Browser Watch: Firefox 55 Will Require HTTPS for Geolocation
Firefox 55, Due In August, Will Require HTTPS for Geolocation
A future version of Mozilla’s browser, Firefox 55, which is due out in August, will entirely disable Geolocation on HTTP pages, meaning that you now need HTTPS for Geolocation. Websites without encryption will no longer be able to ask for a user’s location.
In Firefox 55, geolocation requests over HTTP will fail silently – the user will not even know the site was trying to request that information. Developers will be happy to know that local content (localhost and file:// paths) are included in Mozilla’s definition of a Secure Context, and will still be allowed to request geolocation. Encrypted WebSocket connections (wss://) will also be allowed to make requests.
Geolocation is among a set of browser features that expose sensitive and personally identifying information about a user, which pose a greater safety and privacy risk. As a result, these features have been some of the earliest functionality to be restricted and then entirely disabled over HTTP, due to the protocol’s lack of encryption or authentication.
By the way, this is only the beginning. Browsers will then move on to other features, with the end-goal of ditching HTTP altogether.
Geolocation has already been disabled in Chrome (for nearly a year) and Safari. Firefox lagged behind the other browsers because internal data showed a high proportion of geolocation requests came from HTTP sites, and there were concerns over breaking too many pages.
Breakage is a moot point now, as most have had to deal without HTTP functionality for some time. For most sites, Firefox’s change will likely not be a problem.
If you are a developer and want to start testing this behavior now, you can do it in Firefox Nightly if you change the following flag:
- Paste about:config into the address bar and hit enter.
- If you see the “This Might Void Your Warranty” page, click the blue “I accept the risk!” button.
- In the Search box at the top, paste geo.security.allowinsecure
- Double click the setting to change it to “false.”
- Done! Now when you visit HTTP pages requesting your location, the requests will fail. You can test this behavior at http://permission.site/.
5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018
in Hashing Out Cyber SecurityHow to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chrome
in Everything EncryptionRe-Hashed: How to Fix SSL Connection Errors on Android Phones
in Everything EncryptionCloud Security: 5 Serious Emerging Cloud Computing Threats to Avoid
in ssl certificatesThis is what happens when your SSL certificate expires
in Everything EncryptionRe-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Message
in Hashing Out Cyber SecurityReport it Right: AMCA got hacked – Not Quest and LabCorp
in Hashing Out Cyber SecurityRe-Hashed: How to clear HSTS settings in Chrome and Firefox
in Everything EncryptionRe-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms
in Everything EncryptionThe Difference Between Root Certificates and Intermediate Certificates
in Everything EncryptionThe difference between Encryption, Hashing and Salting
in Everything EncryptionRe-Hashed: How To Disable Firefox Insecure Password Warnings
in Hashing Out Cyber SecurityCipher Suites: Ciphers, Algorithms and Negotiating Security Settings
in Everything EncryptionThe Ultimate Hacker Movies List for December 2020
in Hashing Out Cyber Security Monthly DigestAnatomy of a Scam: Work from home for Amazon
in Hashing Out Cyber SecurityThe Top 9 Cyber Security Threats That Will Ruin Your Day
in Hashing Out Cyber SecurityHow strong is 256-bit Encryption?
in Everything EncryptionRe-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3
in Everything EncryptionHow to View SSL Certificate Details in Chrome 56
in Industry LowdownPayPal Phishing Certificates Far More Prevalent Than Previously Thought
in Industry Lowdown