Everywhere and love it. But I have exception for lxer.com which is not https. I go there occasional and not much a deal breaker if I can’t to get it with this new option, but would be nice to have exceptions.

  10. 180 said on July 11, 2020 at 1:04 pm
    Reply

    The best new feauture of Firefox 80 for me is the ability to import and export my passwords from Firefox Lockwise.
    Now I can easily backup everything from my installation locally without having to use password managers or accounts.

  11. Borgy said on July 11, 2020 at 12:15 pm
    Reply

    Personally, I prefer SmartHTTS.
    If you want, there is an EFF list on filterlists(.)com.

  12. Kubrick said on July 11, 2020 at 10:43 am
    Reply

    In the future https will no doubt be the standard for all websites and http will be defunct.

    So this functionality may be shortlived.

  13. Yuliya said on July 11, 2020 at 10:41 am
    Reply

    Ah yes, nothing like that false sense of security an extra s gives to certain people.
    I personally would not do anything bank or payment related within firefox. First there are high chances it would fail to load the page properly, and second I do not consider firefox a secure browser. I would rather use Chrome in its default configuration on a clean profile.

    1. Fauszt said on July 12, 2020 at 12:23 pm
      Reply

      Is the new edge as safe as chrome? Or would you prefer chrome for security reasons?

      1. Iron Heart said on July 12, 2020 at 4:35 pm
        Reply

        @Fauszt

        All Chromium-based browsers (provided they are updated regularly) have the same security level at their core. Chrome vs. Edge, there is no difference in that area.

        Chromium-based browser differ regarding the level of privacy they provide. Ungoogled Chromium, Brave, and to some extent Vivaldi, are better than Chrome / Edge / Opera in that regard.

      2. Yuliya said on July 12, 2020 at 4:20 pm
        Reply

        Fauszt, I personally use Chromium, I never used Edge. Edge’s security is probably on par with Chrome’s and other Chromium based web browsers.

    2. Sebas said on July 11, 2020 at 6:16 pm
      Reply

      @Yulia that’s right, Chrome has a much more robust sandbox as Firefox. You had that browsers hacker event for some years, where Firefox was always the first of second one to be hacked, whereas Google Chrome was always much harder to be hacked.

      1. Kubrick said on July 13, 2020 at 8:51 pm
        Reply

        @sebas.
        those hacking contests are absolutely pointless and useless and are not relevant to daily usage.

        it does not prove chromium/chrome is more secure and in fact in terms of certificate revocation etc chrome is rubbish.

        Firefox is a better browser in my opinion and can be customised better than shitty chrome.

      2. Yuliya said on July 11, 2020 at 6:42 pm
        Reply

        >You had that browsers hacker event for some years
        It is what my statement is based on. It is always the browser with the most security flaws, whether mozillians like it or not; such are the facts. In 2016 mozilla did not take part into pwn2own due to firefox’s security being subpar – they’d just lose money over security flaws they already knew existed.

        https://it.slashdot.org/story/16/02/12/034206/pwn2own-2016-wont-attack-firefox-because-its-too-easy

      3. linuxfan said on July 12, 2020 at 7:10 pm
        Reply

        > n 2016 mozilla did not take part into pwn2own due to firefox’s security being subpar – they’d just lose money over security flaws they already knew existed.

        > https://it.slashdot.org/story/16/02/12/034206/pwn2own-2016-wont-attack-firefox-because-its-too-easy

        That’s a perfect example how Firefox haters are presenting fake arguments. That story was from 2016 – i.e. , *before* Firefox switched to its new architecture. This new architecture (based upon Chrome’s) was the prerequisite for making Firefox more secure – but exactly this change with all its related necessary adjustments (like moving away from the old XUL extensions) is permanently criticized by people like you and Iron Heart.

        Are you really sure that you know what you’re after?

      4. Kubrick said on July 13, 2020 at 12:00 pm
        Reply

        @linuxfan
        I find it very interesting that only ONE outfit pawn2own performs these “tests”.
        If these tests were performed by at least a dozen companies and the results contained a similar average then one would be inclined to give them creedence.

        Wonder how much google “invests” in these so called tests.

      5. Yuliya said on July 13, 2020 at 11:02 am
        Reply

        linuxfan, are you sure you’ve gotten your facts straight? Firefox switched “to its “new” architecture” in November 2017. Not 2016.

