Mozilla Firefox 76 is getting a new 'HTTPS Only' mode that automatically upgrades all HTTP requests to HTTPS when browsing the web and blocks all connections that can't be upgraded.
When you connect to an HTTP site, the connection is not encrypted, so your ISP and programs running on the computer can read the data being sent over it. This includes your passwords, credit card details, and other sensitive information.
For this reason it is always recommended that you use only HTTPS sites, which encrypt the connection between the browser and the web site.
While most web sites now use HTTPS, some still serve only HTTP. Mozilla is therefore adding a feature that will either automatically upgrade your connection to HTTPS or block you from visiting the site.
Mozilla's 'HTTPS Only' mode
Similar to the HTTPS Everywhere add-on, when Firefox's HTTPS Only mode is enabled the browser automatically rewrites any HTTP request to HTTPS; if it cannot connect over HTTPS, it displays an alert asking whether you wish to continue over HTTP.
The feature, being developed for Firefox 76, will not be enabled by default. It will also attempt to upgrade subresources such as CSS files, scripts, and images to HTTPS and, if that fails, quietly block them from loading.
Currently, if a Firefox user types foo.com in the address bar then our internal machinery establishes an HTTP connection to foo.com. Within this project we will expose a preference which allows end users to opt into an 'HTTPS Only' mode which tries to establish an HTTPS connection rather than an HTTP connection for foo.com. Further, we will upgrade all subresources within the page to load using https instead of http.
Implementation considerations:
- For top-level loads which encounter a time-out we could provide some kind of error page with a button which would allow the end user to load the requested page using http.
- For subresource loads we could fail silently and just log some info to the console.
This feature is currently available in the Firefox 76 Nightly builds and can be enabled by toggling the 'dom.security.https_only_mode' setting to 'True' in about:config.
Once enabled, if you go to an HTTP site, Firefox will automatically change it to an HTTPS connection. If unable to connect via HTTPS, it will display an alert as shown below.
This alert warns that continuing to the HTTP site is a "Potential Security Risk" and recommends that you do not continue. If you choose to continue, the 'HTTPS Only' mode will be disabled for the site.
Warning: Potential Security Risk Ahead
Nightly detected a potential security threat and did not continue to neverssl.com. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
What can you do about it?
The issue is most likely with the website, and there is nothing you can do to resolve it. You can notify the website’s administrator about the problem.
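The upgrade-then-fall-back logic the article describes (top-level loads get a warning page, subresources are blocked silently, and clicking through disables the mode for that site), modelled as an added Python example that is not Firefox's own code. It assumes the per-site exception is keyed by hostname and that an explicit `:80` is dropped on upgrade; `https_reachable` is a constructed stand-in for the result of the real connection attempt.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

TOP_LEVEL = "top-level"      # a page typed into the address bar or navigated to
SUBRESOURCE = "subresource"  # CSS, scripts, images loaded by that page


@dataclass
class HttpsOnlyPolicy:
    """Model of the 'HTTPS Only' decision logic described in the article.

    ASSUMPTION: the exception created when the user clicks through the warning
    page is tracked per hostname; the real browser's bookkeeping may differ.
    """
    enabled: bool = True
    exempt_hosts: set = field(default_factory=set)

    def upgrade(self, url: str) -> str:
        """Rewrite an http:// URL to https://, leaving anything else untouched."""
        parts = urlsplit(url)
        if not self.enabled or parts.scheme != "http":
            return url
        if parts.hostname in self.exempt_hosts:
            return url            # user already chose to continue over HTTP
        netloc = parts.netloc
        if netloc.endswith(":80"):
            netloc = netloc[:-3]  # ASSUMPTION: explicit default port is dropped
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def allow_http(self, url: str) -> None:
        """Record the user's choice on the warning page to continue over HTTP."""
        self.exempt_hosts.add(urlsplit(url).hostname)


def simulate_load(policy: HttpsOnlyPolicy, url: str, load_type: str,
                  https_reachable: bool) -> tuple:
    """Return (URL actually loaded or None, outcome) for one request.

    https_reachable is a constructed stand-in for whether the HTTPS connection
    succeeded; the browser learns this by actually connecting.
    """
    target = policy.upgrade(url)
    if target == url:
        return target, "loaded"            # already https, exempt, or mode off
    if https_reachable:
        return target, "upgraded"
    if load_type == TOP_LEVEL:
        return None, "warning-page"        # user can opt to continue over HTTP
    return None, "blocked-silently"        # subresources fail without a prompt
```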
This is an interesting feature, and one that many users would enable as a matter of course, as it only increases the security of the websites you visit, at the minor inconvenience of an occasional alert when you browse to an insecure web site.
H/T Ghacks.net
Comments
fromFirefoxToVivaldi - 4 years ago
Finally a good change from Mozilla. I wonder if this will not cause conflicts due to the broken CSP implementation. Right now something like HTTPS Everywhere in strict mode is breaking uMatrix/uBlock filtration.
DyingCrow - 4 years ago
"You can notify the website’s administrator about the problem." I don't see a reason why that's there. I can even imagine a remote possibility of this being used by scammers to have someone call a number or download a "fix", instead of the "windows support" crap scams. Just kinda giving them ideas.