
Disable HTTPS upgrade?

Posted Mar 6, 2025 13:23 UTC (Thu) by taladar (subscriber, #68407)
In reply to: Disable HTTPS upgrade? by joib
Parent article: Firefox 136.0 released

HSTS is nice but without preloading there is still the initial request that is insecure and could be redirected somewhere entirely different.

And preloading doesn't really scale. You can't exactly have a list of every website in the world that wants to be secure just to avoid changing a default from insecure to secure.


Disable HTTPS upgrade?

Posted Mar 6, 2025 15:32 UTC (Thu) by arita (subscriber, #176355) [Link] (2 responses)

Could they also have an HTTPS record to help alleviate that pre-loading issue?

Disable HTTPS upgrade?

Posted Mar 6, 2025 17:37 UTC (Thu) by draco (subscriber, #1792) [Link] (1 responses)

That's RFC 9460. Firefox has support but it's apparently disabled by default. Chrome supposedly has support too, but I can't find any documentation that it is actually enabled and working (or any flag to turn it on).

Browsers have long resisted adding any DNS lookups to the dependency chain for loading a page because they say people are extremely latency sensitive. It sounds like platform support for arbitrary DNS record types has been problematic too.

Hence they've ignored a number of records that have been proposed to improve security (e.g., TLSA).

I think that RFC was developed with their input to try to address their needs, so it's really sad to see it not be enabled. Though it's at least implemented, which is progress, I guess?

Disable HTTPS upgrade?

Posted Mar 7, 2025 11:13 UTC (Fri) by arita (subscriber, #176355) [Link]

I found it thanks to https://hg.mozilla.org/integration/autoland/rev/34c9c9b0de17. Seems to be enabled by default for roughly the last 4 years in Firefox.

about:config
network.dns.upgrade_with_https_rr = true
network.dns.use_https_rr_as_altsvc = true
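
An added example (not part of the thread, and not Firefox's code): a minimal Python parser for the RDATA of the RFC 9460 HTTPS record discussed above, plus the http-to-https rewrite from section 9.5 of that RFC. The names `parse_https_rdata`, `upgrade_url` and `SAMPLE` are hypothetical; it assumes the records passed in answer the HTTPS query for the URL's host, and simplifies by treating any well-formed record as usable.

```python
import re
from urllib.parse import urlsplit, urlunsplit

KEYS = {1: "alpn", 3: "port", 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}  # RFC 9460 subset

def parse_https_rdata(rdata: bytes) -> dict:
    """Parse wire-format RDATA of an HTTPS (type 65) record; ValueError if malformed."""
    priority, pos, labels = int.from_bytes(rdata[:2], "big"), 2, []
    while True:  # TargetName: uncompressed, length-prefixed labels
        n = rdata[pos] if pos < len(rdata) else 64
        if n > 63 or pos + 1 + n > len(rdata):
            raise ValueError("bad TargetName")
        labels.append(rdata[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
        if n == 0:  # root label ends the name
            break
    params, last = {}, -1
    while pos < len(rdata):  # SvcParams: 2-byte key, 2-byte length, value
        key = int.from_bytes(rdata[pos:pos + 2], "big")
        length = int.from_bytes(rdata[pos + 2:pos + 4], "big")
        end = pos + 4 + length
        if key <= last or end > len(rdata):  # keys must strictly increase
            raise ValueError("SvcParams out of order or truncated")
        value, pos, last = rdata[pos + 4:end], end, key
        if key == 1:  # alpn: list of length-prefixed protocol ids
            ids, i = [], 0
            while i < len(value):
                ids.append(value[i + 1:i + 1 + value[i]].decode("ascii"))
                i += 1 + value[i]
            value = ids
        elif key == 3 and length == 2:  # port: 16-bit integer
            value = int.from_bytes(value, "big")
        params[KEYS.get(key, f"key{key}")] = value
    return {"priority": priority, "alias_mode": priority == 0,
            "target": ".".join(labels[:-1]) or ".", "params": params}

def upgrade_url(url: str, rdatas: list) -> str:
    """Rewrite an http URL to https when at least one HTTPS record parses."""
    parts, ok = urlsplit(url), False
    for r in rdatas:
        try:
            ok = ok or bool(parse_https_rdata(r))
        except ValueError:
            continue  # ignore malformed records
    if parts.scheme != "http" or not ok:
        return url
    return urlunsplit(("https", re.sub(r":80$", ":443", parts.netloc), *parts[2:]))

# Constructed sample RDATA: priority 1, target ".", alpn=h2,h3, port=443
SAMPLE = bytes.fromhex("0001" "00" "00010006026832026833" "0003000201bb")
```

A record fetched over unauthenticated DNS deserves no more trust than a redirect received over cleartext HTTP, so this rewrite complements HSTS rather than replacing it.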