  14. Paul(us) said on July 11, 2020 at 10:07 am
    Reply

    Martin,
    Again well written informative article.
    Could it be when using like now the add-on https everywhere that this add-on (Or another add-on) will give you the functionality, or maybe that Mozilla is creating a standard possibility to do so to turn off https for a specific site?

    Also, am I am wondering or like the addon https everywhere is a now supplying will there be a possibility to work together with an add who will encrypt main firefox 80 connection?
    I am asking this also because It’s not clear to me when Mozilla with Firefox 80 is creating the https function onboard the browser, is it then necessary to remove the add-on https everywhere?

  15. Jason said on July 11, 2020 at 9:46 am
    Reply

    HTTPS Everywhere fills in for the lack of HSTS while HTTPS-only Mode of Firefox doesn’t.

  16. MartinFan said on July 11, 2020 at 9:39 am
    Reply

    Accessing my router is not through https and I am unwilling to buy a certificate for my router to be able to access it through an https connection. How will that work?

    1. Stv said on July 11, 2020 at 2:27 pm
      Reply

      You can’t buy certificates for routers. It is not possible. Routers don’t have unique IPs.

      I think you have 2 reasonable choices:

      – Use sg that runs a freeradius-server and hooked into your router (RaspberryPi?) then configure the router to use the radius server (Pi). This way your whole WiFi will be secured not just the router. It costs about 50$.

      or

      – flash your router with OpenWRT for FREE if it is supported and you can access it through SSH. It is also possible to install a radius server on it for the whole network.

      Last time i checked such commercial devices cost about 1000$. Your choice.

  17. Iron Heart said on July 11, 2020 at 8:06 am
    Reply

    I’ve said it before, this setting is plain stupid. What if you need to access an HTTP website?

    What HTTPS Everywhere or similar add-ons do is upgrade to HTTPS if possible, yet they still let you access HTTP websites if required. That’s the sane choice.

    1. natlec said on July 11, 2020 at 10:53 am
      Reply

      As clearly indicated by the screenshots in the article, you will still be able to navigate to HTTP sites. It’ll just show a warning page in the event that the site doesn’t support HTTPS and you’ll have to manually click a button to confirm whether you’d like to continue navigating to the site.

      This functionality is long overdue and might be a good incentive for legacy websites to adopt HTTPS (although they might as well just be using outdated browsers if the sites are internal-use only)…now we just need Chrome to adopt the same approach so it actually has a wider impact.

      An encrypted web is better for everyone, in my opinion; although, I do understand the concern that some unmainatined HTTP-only websites may now appear innaccessible to ordinary users.

      I’d be interested in differing takes :)

      1. Iron Heart said on July 11, 2020 at 1:57 pm
        Reply

        @natlec

        So, it just adds a nasty window before one can access an HTTP website anyway? If so, disable this functionality, there is no use to it, provided you want to proceed to the HTTP website no matter what.

  18. Kincaid said on July 11, 2020 at 7:58 am
    Reply

    What a waste of resources at Mozilla. This exact functionality already exists in a free web extension. It has very few real world uses.

    Priorities at Mozilla are still out of whack. They need better leadership, especially in middle level management.

    Firefox is still the best browser for many people, but hard to really like due to the bad decisions, poor communication, and aimless direction.

    1. DropZz said on July 13, 2020 at 8:17 am
      Reply

      @Pants I appreciate your comments and trying to reason with Iron Heart but im pretty sure there is no point.
      “Mozilla = Bad and Brave = Good” seems to be programmed into him. But they seems to have extremely effective Marketing i have to give that to them.

    2. ULBoom said on July 12, 2020 at 3:08 pm
      Reply

      @Iron Heart

      Stop it!

      ALL browsers suck out of the box. FF is the only mainstream browser that can be configured for decent privacy (with a lot of work) and a pleasant interface.

      Ungoogled Chromium can come close with privacy, a little less work than FF. Hacks allow extensions to be installed. Still can’t disable webRTC in any Chromia, not since mid 2018. It can be disabled externally.

      I use Ungoogled Chromium and FF, both heavily modified and both running through a system level ad/tracking blocker which blocks RTC in any browser. The browsing “experience (I hate that word!)” for each is very different. UGC, like all Chromia I’ve used eventually gives the impression you’re being directed to where it wants to go, loads different pages, different search results and ever increasing numbers of captchas compared to FF.

      Why? IDK, I’m a user and only need to understand things to a certain level; I’m happy leaving deeper knowledge to someone like Pants who is great at explaining, with lots of appropriate references, arcane stuff to earth people.

