{"id":2789,"date":"2021-08-10T00:28:51","date_gmt":"2021-08-10T07:28:51","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2789"},"modified":"2021-08-10T00:28:51","modified_gmt":"2021-08-10T07:28:51","slug":"firefox-91-introduces-https-by-default-in-private-browsing","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/","title":{"rendered":"Firefox 91 introduces HTTPS by Default in Private Browsing"},"content":{"rendered":"<p>&nbsp;<\/p>\n<p>We are excited to announce that, starting in Firefox 91, Private Browsing Windows will favor secure connections to the web by default. For every website you visit, Firefox will automatically establish a secure, encrypted connection over HTTPS whenever possible.<\/p>\n<h2>What is the difference between HTTP and HTTPS?<\/h2>\n<p>The Hypertext Transfer Protocol (HTTP) is a key protocol through which web browsers and websites communicate. However, data transferred by the traditional HTTP protocol is unprotected and transferred in clear text, such that attackers are able to view, steal, or even tamper with the transmitted data. The introduction of HTTP over TLS (HTTPS) fixed this privacy and security shortcoming by allowing the creation of secure, encrypted connections between your browser and the websites that support it.<\/p>\n<p>In the early days of the web, the use of HTTP was dominant. But, since the introduction of its secure successor HTTPS, and further with the <a href=\"https:\/\/letsencrypt.org\/\">availability of free, simple website certificates<\/a>, the <a href=\"https:\/\/letsencrypt.org\/stats\/#percent-pageloads\">large majority of websites now support HTTPS<\/a>. While there remain many websites that don\u2019t use HTTPS by default, a large fraction of those sites do support the optional use of HTTPS. In such cases, Firefox Private Browsing Windows now automatically opt into HTTPS for the best available security and privacy.<\/p>\n<h2>How HTTPS by Default works<\/h2>\n<p>Firefox\u2019s new HTTPS by Default policy in <a href=\"https:\/\/support.mozilla.org\/en-US\/kb\/private-browsing-use-firefox-without-history\">Private Browsing Windows<\/a> represents a major improvement in the way the browser handles insecure web page addresses. As illustrated in the Figure below, whenever you enter an insecure (HTTP) URL in Firefox\u2019s address bar, or you click on an insecure link on a web page, Firefox will now first try to establish a secure, encrypted HTTPS connection to the website. In the cases where the website does not support HTTPS, Firefox will automatically fall back and establish a connection using the legacy HTTP protocol instead:<\/p>\n<div id=\"attachment_2790\" style=\"width: 2570px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/blog.mozilla.org\/security\/files\/2021\/08\/https_first-scaled.jpg\"><img aria-describedby=\"caption-attachment-2790\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-2790 size-full\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2021\/08\/https_first-scaled.jpg\" alt=\"\" width=\"2560\" height=\"741\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2021\/08\/https_first-scaled.jpg 2560w, https:\/\/blog.mozilla.org\/security\/files\/2021\/08\/https_first-300x87.jpg 300w, https:\/\/blog.mozilla.org\/security\/files\/2021\/08\/https_first-600x174.jpg 600w, https:\/\/blog.mozilla.org\/security\/files\/2021\/08\/https_first-768x222.jpg 768w, https:\/\/blog.mozilla.org\/security\/files\/2021\/08\/https_first-1536x444.jpg 1536w, https:\/\/blog.mozilla.org\/security\/files\/2021\/08\/https_first-2048x593.jpg 2048w, https:\/\/blog.mozilla.org\/security\/files\/2021\/08\/https_first-1000x289.jpg 1000w\" sizes=\"(max-width: 2560px) 100vw, 2560px\" \/><\/a><p id=\"caption-attachment-2790\" class=\"wp-caption-text\">If you enter an insecure URL in the Firefox address bar, or if you click an insecure link on a web page, Firefox Private Browsing Windows checks if the destination website supports HTTPS. If <b>YES<\/b>: Firefox upgrades the connection and establishes a secure, encrypted HTTPS connection. If <b>NO<\/b>: Firefox falls back to using an insecure HTTP connection.<\/p><\/div>\n<p>(Note that this new HTTPS by Default policy in Firefox Private Browsing Windows is not directly applied to the loading of in-page components like images, styles, or scripts in the website you are visiting; it only ensures that the page itself is loaded securely if possible. However, loading a page over HTTPS will, in the majority of cases, also cause those in-page components to load over HTTPS.)<\/p>\n<p>We expect that HTTPS by Default will expand beyond Private Windows in the coming months. Stay tuned for more updates!<\/p>\n<h2>It\u2019s Automatic!<\/h2>\n<p>As a Firefox user, you can benefit from the additionally provided security mechanism as soon as your Firefox auto-updates to version 91 and you start browsing in a Private Browsing Window. If you aren\u2019t a Firefox user yet, <a href=\"https:\/\/www.mozilla.org\/firefox\/new\/\">you can download the latest version here<\/a> to start benefiting from all the ways that Firefox works to protect you when browsing the internet.