Slowly but steadily, HTTPS has taken over web browsing in the past few years. This Secure Hypertext Transfer Protocol (the secure version of the original HTTP) uses SSL/TLS encryption and greatly improves security as well as privacy, preventing eavesdropping while data is in transit between clients and servers.
All browsers support HTTPS and encourage its use. Google's decision to mark HTTP pages as "not secure" was a decisive step in its adoption. Given the dominance of Chrome in browsing worldwide, and Google's position on the Internet in general, moving a website to HTTPS became unavoidable, both for security reasons and for search engine positioning. Today its use is widespread.
However, not all content on HTTPS pages is secure. Technically speaking, HTTPS only guarantees that the connection to the page is secured by means of encryption. It does not guarantee the same for the page's resources, the content included in the page or the links accessible from it.
The danger is even greater when it comes to downloaded content that doesn't come from the same HTTPS page. Known as "mixed content downloads," these carry the risk of an HTTPS web page creating an insecure connection to an HTTP resource, nullifying the benefits of that secure web page. Today's web browsers typically warn users about visiting non-HTTPS web pages, but not about downloading from unsecured connections.
Therefore, starting next month, Mozilla will follow in Google's footsteps and make Firefox block downloads on HTTPS pages that come from insecure HTTP content. Google started making these changes to Chrome last year.
The feature is now available in development versions of Firefox and can also be enabled in stable releases by activating the experimental feature dom.block_download_insecure in about:config.
The feature will be rolled out to all users in Firefox 92, scheduled for release on September 7. From then on, the browser will block the download and warn users when they try to download content delivered over HTTP while they are on an HTTPS page. The block will not be total: users will still be able to choose to download at their own risk.
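Site owners can look for links of the kind described above, where an HTTPS page points at a download served over HTTP, before the block reaches their users. The following Python script is an added example, not code from Mozilla or from the original article; the extension list, function names and sample markup are assumptions, and a static scan of the HTML cannot see redirects or response headers.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: extensions treated as likely downloads; a static scan cannot see response headers.
DOWNLOAD_EXTS = (".exe", ".msi", ".dmg", ".pkg", ".zip", ".iso", ".apk", ".pdf")

class _LinkCollector(HTMLParser):
    """Collects href values of <a> tags and notes the first <base href>."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.links = []  # (href, has_download_attribute)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base is None:
            self.base = a["href"]
        elif tag == "a" and a.get("href"):
            self.links.append((a["href"], "download" in a))

def insecure_downloads(page_url, html):
    """Return absolute http:// download targets linked from an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only applies to pages loaded over HTTPS
    collector = _LinkCollector()
    collector.feed(html)
    # Relative links resolve against <base href> when present, else the page URL.
    base = urljoin(page_url, collector.base) if collector.base else page_url
    findings = []
    for href, has_download in collector.links:
        target = urlsplit(urljoin(base, href.strip()))
        looks_like_file = target.path.lower().endswith(DOWNLOAD_EXTS)
        if target.scheme == "http" and (has_download or looks_like_file):
            findings.append(target.geturl())
    return findings

# Constructed sample markup, not taken from any real site.
SAMPLE = """
<a href="http://downloads.example.com/setup.exe">Installer</a>
<a href="//cdn.example.com/tool.zip">Protocol-relative, inherits https</a>
<a href="/files/manual.pdf">Same origin</a>
<a href="http://example.org/report" download>Forced download</a>
<a href="http://example.org/about.html">Plain navigation</a>
"""

if __name__ == "__main__":
    for url in insecure_downloads("https://www.example.com/get/", SAMPLE):
        print("insecure download:", url)
```

Only the first and fourth links in the sample are reported: the protocol-relative and same-origin links inherit HTTPS from the page, and the last link is ordinary navigation rather than a download.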