Bulletproof TLS Newsletter #71
Firefox introduces HTTPS-only mode
26 Nov 2020
Author: Hanno Böck

This issue was distributed to 56,090 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. Firefox introduces HTTPS-only mode
  2. Short news

Firefox introduces HTTPS-only mode

With the release of Firefox 83, Mozilla announced an optional HTTPS-only mode in its web browser. The mode was previously available in Firefox Nightly builds and through advanced settings, but the latest release makes it officially available to all users as an opt-in preference.

In this mode, the Firefox browser will refuse to connect to HTTP hosts by default. If a user enters an HTTP URL or clicks a link pointing to an HTTP target, the browser will automatically try to upgrade that connection to HTTPS. When that isn’t possible, the browser will show a full-page warning and an option to continue to the HTTP site.

That such a mode is feasible is a sign of how far the HTTPS-only web has come. The warning page rarely shows up in everyday internet usage because web pages that can’t be loaded over secure connections are rare these days.

It’s noteworthy that such an HTTPS-only mode can prevent a number of attacks that were still possible even in a web mostly run over HTTPS. One threat comes from legacy links. If a user clicks on an old HTTP link to a page that has since switched to HTTPS by default, the first connection will still happen over HTTP, which gives a network attacker a point at which to redirect the user to a manipulated web page or perform an SSL stripping attack. Such attacks can be mitigated with HSTS, but even many HTTPS-only web pages aren’t using HSTS yet, and HSTS only protects a browser that has already seen the header over HTTPS (or a domain on the preload list), so the very first visit remains exposed.

Another possible attack can come from badly configured redirects. For example, it’s not uncommon to find redirects from the apex domain to the WWW subdomain that go via plaintext: https://example.com/ redirects to http://www.example.com/, which then redirects to https://www.example.com/. The plaintext hop in the middle is again a point at which an attacker can intercept the request, even though both ends of the chain are HTTPS. Ideally, such legacy links and bad redirects should all be fixed, but with HTTPS-only mode, Firefox users now have a way to prevent such attacks from happening in an imperfect web.
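The two problems described above, the missing HSTS header and the redirect chain with a plaintext hop, are easy to check for from the server side. The script below is an added example, not code from the newsletter or from Mozilla: it walks a redirect chain, flags any hop that downgrades to http://, flags HTTPS responses without Strict-Transport-Security, and can also walk the same chain the way HTTPS-only mode would, retrying every http:// hop over https:// and stopping where the browser would show its warning page. The site responses are constructed inline so the script runs offline, and the upgrade model is a simplification (scheme swap only, no port handling).

```python
"""Audit a redirect chain for plaintext hops and missing HSTS, and model how
Firefox's HTTPS-only mode would traverse the same chain.

Added example; not code from the newsletter or from Mozilla. All responses
below are constructed for illustration, and the HTTPS-only upgrade model is
a simplification (scheme swap only).
"""
from urllib.parse import urljoin, urlsplit, urlunsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def to_https(url):
    """Rewrite an http:// URL to https:// (the simplified upgrade this example assumes)."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(scheme="https")) if parts.scheme == "http" else url


def make_fetch(site):
    """Return a fetch(url) -> (status, headers) callable backed by a constructed
    dict of responses. An unknown URL raises ConnectionError, standing in for a
    host that does not listen on that scheme."""
    def fetch(url):
        if url not in site:
            raise ConnectionError(url)
        return site[url]
    return fetch


def follow_redirects(start_url, fetch, https_only=False, max_hops=10):
    """Follow Location headers from start_url; return a list of (url, status, headers).
    With https_only=True every http:// hop is first retried over https://, and the
    walk stops with status None where the upgrade fails (the browser would show
    its full-page warning there instead of silently loading plaintext)."""
    chain = []
    url = start_url
    for _ in range(max_hops):
        if https_only and urlsplit(url).scheme == "http":
            url = to_https(url)
        try:
            status, headers = fetch(url)
        except ConnectionError:
            chain.append((url, None, {}))  # upgrade failed: warning page
            return chain
        chain.append((url, status, headers))
        location = header(headers, "Location")
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # handles relative Location values too
            continue
        return chain
    raise RuntimeError("redirect loop or chain longer than %d hops" % max_hops)


def audit_chain(chain):
    """Return a list of findings (strings) for a chain produced by follow_redirects."""
    findings = []
    for i, (url, status, headers) in enumerate(chain):
        scheme = urlsplit(url).scheme
        hsts = header(headers, "Strict-Transport-Security")
        if status is None:
            findings.append(f"hop {i}: no HTTPS listener; HTTPS-only mode would show its warning page: {url}")
        if scheme == "http" and i > 0:
            findings.append(f"hop {i}: redirect downgrades to plaintext: {url}")
        if scheme == "http" and hsts:
            findings.append(f"hop {i}: HSTS sent over plaintext is ignored by browsers: {url}")
        if scheme == "https" and status is not None and not hsts:
            findings.append(f"hop {i}: HTTPS response without Strict-Transport-Security: {url}")
    return findings


# Constructed example: apex redirects to the www host via a plaintext hop, no HSTS.
BAD_SITE = {
    "http://example.com/": (301, {"Location": "https://example.com/"}),
    "https://example.com/": (301, {"Location": "http://www.example.com/"}),
    "http://www.example.com/": (301, {"Location": "https://www.example.com/"}),
    "https://www.example.com/": (200, {"Content-Type": "text/html"}),
}

# Constructed example: same site with the redirect fixed and HSTS on every HTTPS response.
HSTS = "max-age=63072000; includeSubDomains"
GOOD_SITE = {
    "http://example.com/": (301, {"Location": "https://example.com/"}),
    "https://example.com/": (301, {"Location": "https://www.example.com/", "Strict-Transport-Security": HSTS}),
    "https://www.example.com/": (200, {"Strict-Transport-Security": HSTS}),
}

# Constructed example: a host that only serves plaintext.
LEGACY_SITE = {"http://legacy.example/": (200, {"Content-Type": "text/html"})}


if __name__ == "__main__":
    for name, site, https_only in [("bad", BAD_SITE, False), ("bad, HTTPS-only", BAD_SITE, True),
                                   ("good", GOOD_SITE, False), ("legacy, HTTPS-only", LEGACY_SITE, True)]:
        start = "http://legacy.example/" if site is LEGACY_SITE else "http://example.com/"
        chain = follow_redirects(start, make_fetch(site), https_only=https_only)
        print(name, [u for u, _, _ in chain], audit_chain(chain) or "no findings")
```

Note what the HTTPS-only walk over BAD_SITE shows: the plaintext hop disappears for that user because the browser upgrades it, but the missing HSTS findings remain. The mode protects the Firefox user; it does not fix the server, and every other client still takes the downgrade.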

Short news