
Test HTTPS-only-mode enabled in Firefox 94.x


Sampei.Nihira


Beyond the obvious privacy functionality, this feature in Firefox 94.x also fulfills a security task.
Unfortunately this is not the case in MS Edge (and probably also in other Chrome-based browsers, I have not checked), where the feature performs worse, and not only because it lacks an exceptions list.

For the test I will use the malware database of URLhaus:

An HTTP malware site is blocked in Firefox and, almost certainly (as I have verified several times), opens a download pop-up in MS Edge.
I invite you to verify this yourselves:

[screenshot: screen.png]

On HTTPS websites (insert the filter for a better and faster test) the download pop-up appears and the download succeeds without any warning to the user about potentially harmful files.
In this case with MS Edge (and probably also in other Chrome-based browsers) the download is blocked or the user is warned about the possible danger:

[screenshot: scree1.png]

[screenshot: screen3.png]

I recommend that users of Chrome-based browsers add a rule in the browser itself that blocks all JavaScript on HTTP websites:

HTTP://*


Edited by Sampei.Nihira


Soon HTTPS will be the only option and companies won't allow you to access HTTP sites, to "protect you".

One thing Mozilla fails to protect me from, though, is burning nerves when I launch Firefox with the new bloated UI. That is horrible to use on a small laptop. It is like Mozilla showing the middle finger and saying "I do not care about your opinion or whether you want a functional UI".

OK, now to the topic of this article.

36 minutes ago, Sampei.Nihira said:

For the test I will use the malware database of URLhaus:

An HTTP malware site blocked in Firefox

I did some corrections and I also tested it on my lab PC, and it indeed blocked me from reading an actually informative site that just happened to lack HTTPS. Good job keeping me in a walled garden. HTTP does not equal malware sites. Most malware sites have HTTPS these days, so that tells nothing.

36 minutes ago, Sampei.Nihira said:

On HTTPS websites (insert the filter for a better and faster test) the download pop-up appears and the download succeeds without any warning to the user about potentially harmful files.

In this case with MS Edge (and probably also in other Chrome-based browsers) the download is blocked or the user is warned about the possible danger:


It won't on me in either case, since I won't let the browser scan files I download, but when I scanned the files using the local antivirus it was an infected executable.

36 minutes ago, Sampei.Nihira said:

I recommend that users of Chrome-based browsers add a rule in the browser itself that blocks all JavaScript on HTTP websites:

HTTP://*

I recommend blocking scripts overall by default. HTTPS does not mean JS cannot do harmful things to your machine. All it takes is one link to land on an infected site. Also, if I modify a CDN or other provider the site uses, I can use that to load a bad script no matter whether it has HTTPS or not.


If you feel like my purpose is to be mean to you, it is not. I am not at all casual about safety. I have done a lot of pentesting and test runs of exploits and know how they work. I can grab a nice amount from a victim system with JavaScript only. The point of why I keep saying false protection is that they assume everyone is equally stupid and won't give the advanced user the option to choose. We made the web the disaster it is now and try to patch around it without actually admitting the core mistake: a browser running unauthorised program code on the CPU is a horrible idea. And there is a need for an encrypted connection for sure on sites like banking and others, but not on every single simple site. There are many older and embedded systems that cannot do TLS and are locked out from the internet for that. I also enforce HTTPS whenever I can, but sometimes I cannot. If HTTPS is not an issue, why does the FrogFind search engine exist, which cripples it along with other bloat?

Also, when I say victim I mean my own virtual machine or a person who asked me to do the testing on an isolated lab network, not someone unknown. I don't abuse my computer knowledge.

Edited by Mr.Scienceman2000

:D

HTTP websites with malware content discovered daily on the web outnumber HTTPS websites.
In addition, HTTPS websites stay online for a shorter time.
It is the same for phishing websites:

https://phishtank.org/phish_search.php?valid=y&active=y&Search=Search


You don't need to work in IT Security, you just need to know how to count.

Edited by Sampei.Nihira
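The counting that the first and last posts rely on (take a URLhaus export, separate the plain-HTTP entries from the HTTPS ones, and see which of them HTTPS-Only Mode could even act on) can be scripted instead of done by eye. The block below is an added example for this thread, not code from any of the posters or from abuse.ch. It assumes the column layout of the URLhaus CSV export (comment lines starting with `#`, then quoted rows of id, dateadded, url, url_status, last_online, threat, tags, urlhaus_link, reporter); the sample rows embedded in it are constructed for the example and are not real URLhaus entries. Only online entries with a plain `http` scheme are candidates for HTTPS-Only Mode's upgrade-or-warn behaviour; `https` entries load unchanged, which is the point both sides of the thread are arguing over.

```python
"""Count plain-HTTP vs HTTPS entries in a URLhaus-style CSV export.

Added example for this thread (not code from any poster). Assumptions:
  * the URLhaus CSV export layout: '#' comment lines, then quoted rows of
    id, dateadded, url, url_status, last_online, threat, tags,
    urlhaus_link, reporter
  * SAMPLE_CSV below is constructed for the example; none of its rows are
    real URLhaus entries (hosts use documentation ranges / .example).
"""
import csv
from collections import Counter
from urllib.parse import urlsplit

COLUMNS = ["id", "dateadded", "url", "url_status", "last_online",
           "threat", "tags", "urlhaus_link", "reporter"]

# Constructed sample in the assumed export layout (not real data).
# Row 2 has an upper-case scheme and a port, row 4 is offline, row 6 is
# deliberately truncated to show that malformed lines are skipped.
SAMPLE_CSV = """\
# URLhaus-style export (constructed rows for this example)
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"1","2021-11-10 08:00:00","http://198.51.100.10/bin/loader.exe","online","2021-11-10 08:00:00","malware_download","exe","https://urlhaus.example/url/1/","tester"
"2","2021-11-10 08:05:00","HTTP://drop.example:8080/update.bin","online","2021-11-10 08:05:00","malware_download","bin","https://urlhaus.example/url/2/","tester"
"3","2021-11-10 08:10:00","https://files.example/invoice.zip","online","2021-11-10 08:10:00","malware_download","zip","https://urlhaus.example/url/3/","tester"
"4","2021-11-09 20:00:00","http://203.0.113.7/payload.dll","offline","2021-11-09 21:00:00","malware_download","dll","https://urlhaus.example/url/4/","tester"
"5","2021-11-10 08:20:00","http://old-host.invalid/setup.msi","online","2021-11-10 08:20:00","malware_download","msi","https://urlhaus.example/url/5/","tester"
"6","truncated row that does not match the layout"
"""


def parse_urlhaus_csv(text):
    """Return a list of dict rows; skips comment lines and malformed rows."""
    data_lines = [ln for ln in text.splitlines()
                  if ln.strip() and not ln.lstrip().startswith("#")]
    rows = []
    for record in csv.reader(data_lines):
        if len(record) != len(COLUMNS):
            continue  # malformed / truncated line: ignore rather than crash
        rows.append(dict(zip(COLUMNS, record)))
    return rows


def tally_schemes(rows, only_online=True):
    """Count entries per URL scheme (lower-cased), by default only 'online' ones."""
    counts = Counter()
    for row in rows:
        if only_online and row["url_status"] != "online":
            continue
        counts[urlsplit(row["url"]).scheme.lower()] += 1
    return counts


def plain_http_entries(rows):
    """Online entries served over plain http.

    These are the only ones HTTPS-Only Mode can act on: it tries to upgrade
    them to https and, if no HTTPS endpoint answers, shows its warning page
    instead of loading the URL. https entries load unchanged.
    """
    return [row for row in rows
            if row["url_status"] == "online"
            and urlsplit(row["url"]).scheme.lower() == "http"]


def http_share(counts):
    """Fraction of counted entries that are plain http (0.0 when nothing counted)."""
    total = sum(counts.values())
    return counts.get("http", 0) / total if total else 0.0


if __name__ == "__main__":
    rows = parse_urlhaus_csv(SAMPLE_CSV)
    online = tally_schemes(rows)
    print(f"parsed rows: {len(rows)}")
    print(f"online by scheme: {dict(online)} (http share {http_share(online):.0%})")
    for row in plain_http_entries(rows):
        print(f"  HTTPS-Only Mode candidate: {row['url']}")
```

To run it against a real export, replace `SAMPLE_CSV` with the file contents; the scheme tally is what the "know how to count" argument boils down to, and `plain_http_entries` is the list you would actually open in a test VM to reproduce the Firefox-versus-Edge comparison from the first post.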
