Get best of the week

Firefox Introduces HTTPS Only



An interesting mode is implemented in the Firefox Nightly test build. Perhaps someday it will be turned on by default, but now it looks a bit unusual and needs to be manually activated from the settings.

This is the HTTPS-only mode in which you cannot download sites via an insecure channel. If you enter the address http://, the browser tries to redirect the request to https://, and in case of failure, blocks the download. All connections must be encrypted without fail.

If nothing extraordinary happens, the function will go to the final release of Firefox 76, which is scheduled for release on May 5, 2020 .

This is an optional function that is activated from the settings. It will further complicate access to the few remaining sites that still do not support TLS encryption.

According to Firefox telemetry , currently 82.4% of web pages in the world are downloaded via an encrypted connection, and in the USA - 91%.


The share of web pages that load via HTTPS in Firefox is a 14-month moving average. Source: Firefox telemetry

In 2013, Mozilla initiated the creation of the Internet Security Research Group, which launched the Lets's Encrypt service in 2015 to automatically issue free certificates for TLS encryption. Google has become a platinum sponsor of the service. Recently this centerissued a billionth certificate .


The number of active Let's Encrypt certificates. Source: Let's Encrypt

Nowadays, HTTPS is almost a must for every website. The absence of HTTPS affects the position in the search results and has a serious impact on privacy in general.

Chrome and Firefox already flagged as insecure websites without HTTPS. In terms of user perception, this was an important interface change. Studies have shown that users do not perceive the absence of a green icon with a lock as “Protected” as a warning . But the red “naked” HTTP icon is already a clear indication of the danger of the site.

Judging by current trends, it is quite possible to imagine that a new functionHTTPS-only will become standard in the future and will be enabled by default. Now it is activated using the internal Firefox settings (about: config) through the flag dom.security.https_only_mode, as shown in the first screenshot.

The feature is very similar to how the well-known HTTPS Everywhere extension from the Electronic Frontier Foundation and the Tor project works . It should be noted that a year and a half ago the Fusion project was launched to merge Tor Browser and Firefox , more precisely, to integrate Tor Browser functions directly into Firefox.

The introduction of HTTPS Everywhere in the Firefox codebase has been announced as one of the goals of the Fusion project. Here are the initial goals:

  • . , Firefox , . , . Tor Browser Firefox .
  • .
  • Tor Firefox. Tor ( ).
  • Firefox, , Tor. Tor Browser , Firefox:

    • ;
    • (circuit display);
    • HTTPS Everywhere, NoScript;
    • Tor Launcher;
    • ;
    • .

    Mozilla : , ( Tor).


    Onion — Tor Browser, Firefox

In addition to HTTPS-only mode, major browser makers were about to deactivate legacy versions of the TLS 1.0 and 1.1 encryption protocols in the spring of 2020. Mozilla initially deactivated them, but soon recovered due to the coronavirus pandemic. According to the official position, the old versions were saved for access to government sites.

Google planned to disable legacy versions of TLS in Chrome 81, simultaneously with Mozilla. But the release of this version of the browser was suspended due to a virus. Accordingly, Chrome continued to accept TLS 1.0 and 1.1 connections. This could be another reason for Mozilla’s decision.


The global market share of browsers from January 2012 to December 2019. Source: Statista

How useful is HTTPS-only? Perhaps it can be enabled on profiles that are used exclusively for online banking or other important tasks on the Internet.

Many users may find HTTPS-only destructive, as it blocks access to certain sites and resources on the Internet. There is no workaround. Sites cannot be loaded unless you turn off the corresponding function in about: config .


More articles:


All Articles