We are currently powering towards an encrypted Web and in recent years we've made tremendous progress on that journey. In the latest version of Firefox, a browser that's been at the forefront of the drive towards more encryption, we get a new "HTTPS-Only Mode"


Goodbye plaintext traffic

If you're a security conscious user then the new HTTPS-Only Mode in Firefox is going to be right up your street. It's simple and easy to enable and does, quite literally, exactly what it says on the tin!

We've had some broad pushes from many vendors towards more encryption on the web, with free certificates from organisations like Let's Encrypt and features like HSTS for websites to require encrypted connections, it's become easier and easier for the industry to ensure we have encryption available and used.

This new feature, however, puts the control into the hands of the user. You don't have to rely on a site to use HSTS, or be HSTS Preloaded , you as the user can now ask the browser to protect you by requiring HTTPS for everything you do.

Enabling HTTPS-Only Mode

Simply click the Menu, go to Preferences (Options), click 'Privacy and Security' and then scroll down to HTTPS-Only Mode.

This feature is, of course, disabled by default and you can choose to turn it on in private windows only, where you might demand/expect more privacy, or for all browsing. There is only one choice really!

Testing it out

I keep a site around that I've used for captive portal busting for years and it's the perfect site to use here for a demonstration; http://httpforever.com

This is the new HTTPS-Only Mode alert that provides details about what's happened and allows you decide if you want to continue on to HTTP and an insecure connection. If you do, you get the traditional security warning in the address bar that the connection is not secure.

Is this usable?

Until now, I hadn't put enough thought into that question to give an answer but I've decided I'm just going to try it out and see. Perhaps navigations and pages won't be the main issues I personally encounter but subresources could be? The truth is I don't know, but I will soon! Looking at the data provided by Mozilla for the percentage of pages loaded over HTTPS, you'd have to assume that the impact is going to be quite small.

No matter where you live in the World, the data shows that over 80% of the pages you load in Firefox are HTTPS and that number can go as high as 92%, so we're off to a great start. If you're using Firefox perhaps you can give it a try and report any issues you find? For now though, let's just sit back and realise that only a few years ago this idea would have seemed like madness, yet here we are today enabling it.