Want to ensure your browser uses only secure HTTPS connections? Check out Firefox’s new HTTPS-Only Mode
Here at Hashed Out, we like to try to keep you abreast of some of the latest changes and news within the industry—like the newsworthy update Mozilla announced yesterday on their blog. In the latest version of their Firefox browser, Firefox 83, they offer a new security feature called HTTPS-Only Mode. This tool lets you set your browser to automatically connect to all sites via HTTPS, whenever it’s available. When HTTPS is not available, you’ll get a warning.
In the U.S. alone, the Google Transparency Report shows that Chrome users loaded 95% of web pages using the HTTPS connection as of Aug. 29, 2020. This is up from the 49% who used HTTPS exactly five years earlier. This is a significant shift in the right direction.
But what is HTTPS -Only Mode and why does it matter in terms of security?
Let’s hash it out.
What Is HTTPS-Only Mode?
In a nutshell, HTTPS-Only mode is a new security feature that Firefox rolled out yesterday as part of their Nov. 17 release of Firefox 83. They’ve created an optional mode that allows users to choose to make connections via the secure HTTPS protocol only (whenever possible). According to their official release notes:
“Once HTTPS-Only Mode is turned on, you can browse the web as you always do, with confidence that Firefox will upgrade web connections to be secure whenever possible, and keep you safe by default.”
From a 30,000-foot perspective, the goal for browsers would be to eventually deprecate all HTTP connections in lieu of HTTPS ones. (We’ve already seen moves in that direction by other browsers marking non-HTTPS sites as Not Secure.) But for right now, the HTTPS-Only Mode is a feature that Firefox 83 users can choose to use if they so desire. (In the future, maybe HTTPS-Only Mode will become the default behavior for Firefox? Time will tell, but it sure looks like they’re heading in that direction!)
In a nutshell, Firefox’s new HTTPS-Only Mode ensures that users:
- Connect via secure connections whenever they’re available, and
- Receive alerts whenever a secure connection is unavailable.
This means that browsers who Firefox version 83 will see padlock icons in their web address bar instead of warnings like this:
Of course, there are plenty of other features that also rolled out in the update aside from the HTTPS-Only Mode. But it’s really the only one we’re going to talk about here since it specifically pertains to cybersecurity and, more specifically, encryption. (And, as you know, both of those topics are kind of our thing.) But you should certainly check the other new features out as well in the Firefox 83 release notes since there are also a few updates that enterprises and developers in particular might be interested in.
Why Using Only HTTPS Connections Matters
Whenever you go online, by default, your connection is delivered via the HTTP protocol. HTTP stands for hypertext transfer protocol. It’s the foundational protocol that’s used to browse the web (such as when you used your browser to connect to our website right now to read this article).
Unfortunately, by its very nature, HTTP isn’t secure; it transmits your data across the internet in plaintext format for everyone to see. So, all of the types of data that hackers love to get their hands on — your personally identifiable information (PII), credit card information, and other sensitive info — are served up like a smorgasbord of digital delights to anyone else who knows how to intercept and read them.
This is known as a man-in-the-middle attack. Not only can the see and read it, but they could potentially tamper with your data, too, and manipulate the information. This frightening thought serves to:
- Underscore the important of using HTTPS;
- Explain why the “hypertext transfer protocol secure” became integral to website security; and
- Show why SSL, now TLS, was able to make such a big grand entrance back in the 90s.
While the overwhelming majority of websites support the HTTPS protocol — more than 80% of sites have a valid SSL/TLS certificate, according to W3Techs — millions of sites still contain HTTP legacy links. This means that even if a site is using the HTTPS protocol for their site overall, some specific pages (including subdomains) they’re linking to may not be.
How HTTPS Works In General
One of my colleagues already broke down the process of how HTTPS works in another in-depth piece. I’m not going to repeat everything he covered here, but to quickly summarize, HTTPS is what makes it possible to transmit your data to a website via an encrypted connection. Basically, in the case of a website, a site admin uploads one or more website security certificates to their server to secure their pages.
