Firefox 76 gets optional HTTPS-only mode

silversurfer

Mozilla plans to introduce an optional HTTPS-only mode in Firefox 76 which only allows connections to HTTPS sites.

Most Internet sites use HTTPS already to improve the security of connections. HTTPS encrypts the connection which protects against manipulation and also blocks the logging of activity.

Firefox users may soon enable an option in the web browser to allow only HTTPS connections; this sounds very similar to how HTTPS Everywhere operates. The browser extension tries to upgrade unencrypted resources to encrypted ones when enabled, and it comes with an option to block any traffic that is not encrypted.

When enabled, Firefox loads HTTPS sites and resources just like before. When HTTP sites or resources are detected, the browser attempts to upgrade these to HTTPS. The site or resource is loaded if the upgrade worked; if not, it is blocked, which may result in sites becoming inaccessible or partially loaded.

Firefox users who run Firefox 76 or newer can activate the new HTTPS-Only mode in the browser in the following way:
  1. Load about:config in the browser's address bar.
  2. Confirm that you will be careful.
  3. Search for dom.security.https_only_mode using the search field at the top.
    1. Set the preference to TRUE to enable HTTPS-only connections in Firefox.
    2. Set the preference to FALSE to allow all connections (default).
A "Secure Connection Failed" error is displayed by Firefox if a site cannot be upgraded to HTTPS after setting the preference to TRUE in the Firefox preferences.

The new HTTPS-Only mode works like HTTPS Everywhere's strict mode as it blocks all insecure connections automatically. Firefox's built-in feature does not support a fallback mode (which HTTPS Everywhere supports).

Is this useful?
How useful is a HTTPS-only mode on today's Internet? I see some limited applications for it when combined with browser profiles. A user could enable the feature for a profile that is used exclusively for online banking or other sensitive tasks on the Internet that benefit from increased security.

While most sites do support HTTPS already (Mozilla's own stats show that about 82% of all Firefox connections use HTTPS), it is quite common that HTTP-only sites or resources are accessed on the Internet.

Most Internet users therefore may find the HTTPS-only mode disruptive as it blocks access to certain sites or resources on the Internet.
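
Added example, not part of the original post or of Mozilla's code: a small audit that reports, per Firefox profile, whether `dom.security.https_only_mode` is enabled, which is useful when only one dedicated profile (for example a banking profile) is meant to run in HTTPS-only mode. It assumes each profile directory holds `prefs.js` and optionally `user.js`, that `user.js` takes precedence, and that an unset preference means the default (FALSE); the function names and the sample profiles are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PREF = "dom.security.https_only_mode"
# Matches lines such as: user_pref("dom.security.https_only_mode", true);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_pref(path, name):
    """Return the last value set for `name` in a prefs file, or None if absent."""
    if not path.is_file():
        return None
    value = None
    for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == name:
            value = m.group(2)  # a later line overrides an earlier one
    return value

def https_only_enabled(profile_dir):
    """user.js is applied over prefs.js at startup; unset means default (FALSE)."""
    for fname in ("user.js", "prefs.js"):
        value = read_pref(Path(profile_dir) / fname, PREF)
        if value is not None:
            return value == "true"
    return False

def audit(profiles_root):
    """Map each profile directory name to its HTTPS-only state."""
    return {p.name: https_only_enabled(p)
            for p in sorted(Path(profiles_root).iterdir()) if p.is_dir()}

def build_sample(root):
    """Constructed sample profiles (not real data) so the example runs offline."""
    on = 'user_pref("dom.security.https_only_mode", true);\n'
    off = 'user_pref("dom.security.https_only_mode", false);\n'
    samples = {
        "banking": {"prefs.js": on},
        "default": {"prefs.js": 'user_pref("browser.startup.page", 3);\n'},
        "override": {"prefs.js": on, "user.js": "// pinned setting\n" + off},
    }
    for name, files in samples.items():
        (Path(root) / name).mkdir(parents=True)
        for fname, body in files.items():
            (Path(root) / name / fname).write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for profile, enabled in audit(tmp).items():
            print(f"{profile}: HTTPS-only {'ON' if enabled else 'off (default)'}")
```

To check a real installation, pass the directory that contains the Firefox profile folders to `audit()` instead of the constructed sample.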

 

TairikuOkami

Technically it works pretty well, I had to allow only 2 outdated webpages for http and I occasionally have to allow http for some downloads, but:
Sometimes webpages fail to load, then they reload in https or they fail to load completely, so I have to hit refresh. That is just a bit annoying.
The biggest problem is card payments. Just yesterday a payment failed, because I could not reload Mastercard's verification window.
 

Stopspying

Converting websites from HTTP to HTTPS over the last decade must count as one of the most successful quiet security upgrades ever to affect web browsing.


Using an HTTPS site means that your browser and the site establish an encrypted connection which can’t be snooped on by ISPs, rogue Wi-Fi access points, or anyone else trying to monitor the content of that traffic with bad intent.


It’s not universal yet, but with search engines such as Google downgrading sites that stick with HTTP, and popular browsers marking them as ‘not secure’, unencrypted web connections are surely heading for extinction.

Continued at Firefox 76 will have option to enforce HTTPS-only connections
 

Stopspying

> Technically it works pretty well, I had to allow only 2 outdated webpages for http and I occasionally have to allow http for some downloads, but:
> Sometimes webpages fail to load, then they reload in https or they fail to load completely, so I have to hit refresh. That is just a bit annoying.
> The biggest problem is card payments. Just yesterday a payment failed, because I could not reload Mastercard's verification window.

I occasionally have this issue when using a bank's Visa payment system. But I'd rather a payment fails, as I can re-do it after checking on my account, than it be left 'hanging' so I'm uncertain if it has gone through correctly or not.
 

HarborFront

> Converting websites from HTTP to HTTPS over the last decade must count as one of the most successful quiet security upgrades ever to affect web browsing.
>
> Using an HTTPS site means that your browser and the site establish an encrypted connection which can’t be snooped on by ISPs, rogue Wi-Fi access points, or anyone else trying to monitor the content of that traffic with bad intent.
>
> It’s not universal yet, but with search engines such as Google downgrading sites that stick with HTTP, and popular browsers marking them as ‘not secure’, unencrypted web connections are surely heading for extinction.
>
> Continued at Firefox 76 will have option to enforce HTTPS-only connections

An HTTPS site does NOT mean it is a safe site. It just means that your browser and the site establish an encrypted connection like what you said.

It's still best for the user to enable encrypted (HTTPS) scanning of the HTTPS traffic against malware either in your AV/AM or browser (if available), Adguard, etc.

FYI, Brave browser has 'Upgrade connection to HTTPS' feature built-in
 

Stopspying

> An HTTPS site does NOT mean it is a safe site. It just means that your browser and the site establish an encrypted connection like what you said.
>
> It's still best for the user to enable encrypted (HTTPS) scanning of the HTTPS traffic against malware either in your AV/AM or browser (if available), Adguard, etc.
>
> FYI, Brave browser has 'Upgrade connection to HTTPS' feature built-in

It's well worth highlighting this being the case, the Naked Security article refers to Brian Krebs' discovery -

"There are still misconceptions around this point, including in official advice where you’d least expect it. For example, security blogger Brian Krebs recently discovered the following message buried on the website of the US Census Bureau:

The HTTPS:// ensures that you are connecting to the official website and that any information you provide is encrypted and secure."
 

South Park

Interesting, but I still prefer an add-on which allows fallback for sites that don't have https.

Ghacks:
The downside to enabling the mode is that it may break functionality on some sites, and some sites entirely. Since there is no simple "turn off mode on this page" option, it is quite cumbersome to deal with the issue when it is encountered.
 
