User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:42.0) Gecko/20100101 Firefox/42.0 Build ID: 20150807030210 Steps to reproduce: Go to http://click.mail.whitehouse.gov in Nightly or Aurora Actual results: Nightly converts the link to https://click.mail.whitehouse.gov This is a bad idea because they clearly aren't expecting that and the certificate provided by click.mail.whitehouse.gov doesn't list it as an alternate name, resulting in this error: click.mail.whitehouse.gov uses an invalid security certificate. The certificate is only valid for the following names: *.s6.exacttarget.com, s6.exacttarget.com (Error code: ssl_error_bad_cert_domain) I ran mozregression but I encountered some errors using it. I ran both the gui and command line tool. I was able to narrow it down to good 2015-07-30 and bad 2015-07-31, then I did the inbounds: 4:24.85 LOG: MainThread Bisector INFO Narrowed inbound regression window from [54e85cce, 57273aac] (4 revisions) to [104b0bbd, 57273aac] (2 revisions) (~1 steps left) 4:24.85 LOG: MainThread Bisector INFO Oh noes, no (more) inbound revisions :( 4:24.85 LOG: MainThread Bisector INFO Last good revision: 104b0bbd714f 4:24.85 LOG: MainThread Bisector INFO First bad revision: 57273aac7996 4:24.85 LOG: MainThread Bisector INFO Pushlog: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=104b0bbd714f&tochange=57273aac7996 The problem is I had to do this several times and I'm not convinced mozregression was working properly. I know definitely that 2015-08-07 is bad and 2015-07-20 is good. Expected results: If a link is http I'd think it should stay that way unless the host wants https. Otherwise you'll run into certificate errors like this quite often I imagine.
Firefox and other browsers support HSTS - https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security Each Firefox build contains a preloaded list of domains where https will be enforced and depending on the Firefox build date you have different sites in this preloaded list. The list is maintained by google here: https://hstspreload.appspot.com/ The whole whitehouse.gov domain is in the preloaded list and that explains why https is enforced for http://click.mail.whitehouse.gov/ See also https://www.washingtonpost.com/news/the-switch/wp/2015/02/11/your-browser-may-soon-force-you-to-connect-securely-to-some-u-s-government-web-sites/