<\/p>\n<h2>Thank you<\/h2>\n<p>We are thankful for the support of our colleagues at Mozilla including Neha Kochar, Andrew Overholt, Joe Walker, Selena Deckelmann, Mikal Lewis, Gijs Kruitbosch, Andrew Halberstadt and everyone who is passionate about building the web we want: free, independent and secure!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; We are excited to announce that, starting in Firefox 91, Private Browsing Windows will favor secure connections to the web by default. For every website you visit, Firefox will &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/\">Read more<\/a><\/p>\n","protected":false},"author":960,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[280776,466095,454645,318213],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Firefox 91 introduces HTTPS by Default in Private Browsing - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Christoph Kerschbaumer, Tomer Yavor, Julian Gaibler, Arthur Edelstein\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/\",\"name\":\"Firefox 91 introduces HTTPS by Default in Private Browsing - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2021\/08\/https_first-scaled.jpg\",\"datePublished\":\"2021-08-10T07:28:51+00:00\",\"dateModified\":\"2021-08-10T07:28:51+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/2aa58e904cdee9bfd7aef6290ccfba5b\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/security\/files\/2021\/08\/https_first-scaled.jpg\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2021\/08\/https_first-scaled.jpg\",\"width\":2560,\"height\":741,\"caption\":\"If you enter an insecure URL in the Firefox address bar, or if you click an insecure link on a web page, Firefox Private Browsing Windows checks if the destination website supports HTTPS. If YES: Firefox upgrades the connection and establishes a secure, encrypted HTTPS connection. If NO: Firefox falls back to using an insecure HTTP connection.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Firefox 91 introduces HTTPS by Default in Private Browsing\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/2aa58e904cdee9bfd7aef6290ccfba5b\",\"name\":\"Christoph Kerschbaumer\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/c2f32f82e57d2d276655d533c069c73d\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/34c427186fcdd42f4c9c57a8bd0bcd7b?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/34c427186fcdd42f4c9c57a8bd0bcd7b?s=96&d=identicon&r=g\",\"caption\":\"Christoph Kerschbaumer\"},\"description\":\"Manager, Security Engineering\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Firefox 91 introduces HTTPS by Default in Private Browsing - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/","twitter_misc":{"Written by":"Christoph Kerschbaumer, Tomer Yavor, Julian Gaibler, Arthur Edelstein","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/","url":"https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/","name":"Firefox 91 introduces HTTPS by Default in Private Browsing - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/security\/files\/2021\/08\/https_first-scaled.jpg","datePublished":"2021-08-10T07:28:51+00:00","dateModified":"2021-08-10T07:28:51+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/2aa58e904cdee9bfd7aef6290ccfba5b"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/#primaryimage","url":"https:\/\/blog.mozilla.org\/security\/files\/2021\/08\/https_first-scaled.jpg","contentUrl":"https:\/\/blog.mozilla.org\/security\/files\/2021\/08\/https_first-scaled.jpg","width":2560,"height":741,"caption":"If you enter an insecure URL in the Firefox address bar, or if you click an insecure link on a web page, Firefox Private Browsing Windows checks if the destination website supports HTTPS. If YES: Firefox upgrades the connection and establishes a secure, encrypted HTTPS connection. If NO: Firefox falls back to using an insecure HTTP connection."},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2021\/08\/10\/firefox-91-introduces-https-by-default-in-private-browsing\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Firefox 91 introduces HTTPS by Default in Private Browsing"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/2aa58e904cdee9bfd7aef6290ccfba5b","name":"Christoph Kerschbaumer","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/c2f32f82e57d2d276655d533c069c73d","url":"https:\/\/secure.gravatar.com\/avatar\/34c427186fcdd42f4c9c57a8bd0bcd7b?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/34c427186fcdd42f4c9c57a8bd0bcd7b?s=96&d=identicon&r=g","caption":"Christoph Kerschbaumer"},"description":"Manager, Security Engineering"}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2789"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/960"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2789"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2789\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2789"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2789"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2789"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2789"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}