Firefox Adds HTTPS-Only Mode

With its newest release, Firefox is adding a feature called HTTPS-Only that will automatically switch any plaintext HTTP connections to secure ones, making it simpler for users to ensure that their connections aren’t being monitored.

The new setting is similar to one that Google Chrome has that makes HTTPS the default connection mode in the browser. Mozilla’s change comes in Firefox 83, which the company rolled out on Tuesday. Enabling the setting is just a matter of going into the Privacy and Security section in Settings and choosing the option.

Although a significant portion of websites offer HTTPS as a connection option, some sites still support HTTP connections. So if a user manually types the URL into the address bar using HTTP as the prefix, those servers will use the insecure protocol for the connection. Those connections can be monitored passively by any adversary on the network. Enforcing the use of HTTPS at the browser level helps prevent users from hitting those HTTP sites, whether accidentally or intentionally.

“Once HTTPS-Only Mode is turned on, you can browse the web as you always do, with confidence that Firefox will upgrade web connections to be secure whenever possible, and keep you safe by default. For the small number of websites that don’t yet support HTTPS, Firefox will display an error message that explains the security risk and asks you whether or not you want to connect to the website using HTTP,” Mozilla said.

“It also can happen, rarely, that a website itself is available over HTTPS but resources within the website, such as images or videos, are not available over HTTPS. Consequently, some web pages may not look right or might malfunction. In that case, you can temporarily disable HTTPS-Only Mode for that site by clicking the lock icon in the address bar.”

Virtually every legitimate site that allows users to enter sensitive information, such as credit card data, bank information, or health information, employs HTTPS, and it’s ubiquitous on content sites, shopping sites, and most of the rest of the web. But there are still some corners of the web where HTTP is hanging on, and there are also old links in many places that point to HTTP versions of websites. The HTTPS-Only mode, like the one in Chrome, addresses that problem by switching to an HTTPS connection if the destination server supports it.