‘A great interim solution to pave the way for a future HTTPS-only web’

Firefox introduces HTTPS-Only Mode to shield users from insecure connections

UPDATED Mozilla has added a HTTPS-Only Mode to the latest Firefox browser release in a bid to protect users from unencrypted web connections.

Launched today (November 17), Firefox 83 also enhances user security, says Mozilla, by replacing part of the browser’s JavaScript engine.

Most websites already support HTTP-over-TLS (HTTPS), which creates a secure and encrypted connection between browser and website – unlike its predecessor, HTTP, which uses plaintext, leaving users vulnerable to eavesdropping or manipulator-in-the-middle (MiTM) attacks.

According to Google, all of the world’s top 100 websites work on HTTPS, and 97% default to it.

However, many other websites still support only HTTP and the web is littered with legacy HTTP links that point to insecure versions of sites. Meanwhile, some countries and organizations block or otherwise degrade HTTPS traffic.

Let the users choose

“In light of the very high availability of HTTPS, we believe that it is time to let our users choose to always use HTTPS,” says Mozilla on its blog.

“That’s why we have created HTTPS-Only Mode, which ensures that Firefox doesn’t make any insecure connections without your permission. When you enable HTTPS-Only Mode, Firefox tries to establish a fully secure connection to the website you are visiting.”

When users click on a HTTP link or manually enter a HTTP address, Firefox will switch to HTTPS instead. For websites that don't yet support HTTPS, Firefox will display an error message explaining the security risk and asking for permission to connect to the website over HTTP.

Read more of the latest browser security news

Occasionally, websites support HTTPS but contain images or videos that don’t. In this case, says Mozilla, web pages may fail to display properly – in which case HTTPS-Only Mode can be disabled.

The feature is currently opt-in, via Firefox’s privacy and security settings, and can be enabled in all windows or only on private windows. It can then be enabled or disabled by clicking the lock icon in the address bar.

“In the future, we want the web to rely solely on HTTPS,” a Mozilla spokesperson told The Daily Swig.

“According to latest measurements, however, about 83 percent of all web traffic currently happens over HTTPS. HTTPS-Only mode closes this gap by upgrading HTTP links on the web to HTTPS and we believe that it’s a great interim solution to pave the way for a future HTTPS-only web.

“Additionally, we’re working to increase the usage of HTTPS on the server side through our support for Let’s Encrypt, a free, automated, and open certificate authority that helps people to enable HTTPS for websites.”

This article was updated on November 17 with the addition of new comments from Mozilla.

RELATED ‘Your connection is not private’ – One in three Android devices set to block Let’s Encrypt-certified websites in 2021