Karlston Posted July 11, 2020

Firefox 80: HTTPS-only Mode in Settings

Mozilla added an optional HTTPS-only mode to Firefox 76 Nightly back in March 2020. The organization's engineers have now added the mode to the settings of Firefox 80 Nightly, and it is likely that users of other Firefox channel versions, e.g. Firefox Stable, will be able to configure the mode once their version of the browser is updated to Firefox 80.

HTTPS-Only Mode is designed to enforce HTTPS on sites. It works similarly to HTTPS Everywhere and other HTTPS upgrade extensions for browsers in that it attempts to upgrade HTTP connections, that are not secure, to HTTPS connections, which are.

The core difference between the native HTTPS-Only Mode and extensions is that Mozilla's implementation attempts to upgrade every HTTP connection to HTTPS. HTTPS Everywhere uses a list for the upgrades that rewrite connections on sites that are opened in the browser.

Firefox's HTTPS-Only Mode applies the upgrade to all HTTP connections, even if an HTTPS option is not available; this may lead to loading errors that can range from sites not loading at all to content on the site becoming unavailable.

Firefox informs the user if the entire site could not be loaded because it does not support HTTPS. The same is not true for elements that may not be loaded on a site, though.

Up until now, Nightly users had to set the value of the preference dom.security.https_only_mode to TRUE to enable the feature in the browser. A value of FALSE, the default, disables the HTTP to HTTPS upgrade enforcement in the browser.

Starting in Firefox 80, that is no longer necessary but still available. Mozilla added options to control the browser's HTTPS-Only Mode in the options.

Load about:preferences#privacy in the browser's address bar and scroll all the way down to the HTTPS-Only Mode group. The feature is set to "Don't enable HTTPS-Only Mode" by default.

Switch it to "Enable HTTPS-Only Mode in all windows" to enable it everywhere, or switch it to "Enable HTTPS-Only Mode in private windows only" to only enable it for private browsing. A restart is not required.

When you enable the option, Firefox will rewrite HTTP links to HTTPS automatically.

Closing Words

When Mozilla launched the HTTP upgrade mode in Firefox 76, I concluded that it could be useful in some situations, e.g. when using profiles in Firefox and using one of the profiles for secure activities such as online banking.

The downside to enabling the mode is that it may break functionality on some sites, and some sites entirely. Since there is no simple "turn off mode on this page" option, it is quite cumbersome to deal with the issue when it is encountered.

I find it puzzling that the option is added to the browser's preferences, considering that Mozilla's stance in the past was to limit user exposure to settings that could potentially impact the accessibility of sites.

I think it would be better if Mozilla would integrate HTTPS Everywhere in the browser, maybe even with an option to enforce HTTPS everywhere. The extension is already included in the Tor Browser by default.
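An added example, not part of the original post: a small audit helper that reads the text of a profile's prefs.js and reports which of the three HTTPS-Only Mode settings described above is in effect. The private-windows preference name `dom.security.https_only_mode_pbm` is not given in the article and is used here as an assumption, and the sample profile contents are constructed.

```python
import re

# One line of a Firefox prefs.js / user.js file: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

ALL_WINDOWS = "dom.security.https_only_mode"       # preference named in the article
PRIVATE_ONLY = "dom.security.https_only_mode_pbm"  # assumption: not named on the page


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]  # string pref, kept as text
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
    return prefs


def https_only_state(text):
    """Map the two preferences onto the three choices in the settings UI."""
    prefs = parse_prefs(text)
    # Only a real boolean true enables the mode; a quoted "true" is a string.
    if prefs.get(ALL_WINDOWS) is True:
        return "all windows"
    if prefs.get(PRIVATE_ONLY) is True:
        return "private windows only"
    return "disabled"  # absent preference means the default, FALSE


# Constructed sample profiles (not taken from any real installation).
SAMPLES = {
    "default": '// constructed\nuser_pref("browser.startup.page", 3);\n',
    "all": 'user_pref("dom.security.https_only_mode", true);\n',
    "private": 'user_pref("dom.security.https_only_mode", false);\n'
               'user_pref("dom.security.https_only_mode_pbm", true);\n',
    "quoted": 'user_pref("dom.security.https_only_mode", "true");\n',
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:8} -> {https_only_state(text)}")
```

The "quoted" sample shows a common hand-editing mistake: the value is written as a string, so the audit reports the mode as disabled rather than assuming it is on.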
Sylence Posted July 11, 2020

The author of this article is kind of misleading the reader. Firefox is NOT forcing it, Firefox is only adding it as an option to the settings page, that's all. It's not known whether that option is even on by default or not. Even if it is on by default, there will most likely be notifications from Firefox informing users to switch that setting off when encountering a problematic old site.
Nastrahl Posted July 11, 2020

Blocking outbound traffic to port 80 with a firewall would do the same. About the extension, I prefer the Smart HTTPS approach.
shamu726 Posted July 12, 2020

9 hours ago, Sylence said:

> The author of this article is kind of misleading the reader. Firefox is NOT forcing it, Firefox is only adding it as an option to the settings page, that's all. It's not known whether that option is even on by default or not. Even if it is on by default, there will most likely be notifications from Firefox informing users to switch that setting off when encountering a problematic old site.

The author doesn't say Firefox is forcing the HTTPS-only enforcement. And they have also written that it's off by default. Read the complete article instead of just skimming.
Sylence Posted July 12, 2020

8 hours ago, shamu726 said:

> The author doesn't say Firefox is forcing the HTTPS-only enforcement. And they have also written that it's off by default. Read the complete article instead of just skimming.

Read my comment first before skimming. I never said the author is saying that option is being forced by Firefox.