Closed Bug 1755949 Opened 4 years ago Closed 4 years ago

make https the default protocol

Categories

(Firefox :: Security, defect)

19 Branch


RESOLVED DUPLICATE of bug 1704453

People

(Reporter: estellnb, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Safari/605.1.15

Steps to reproduce:

If the user enters a web address manually without explicitly stating the protocol, Firefox should default to https rather than http. Today most websites redirect from http to https for this reason. However, this just hides the security issue. The http redirect response could be spoofed so that the user continues to use insecure http. 99% of users won't even notice that. If a website really does offer different content for http and https, the user can still enter the desired protocol manually.
Indeed it is an issue that most shared hosting providers have started to force customers into an http->https redirect even if that does not make sense for various reasons:

  • XML processing like schema validation and XML includes still require http, as the XML standard does not know https
  • Downloads should function with http rather than https. This not only saves valuable resources and improves the cacheability of downloads, but it can even improve security: downloads are normally verified with SHA-256/512 sums or GnuPG signatures, so https only is an overload. More than this, possible programming mistakes in the https/SSL layer can pose a security threat.
  • Sometimes https is not required and http adds a simpler alternative also supported by legacy systems. If the https certificate is currently invalid, then http can also provide a reasonable alternative.

If providers of web browsers defaulted to https rather than http, then there would be no reason to force a redirection of http to https, so that web site maintainers can still keep their choice, on a file-per-file basis, of which protocols to support.

Yes, I think this change is really overdue.

The Bugbug bot thinks this bug should belong to the 'Firefox::Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Security

I am the administrator of a website and I can confirm that this is an issue. If you have no http2https redirect, 90% of all users will stay with http. However, if you install a redirect, then you cannot make use of http any more in a reasonable way. I think there is good reason to use both http and https at the same time.

The severity field is not set for this bug.
:sgalich, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(sgalich)

I think it is an anachronism. Today everyone uses https. It should really be the default.

Thanks for reporting this issue, it's being tracked in Bug 1704453.

Meanwhile you can turn on HTTPS-only mode in about:preferences.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(sgalich)
Resolution: --- → DUPLICATE