Jump to content
Karlston

Firefox 80: HTTPS-only Mode in Settings

Recommended Posts

Karlston

Firefox 80: HTTPS-only Mode in Settings

Mozilla added an optional HTTPS-only mode to Firefox 76 Nightly back in March 2020. The organization's engineers have now added the mode to the settings of Firefox 80 Nightly, and it is likely that users of other Firefox channel versions, e.g. Firefox Stable, will be able to configure the mode once their version of the browser is updated to Firefox 80.

 

HTTPS-Only Mode is designed to enforce HTTPS on sites. It works similarly to HTTPS Everywhere and other HTTPS upgrade extensions for browsers in that it attempts to upgrade HTTP connections, that are not secure, to HTTPS connections, which are.

 

The core difference between the native HTTPS-Only Mode and extensions is that Mozilla's implementation attempts to upgrade every HTTP connection to HTTPS.

 

HTTPS Everywhere uses a list for the upgrades that rewrite connections on sites that are opened in the browser.

 

firefox 80 https only mode error

 

Firefox's HTTPS-Only Mode applies the upgrade to all HTTP connections, even if an HTTPS option is not available; this may lead to loading errors that can range from sites not loading at all to content on the site becoming unavailable.

 

Firefox informs the user if the entire site could not be loaded because it does not support HTTPS. The same is not true for elements that may not be loaded on a site, though.

 

Up until now, Nightly users had to set the value of the preference dom.security.https_only_mode to TRUE to enable the feature in the browser. A value of FALSE, the default, disables the HTTP to HTTPS upgrade enforcement in the browser.

 

firefox 80 https-only mode

 

Starting in Firefox 80, that is no longer necessary but still available. Mozilla added options to control the browser's HTTPS-Only Mode in the options.

  1. Load about:preferences#privacy in the browser's address bar and scroll all the way down to the HTTPS-Only Mode group.
  2. The feature is set to "Don't enable HTTPS-Only Mode" by default.
    • Switch it to Enable HTTPS-Only Mode in all windows to enable it everywhere, or
    • Switch it to Enable HTTPS-Only Mode in private windows only, to only enable it for private browsing.
  3. A restart is not required.

When you enable the option, Firefox will rewrite HTTP links to HTTPS automatically.

Closing Words

When Mozilla launched the HTTP upgrade mode in Firefox 76, I concluded that it could be useful in some situations, e.g. when using profiles in Firefox and using one of the profiles for secure activities such as online banking.

 

The downside to enabling the mode is that it may break functionality on some sites, and some sites entirely. Since there is no simply "turn off mode on this page" option, it is quite cumbersome to deal with the issue when it is encountered.

 

I find it puzzling that the option is added to the browser's preferences, considering that Mozilla's stance in the past was to limit user exposure to settings that could potentially impact the accessibility of sites.

 

I think it would be better if Mozilla would integrate HTTPS Everywhere in the browser, maybe even with an option to enforce HTTPS everywhere. The extension is already included in the Tor Browser by default.

 

 

Firefox 80: HTTPS-only Mode in Settings

 

ThanksForReading200x49.jpg

Share this post


Link to post
Share on other sites
Sylence

The author of this article is kind of misleading the reader. Firefox is NOT forcing it, Firefox is only adding it as an option to the settings page, that's all. it's not known whether that option is even on by default or not. even if it is on by default, there will most likely be notifications from Firefox informing users to switch that setting off when encountering a problematic old site.

 

 

Share this post


Link to post
Share on other sites
Nastrahl

Blocking outbound traffic to port 80 with a firewall would do the same.

 

About the extension, I prefer Smart HTTPS approach.

Share this post


Link to post
Share on other sites
shamu726
9 hours ago, Sylence said:

The author of this article is kind of misleading the reader. Firefox is NOT forcing it, Firefox is only adding it as an option to the settings page, that's all. it's not known whether that option is even on by default or not. even if it is on by default, there will most likely be notifications from Firefox informing users to switch that setting off when encountering a problematic old site.

 

The author doesn't say firefox is forcing the https-only enforcement. And they also has written that it's off by default. Read the complete article instead of just skimming.

 

Share this post


Link to post
Share on other sites
Sylence
8 hours ago, shamu726 said:

 

The author doesn't say firefox is forcing the https-only enforcement. And they also has written that it's off by default. Read the complete article instead of just skimming.

 

 

Read my comment first before skimming. I never said the author is saying that option is being forced by Firefox.

 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...