Sampei.Nihira Posted November 8, 2021 (edited)

Beyond the obvious privacy functionality, this feature in Firefox 94.x also fulfills a security task. Unfortunately it is not so in MS Edge (and probably also in other Chrome-based browsers, I have not checked), where the feature has lower performance, and not only for the lack of an exceptions list.

For the test I will use the malware database of URLhaus:

An HTTP malware site blocked in Firefox and almost certainly, as I have verified several times, with download pop-up opening in MS Edge. I invite you to do a verification:

On HTTPS websites (insert the filter for a better and faster test) the download pop-up appears and the download succeeds without any warning of potentially harmful files for the user. In this case with MS Edge (and probably also in other Chrome-based browsers) the download is blocked or the user is warned about the possible danger:

I recommend users who use Chrome-based browsers to insert in the browser itself a rule that blocks all JavaScript in HTTP websites:

HTTP://*

Mr.Scienceman2000 Posted November 8, 2021 (edited)

Soon there will be only HTTPS as an option and companies won't allow you to access HTTP sites to "protect you". One thing Mozilla fails to protect me from, though, is burning nerves when I launch Firefox with the new bloat UI. That is horrible to use on a small laptop. It is like Mozilla showing the middle finger and saying "I do not care about your opinion or if you want a functional UI".

OK, now to the topic of this article.

36 minutes ago, Sampei.Nihira said:
> For the test I will use the malware database of URLhaus: An HTTP malware site blocked in Firefox

I did some correction and I also tested it on my lab PC, and it indeed blocks me from reading an actually informative site that just happened to lack HTTPS. Good job keeping me in a walled garden. HTTP does not equal malware sites. Most malware sites got HTTPS these days so that tells nothing.

36 minutes ago, Sampei.Nihira said:
> On HTTPS websites (,insert the filter for a better and faster test) the download pop-up appears and the download succeeds without any warning of potentially harmful files for the user. In this case with MS Edge (and probably also in other chrome-based browsers) the download is blocked or the user is warned about the possible danger:

It won't on me in either case since I won't let the browser scan files I download, but when scanned files using local antivirus it infected executable.

36 minutes ago, Sampei.Nihira said:
> I recommend users who use chrome-based browsers to insert in the browser itself a rule that blocks all javascripts in HTTP websites: HTTP://*

I recommend blocking scripts overall by default. HTTPS does not mean JS cannot do harmful things to your machine. All it takes is one link to land on an infected site. Also, if I modify a CDN or other provider the site uses, I can use that to load a bad script no matter if it got HTTPS or not.

If you feel like my purpose is to be mean to you, it is not. I am not any casual with safety. I have done a lot of pentesting and test runs of exploits and know how they work. I can grab a nice amount from a victim system with JavaScript only. The point why I keep saying false protection is because they assume everyone is equally stupid and won't give the advanced user the option to choose. We made the web the disaster it is now and try to patch around it without actually admitting the core mistake: a browser running unauthorised program code on the CPU is a horrible idea. And there is a need for encrypted connections for sure on sites like banking and others, but not every single simple site. There are many older and embedded systems that cannot do TLS and are locked out from the internet for that. I also enforce HTTPS whenever I can, but sometimes cannot. If HTTPS is not an issue, why does the FrogFind search engine exist that cripples it along with other bloat?

Also, when I say victim I mean my own virtual machine or a person who asked me to do the testing on an isolated lab network, not someone unknown. I don't abuse my computer knowledge.

Dixel Posted November 8, 2021

I support/confirm everything @Mr.Scienceman2000 wrote above.

Sampei.Nihira (Author) Posted November 8, 2021 (edited)

HTTP websites with malware content discovered daily on the web outnumber HTTPS websites. In addition, HTTPS websites stay online for a shorter time.

It is the same for phishing websites:

https://phishtank.org/phish_search.php?valid=y&active=y&Search=Search

You don't need to work in IT Security, you just need to know how to count.

NotHereToPlayGames Posted November 8, 2021

I'm with @Mr.Scienceman2000. Just because .js is coming from HTTPS instead of HTTP, that doesn't mean I'm going to start "blindly" trusting it!