Mozilla Boosts Security in Firefox With HTTPS-Only Mode

Firefox 83 has been released to the stable channel with a new feature meant to improve the security of its users, namely HTTPS-Only Mode.

The new feature is designed to prevent eavesdropping, especially when it comes to websites containing sensitive information, such as emails, financial data, or medical details.

With HTTPS-Only Mode enabled, Firefox attempts to establish a fully secure connection for each and every site the user accesses, and also asks for the user’s permission before connecting to a site that lacks support for secure connections.

Hypertext Transfer Protocol (HTTP) over TLS (HTTPS) was meant to address the security shortcomings of HTTP through encrypting the connection between the browser and the visited website.

While most websites do include support for HTTPS, and those that don’t are fewer by the day, many sites do fall back to the unsecure HTTP protocol.

On top of that, Mozilla notes, millions of legacy HTTP links pointing to insecure versions of websites still exist, meaning that, when the user clicks on them, the browser traditionally connects using the insecure HTTP protocol.

“In light of the very high availability of HTTPS, we believe that it is time to let our users choose to always use HTTPS. That’s why we have created HTTPS-Only Mode, which ensures that Firefox doesn’t make any insecure connections without your permission,” Mozilla says.

Once HTTPS-Only Mode has been enabled, Firefox will attempt to always establish a fully secure connection to the visited website, and even if the user clicks on an HTTP link or manually enters it, the browser will still use HTTPS instead.

The new feature can be enabled from the “Preferences” menu, in the “Privacy & Security” section. There, after scrolling down to “HTTPS-Only Mode,” users need to select the “Enable HTTPS-Only Mode in all windows” option.

“Once HTTPS-Only Mode is turned on, you can browse the web as you always do, with confidence that Firefox will upgrade web connections to be secure whenever possible, and keep you safe by default,” Mozilla notes.

When encountering a website that doesn’t include support for HTTPS, Firefox will deliver an error message, providing the user with the option to connect using HTTP.

For websites that do support HTTPS but serve resources such as images or videos over insecure connections, some pages might malfunction, and users will be provided with the option to temporarily disable HTTPS-Only Mode for that site.

Mozilla expects for HTTP connections to be deprecated once HTTPS is more widely supported and even required for all websites. HTTPS-Only Mode, the browser maker says, is the future of the Internet.

Related: Firefox Gets DNS-over-HTTPS as Default in U.S.

Related: Mozilla to Remove Support for FTP in Firefox

Related: Identifying DNS-Over-HTTPS Traffic Without Decryption Possible: Researcher