How HTTPS-Only Mode makes your browsing safer

In my last blog post we explored why HTTPS is better and more secure compared to HTTP and that ~20% of traffic on the world wide web is regrettably still done over HTTP. 

This time I will tell you more about “HTTPS-Only Mode”, the project I’m working with during my outreachy internship.

What is HTTPS-Only for?

HTTPS-Only is a security feature in the Firefox web browser that tries to upgrade all requests to HTTPS from the browser side. And that makes your internet usage a lot safer, because with HTTPS-Only enabled every network connection that can be encrypted, will be encrypted. 

Let’s look at some use cases and how HTTPS-Only handles them:

Website without HTTPS certificate

Maybe it’s a very old website that was written in the late 90s and no one is updating it any more or it’s a newer side but not super well maintained. There are a lot of reasons why some websites may not have a HTTPS certificate. But since it’s getting easier and easier to get certified (in huge part thanks to projects like Let’s Encrypt), this will hopefully become a smaller and smaller part of the internet in the future. But it’s still a possibility. And in order to have an encrypted connection both sides (browser and server) need to be able to use this encryption. So unfortunately there is no way to connect over HTTPS to a server that doesn’t know how. In that case HTTPS-Only will let you know that there is no secure connection possible and give you the possibility to go there anyway, knowing the risks or not going there at all. If the side does not ask for passwords or other private information it’s probably fine to go. But it’s a decision you are now able to make consciously and more informed.

Website with HTTPS certificate 

Now we look at a website that is available both over HTTP and HTTPS. How could you end up on an insecure connection, when a secure one is available? 

If you type in a scheme-less URL (so without specifying HTTPS or HTTP but for example just browsers will default to HTTP unless they are told not to (for example by using HTTPS-Only mode). Or you browse a website and click on a link that is scheme-less or specifies HTTP as the scheme to connect. 

A well maintained server will upgrade this insecure HTTP connection right away. It sees the incoming insecure HTTP connection, sends a redirect to a secure HTTPS connection and over this new secure HTTPS connection it will send a HSTS (HTTP Strict Transport Security) Header to the browser to let the browser know that in the future it should upgrade all connections from the beginning. But there are some downsides to this: not all servers are well maintained and do this upgrading for you and even if they do, the first connection from the browser to the server will always be insecure. With HTTPS-Only that is not a problem. All requests – even the first one – will be over HTTPS and you don’t have to rely on servers doing that for you. If HTTPS is possible, it will be used every time. 

Subresources for Websites 

But HTTPS-Only does even more. It does not only upgrade all the top-level requests (so the main website you are visiting) but also all the subresources that this web site loads. 

Subresources are all the resources that the website loads from other servers like images, videos, audio files, stylesheets or scripts. If the website wants to show a video that is already uploaded to a video sharing server (for example youtube) then the website would not copy the whole video and store it itself but just load the video from the video sharing server onto its page. All these subresources could be a point of attack when not encrypted so HTTPS-Only upgrades all those connections to HTTPS as well. 

How do you get HTTPS-Only?

All of that sounds great and like something you want to try out? 

HTTPS-Only was released with Firefox 83 in November 2020 so you need an up to date Firefox browser. (In case you don’t have one yet you can get it here.)

To enable HTTPS-Only Mode click on Menu → Preferences → Privacy & Security and all the way down at the bottom you find HTTPS-Only. You can enable it for all windows, only the private windows or none.