
Disable HTTPS upgrade?

Posted Mar 5, 2025 7:17 UTC (Wed) by joib (subscriber, #8541)
In reply to: Disable HTTPS upgrade? by ballombe
Parent article: Firefox 136.0 released

For the HTTP header approach there's https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security which I believe Firefox has supported already for a long time.

I believe the new thing with Firefox 136 is that now it automatically first tries to connect via https if you just type an address without a specific "http://" string in front? I could be wrong though, I haven't looked into it in detail.


Disable HTTPS upgrade?

Posted Mar 6, 2025 13:23 UTC (Thu) by taladar (subscriber, #68407) [Link] (3 responses)

HSTS is nice but without preloading there is still the initial request that is insecure and could be redirected somewhere entirely different.

And preloading doesn't really scale. You can't exactly have a list of every website in the world that wants to be secure just to avoid changing a default from insecure to secure.

Disable HTTPS upgrade?

Posted Mar 6, 2025 15:32 UTC (Thu) by arita (subscriber, #176355) [Link] (2 responses)

Could they also have an https record to help alleviate that pre-loading issue?

Disable HTTPS upgrade?

Posted Mar 6, 2025 17:37 UTC (Thu) by draco (subscriber, #1792) [Link] (1 responses)

That's RFC 9460. Firefox has support but it's apparently disabled by default. Chrome supposedly has support too, but I can't find any documentation that it is actually enabled and working (or any flag to turn it on).

Browsers have long resisted adding any DNS lookups to the dependency chain for loading a page because they say people are extremely latency sensitive. It sounds like platform support for arbitrary DNS record types has been problematic too.

Hence they've ignored a number of records that have been proposed to improve security (e.g., TLSA).

I think that RFC was developed with their input to try to address their needs, so it's really sad to see it not be enabled. Though it's at least implemented, which is progress, I guess?

Disable HTTPS upgrade?

Posted Mar 7, 2025 11:13 UTC (Fri) by arita (subscriber, #176355) [Link]

I found it thanks to https://hg.mozilla.org/integration/autoland/rev/34c9c9b0de17. Seems to be enabled by default for roughly the last 4 years in Firefox.

about:config
network.dns.upgrade_with_https_rr = true
network.dns.use_https_rr_as_altsvc = true