      Cats, horses and lizards have many common characteristics.
      A lizard and horse can be reassembled into a cat. Nope, even though those three statements are true individually, randomly combining keyword characteristics of the three animals to support an assertion about one of them likely gives nonsense.

      1. Iron Heart said on July 12, 2020 at 4:44 pm
        Reply

        @ULBoom

        WebRTC can be deactivated in Chromium via extension:

        https://chrome.google.com/webstore/detail/webrtc-control/fjkmabmdepjfammlpliljpnbhleegehm?hl=de

        If it’s only about the WebRTC IP leak, then you probably know that uBlock Origin already has an option for that.

        Look, I have my reason for not using Firefox (Mozilla running experiments in the background, neglect of important security features, tracking protection that does not deserve the name and whitelists lots of stuff, built-in trackers on FF Android Nightly, privacy-hostile defaults in a browser that is falsely advertised as privacy-respecting, and many more things). If you think it’s worth using, that’s fine by me, but this opinion is just as much an opinion as mine is. I am allowed to voice it, you are allowed to voice it, too. That’s a perfectly acceptable situation that is not in need of change.

        [Editor: removed, please stay on topic]

    3. Trey said on July 11, 2020 at 1:28 pm
      Reply

      @Iron Heart

      Any good points you might make across the threads are lost after the FUD you spread like this. One browser is left that isn’t chrome and you spend your days trying to destroy it. Carry on soldier.

    4. Tom Hawack said on July 11, 2020 at 10:34 am
      Reply

      @Kincaid

      > Firefox is still the best browser for many people[…]

      It is, IMO, the best, period. Which doesn’t be it’s perfect of course. But globally it certainly is the best at this time. Forget systemic anti-Firefox comments including silly putty ones when what we all need is iron arguments and not iron emotions :=)

      1. Tom Hawack said on July 11, 2020 at 2:08 pm
        Reply

        @Iron Heart, what you seem to never have understood is that critics and flood are two different things. Between love and hatred that catheterize flood there is the objective approach all in critics, be they good or bad. When we like we say so and try to argument, same when we dislike. “Passionata” is nice in lyrics but not appropriate in technology. I mean, you’re so predictable. You call dogs with a whistle, people by their name and ‘Iron Heart’ by a positive word concerning Firefox :=)

      2. Tom Hawack said on July 11, 2020 at 2:16 pm
        Reply

        “Between love and hatred that characterize …” not “Between love and hatred that catheterize …” of course.

  19. zed said on July 11, 2020 at 7:57 am
    Reply

    I like it because unlike “https everywhere” it doesn’t use lists, and unlike “httpz” it also applies to subrequests. The downside is it doesn’t allow whitelisting; there are a few websites that just won’t work as they have https enabled but misconfigured, so Firefox doesn’t correctly detect it shoud use http instead.

    1. Tom Hawack said on July 11, 2020 at 10:23 am
      Reply

      @zed wrote : “I like it because unlike “https everywhere” it doesn’t use lists, and unlike “httpz” it also applies to subrequests”. Exactly what I have in mind. I still prefer HTTPZ by the way given that, IMO, the sub-requests it misses is outnumbered by the requests it handles compared to ‘HTTPS Everywhere” which misses quite a few due to its list approach. This is true especially when 3rd-party connections are controlled as they are with, i.e. ‘uBlock Origin’.

      The Firefox native HTTPS-only mode is going to be problematic without a whitelist, it’ll be even more on secured sites sub-requesting unsecured servers (i.e. radio portals). As I see this innovation, at this time, it seems half-baked and perhaps aims an incentive for admins to secure their sites than to actually secure the user. I know that in these conditions I’ll stick to the HTTPZ extension which really works perfectly except as mentioned for sub-requests it is not designed to handle.

      1. Anton said on July 11, 2020 at 2:07 pm
        Reply

        > ‘HTTPS Everywhere” which misses quite a few due to its list approach.

        HTTPS Everywhere has “Encrypt All Sites Eligible (EASE)” mode which upgrades all requests to HTTPS and falls back to HTTP only if HTTPS is not available.

      2. Tom Hawack said on July 11, 2020 at 4:07 pm
        Reply

        @Anton, I remember HTTPS Everywhere’s EASE mode which upgrades all requests to HTTPS, I recall it was problematic then (several months backwards) and I totally ignored it would fall back to HTTP when HTTPS unavailable. Thanks for the information, I’m bound to give it a new try (I had been using it for years before switching to HTTPZ).

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.