Whenever a user tries to connect, a handshake takes place that involves a secure key exchange that then makes it possible to use a symmetric encrypted connection for the rest of the session. Pretty cool, huh?
So, to quickly recap:
- HTTP = data transmissions in plaintext format (i.e., readable data).
- HTTPS = secure data transmissions that displays ciphertext (i.e., unreadable data)
If you like privacy and want your information to remain as secure as possible online, then you should be a huge proponent of HTTPS. (Okay, you don’t have to wear a shirt or wave around flags in support of HTTPS, but you can at least take a moment to appreciate all that it offers our otherwise insecure digital world.) The takeaway here is that HTTPS is a great thing for web users in terms of security.
How HTTPS-Only Mode Works
The HTTPS-Only Mode makes it so that you will automatically connect to the HTTPS version of a website whenever one is available. So, even if you accidentally or intentionally try to connect to a site via HTTP, Firefox will override it and use HTTPS instead (so long as it’s available on the site). If an HTTPS connection isn’t available, the browser will warn you.
Here’s an example of how an insecure site might display in Firefox 83 (note the crossed-out padlock icon in the web address bar):
Here’s how a secure HTTPS website displays in Firefox 83:
Now, what if you manually type an HTTP URL into the web address bar (like this)?
If you have the HTTPS-Only Mode enabled in your browser, so long as there’s an HTTPS version of the site available, the browser will still force it to load the site via HTTPS.
How to Enable HTTPS-Only Mode in Firefox 83
Okay, now that you know all about what it is and how it works, let’s break down how to turn this feature on in your browser.
- In the Firefox version 83 browser, click on the menu (the three stacked horizontal lines in the top-right corner of your window) and select either Preferences or Options (it displays as Options on my screen).
- In the left-hand navigation, select Privacy & Security to open that tab.
- Scroll down the page until you see a section header labeled HTTPS-Only Mode. There, you’ll find three options. The radio button defaults to Don’t enable HTTPS-Only mode. You’ll want to change this option to Enable HTTPS-Only Mode in all windows.
That’s it! It’s really that simple.
Don’t have Firefox version 83 installed yet? No worries. You can download the newest version of Firefox from the Mozilla website.
How to Temporarily Disable HTTPS-Only Mode
Okay, cool. So, now you have HTTPS-Only Mode enabled, which ensures that the HTTPS versions of websites will always load by default whenever they’re available. But what if there are specific elements on a page that rely on HTTP and now they don’t display right? Don’t worry, Mozilla planned for that variable as well.
If you want to temporary turn off the HTTPS-Only mode to view those elements, you can do so in your web address bar. (Note: This is not a good idea in general. We typically don’t recommend doing this! However, we do understand that some websites don’t use HTTPS, so switching off HTTPS temporarily may be practical for some users.)
To disable HTTPS-Only Mode:
- Click on the padlock icon in your browser. It will bring up a window that looks like this that contains a drop-down menu toggle:
- In the new padlock window, you’ll see a drop-down menu listed for HTTPS-Only Mode. There, you can change it from On to Off temporarily.
If, for some reason, this option isn’t working, you can always go back into the main Firefox menu and turn HTTPS-Only Mode off while accessing that particular site or web page. Once finished with whatever you’re doing, then you can re-enable the security feature in your browser menu.
Enabling HTTPS-Only Mode is a great idea for individual users and businesses alike. For the former, it helps to ensure that you’re only connecting with secure websites whenever they’re available and are informed by your browser whenever they’re not. For the latter, you should also configure the browser settings on your employees’ work devices to ensure that they’re also connecting to HTTPS sites as much as possible.
The reality is that encrypted connections should be not only the minimum level of security, but it should also be the norm when it comes to online traffic. I, for one, am looking forward to a point where we can see the complete phase-out of unencrypted HTTP connections. While we haven’t quite reached that point, this move by Firefox is a step in the right direction.