Firefox’s new feature automatically redirects from HTTP to HTTPS and should be considered a must-use for the security-minded. Jack Wallen explains, and shows you how to enable it.
We all use a web browser throughout the day. I probably spend at least seven hours a day within a web browser. Not only am I spending a large portion of my day using a browser, I’m also transmitting important (and sometimes sensitive) data. Because of that, I tend to take the security of my web browsers seriously. That’s why, when Mozilla announced it would include an HTTPS-Only mode in Firefox 83, I did a little happy dance.
For IT pros, this information is quite basic, but it can be a good way to help teach your end-users about the importance of HTTPS. For those who don’t know, HTTPS is the secure version of HTTP. For example, when you visit a website, you either start out by typing http:// or you cut that part out and go directly to the URL of the site in question.
When you use HTTP, you are transmitting data over an insecure protocol: the data is sent over the internet in unencrypted clear text. What that means is if anyone is snooping on your network activity, with the right tools and knowledge, they can view everything you send. When you use HTTPS, that transmitted data is encrypted, so it’s much harder to view. That’s what you want, by default.
Now, here’s the trick: A website might automatically direct your insecure call to the secure protocol, so HTTP automatically directs to HTTPS. When that happens, you’re good to go.
Unfortunately, not every site makes use of HTTPS auto-redirects. Even though their site might be set up to use HTTPS, it can also function with standard HTTP. When you visit the site with http://, a poorly-coded site won’t automatically send your traffic through the secure protocol. When that happens, you don’t benefit from the added security that HTTPS offers. When you run into such a case, Firefox will warn you with an exclamation point in the address bar. Click on that exclamation point to view the warning (Figure A).
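To check which of the two behaviours described above a must-use site shows before you turn on HTTPS-Only, the sketch below classifies a site's answer to a plain http:// request. It is an added example, not part of the original article; the function names and the .example hosts and responses are constructed for illustration.

```python
import http.client
import sys
from urllib.parse import urlsplit

REDIRECTS = {301: "permanent", 308: "permanent", 302: "temporary",
             303: "temporary", 307: "temporary"}

def classify(status, location):
    """Classify the answer a site gives to a plain http:// request."""
    if status in REDIRECTS:
        # A relative Location ("/home") has no scheme and stays on HTTP.
        scheme = urlsplit(location or "").scheme.lower()
        if scheme == "https":
            return "upgrades to HTTPS (%s redirect)" % REDIRECTS[status]
        return "redirects but stays on HTTP"
    if 200 <= status < 300:
        return "serves content over HTTP, no upgrade"
    return "no usable answer (status %d)" % status

def probe(host, timeout=5.0):
    """Send one HEAD request over port 80; http.client never follows redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return classify(resp.status, resp.getheader("Location"))
    except (OSError, http.client.HTTPException) as exc:
        return "HTTP probe failed: %s" % exc
    finally:
        conn.close()

# Constructed sample responses (status, Location header), not captured traffic.
SAMPLES = {
    "redirecting.example": (301, "https://redirecting.example/"),
    "dual-stack.example": (200, None),
    "relative.example": (302, "/index.html"),
    "downgrade.example": (301, "http://www.downgrade.example/"),
}

def audit(samples):
    """Return a verdict per host for a dict of (status, Location) answers."""
    return {host: classify(*resp) for host, resp in samples.items()}

if __name__ == "__main__":
    hosts = sys.argv[1:]
    results = {h: probe(h) for h in hosts} if hosts else audit(SAMPLES)
    for host, verdict in results.items():
        print("%-22s %s" % (host, verdict))
```

Run it with host names as arguments to probe live sites over port 80; with no arguments it prints the verdicts for the constructed samples.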
HTTPS-Only saves the day
Starting with version 83 of Firefox, you can enable a new feature that will automatically default to https://, even when you type http://. The only caveat to this happens when a site doesn’t use the secure HTTPS protocol, at which point you will receive an error (Figure B).
Even though you’ll run into this issue, I consider forcing HTTP to HTTPS a necessary option in today’s world of constant hacks and data breaches. With the new HTTPS-Only option in Firefox, it will:
Always attempt to establish a fully secure connection to every website you visit
If a site doesn’t use HTTPS, Firefox will be unable to connect to the site
It’s the second point that might be a non-starter for some users. If you happen to work with sites that do not use SSL, they won’t work with HTTPS-Only enabled–unless you only enable it for private windows. Of course, if you’re using sites that do not work with SSL, you should contact those sites and ask them why they haven’t joined the 21st century.
How to enable HTTPS-Only
With Firefox 83 or newer (I used Firefox Nightly), this feature is quite easy to enable. Here’s how:
Open Firefox and click the menu button.
In the left sidebar, click Privacy & Security.
In the resulting window, scroll down to HTTPS-Only Mode.
Click to Enable HTTPS-Only Mode In All Windows (Figure C).
You could always enable HTTPS-Only for private windows, but that would require you to remember to use private windows for the majority of your browsing–chances are pretty good you won’t want to do that.
However, in the end, you’ll have to decide if this new feature is worth having to deal with when you have must-use websites that don’t take advantage of HTTPS. If the sites you use can do both HTTP and HTTPS, you are much better off enabling HTTPS-Only on Firefox.