HTTPS Only mode STILL blocks HTTPS websites.
HTTPS Only mode blocks websites with URL addresses that are shown as https:// websites. Previous posts of this problem have been archived, and reading the replies and suggested resolutions shows that the problem has never really been addressed. Some https websites are being blocked regardless of where the link to them is located. The problem is NOT only with links in emails. I can not see any common traits to the https websites that are blocked by the HTTPS Only mode archive. If I click on the "continue to http website? button on the notification page when HTTPS Only mode is blocking a https:// website, it does usually continue to the https:// website, but it is very irritating as it raises evidently unwarranted suspicions about websites that could very well be completely safe https websites. I know that is the case with some of the links that are blocked, but when I am not familiar with the target website I usually do not continue to the site. I am therefore probably often unable to access information that I really need and that would be readily available but for my hesitancy to continue to a unfamiliar blocked website. An example of the spurious blocking is that when I try to access documents from the Charles Schwab website (such as https://archive.fast-edgar.com/20220208/A322F22CZW2RW2Z2222S2WYSCLVRYZ223242) the website is often blocked., while most links on the Charles Schwab website work exactly as expected. I am very confident that the https://archive.fast-edgar.com/ website is legitimate and safe, and I do not believe that there are potential problems with the link being dragged through a third party tracking website as has been claimed to be the problem with links in emails in previous posts about this problem. It would be great if someone could find the glitch in the HTTPS Only mode implementation so that it can be made usable.
Chosen solution
That is a strange example. I don't know why Firefox is failing to detect HTTPS support in the first screenshot. If you reload the page bypassing the cache (Shift+click the Reload button, or Ctrl+Shift+R), does Firefox do any better on the second try?
As an aside, I do want to mention that I have a different perspective on this part:
rayny said
The frustration that I experience with the HTTPS-Only mode really occurs when I am trying to navigate to a website that I am completely unfamiliar with, that I believe might contain information that I need, and that displays an https:// address in the address bar when it is blocked by the HTTPS-Only mode. I do not want to take a chance of visiting a dodgy website but since I know that cannot rely on the Firefox HTTPS-Only mode to identify an https site (as illustrated by the example of the accessing the FEC website), I suspect that I might be bypassing perfectly secure and helpful https:// websites.
When a site offers an HTTPS connection, you know two things:
(1) Your browser is verifying that the certificate presented by the site matches its address, so you are not connecting to an impostor server for that site
(2) Your communications with the site are encrypted for privacy so your login or other sensitive data cannot be read in transit
But HTTPS doesn't assure you that the operator of the site is trustworthy. The entire phishing scam industry uses HTTPS sites, or they wouldn't fool anyone with their fakes. So in that regard, HTTPS doesn't guarantee much, and HTTP sites can be equally trustworthy.
Read this answer in context 👍 0All Replies (5)
When I run a Google search for site:fast-edgar.com, the results use http and not https. So perhaps the HTTPS addresses are not always available. That is a problem with this feature, Firefox may try HTTPS when it's not available.
I do not understand what jscher2000 means by "That is a problem with this feature, Firefox may try HTTPS when it's not available.", but the fast-edgar link was just an example that happened to be the last very probably legitimate httpd:// website that I encountered this problem with. I didn't want to use an example of a link from a commercial website or an email because that just seems to inspire discussion of tracking sites. I encounter the problem of the HTTPS-Only mode blocking sites with https:// addresses with most of the useful-looking links that I try to follow. The HTTPS-Only mode seems like a good idea but it doesn't work, and I was hoping that it could be fixed. Other users have submitted the problem and the replies always seem to be musings about what the person pointing out the problem is doing wrong, then the thread is archived. I was hoping that I could get someone to look at the code to see if it can be made to work as expected.
rayny said
I do not understand what jscher2000 means by "That is a problem with this feature, Firefox may try HTTPS when it's not available.", but the fast-edgar link was just an example that happened to be the last very probably legitimate httpd:// website that I encountered this problem with.
What I mean is that the feature doesn't always recognize when a site does not work with HTTPS.
I have HTTPS Only mode turned off, and I cannot connect to that site using HTTPS. How did you confirm it works with HTTPS -- did you test in a different browser? When I test in Edge, it cannot connect there using HTTPS either.
The problem is that the HTTPS-Only mode blocks websites that ARE secure https websites. I very often get the blocked site notification when trying to navigate to a website with a https:// URL as shown in the address bar of the blocked site notification page. As an example, please see the attached screenshot labeled "FEC 1 . . .". You will see that the URL in the address bar begins with https://. If I then click on the button labeled "Continue to http Site" I am taken to the website. As an example, please see the attached screenshot labeled "FEC 2. . .". The URL in the address bar of the website is exactly the same as shown in the address bar of the blocked site notification page. It still begins with https://, which I believe indicates that it is a secure https website. If I am confident enough in the security of the page I am trying to navigate to, I can ignore the warning and click on the "Continue to http Site" button to bypass the site blocking, but in that case the HTTPS-Only mode serves no purpose except to slow down access to the site. The frustration that I experience with the HTTPS-Only mode really occurs when I am trying to navigate to a website that I am completely unfamiliar with, that I believe might contain information that I need, and that displays an https:// address in the address bar when it is blocked by the HTTPS-Only mode. I do not want to take a chance of visiting a dodgy website but since I know that cannot rely on the Firefox HTTPS-Only mode to identify an https site (as illustrated by the example of the accessing the FEC website), I suspect that I might be bypassing perfectly secure and helpful https:// websites. The HTTPS-Only mode seems like a really good idea, and I wish it could be fixed so that I could rely on it to warn me when I am trying to navigate to an unsecured website without blocking secure https websites.
Chosen Solution
That is a strange example. I don't know why Firefox is failing to detect HTTPS support in the first screenshot. If you reload the page bypassing the cache (Shift+click the Reload button, or Ctrl+Shift+R), does Firefox do any better on the second try?
As an aside, I do want to mention that I have a different perspective on this part:
rayny said
The frustration that I experience with the HTTPS-Only mode really occurs when I am trying to navigate to a website that I am completely unfamiliar with, that I believe might contain information that I need, and that displays an https:// address in the address bar when it is blocked by the HTTPS-Only mode. I do not want to take a chance of visiting a dodgy website but since I know that cannot rely on the Firefox HTTPS-Only mode to identify an https site (as illustrated by the example of the accessing the FEC website), I suspect that I might be bypassing perfectly secure and helpful https:// websites.
When a site offers an HTTPS connection, you know two things:
(1) Your browser is verifying that the certificate presented by the site matches its address, so you are not connecting to an impostor server for that site
(2) Your communications with the site are encrypted for privacy so your login or other sensitive data cannot be read in transit
But HTTPS doesn't assure you that the operator of the site is trustworthy. The entire phishing scam industry uses HTTPS sites, or they wouldn't fool anyone with their fakes. So in that regard, HTTPS doesn't guarantee much, and HTTP sites can be equally trustworthy.