Closed Bug 1426934 Opened 7 years ago Closed 7 years ago

Use https by default unless user types http:// into the address bar.

Categories

(Firefox :: Address Bar, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 1158191

People

(Reporter: mozillabugs, Unassigned)

Details

There is a security issue in Firefox (and other browsers). It has been there forever, and everyone is aware of it: When the user types in a website address into the address bar, say "www.example.net", Firefox will try to load it through http. This uses an insecure connection which can be eavesdropped on, data can be manipulated, etc. Instead, Firefox should use https by default, unless the user explicitly requests http by prepending the address with http://. Should a https connection not succeed, the user could be given the option to try http instead, with a warning about the security implications. The change should be implemented+shipped by all major browser vendors at the same time so users won't move to a less secure browser. Enough time should be given to website operators to ensure their web pages are reachable through https.
I think this is unlikely, as the HTTPS version may be broken.
(In reply to YF (Yang) from comment #1)
> I think this is unlikely, as the HTTPS version may be broken.

Then the site operator is responsible for fixing it. And users could be presented the option to try HTTP, but only if they didn't specify the protocol in the address bar. Also, some sites are only reachable through HTTPS and HTTP won't work at all, so the argument goes both ways :-) Certainly, most HTTPS sites provide a "convenience" feature and redirect from HTTP to HTTPS. But that is insecure. In my opinion, there are no real reasons anymore to not deploy HTTPS, and most sites already do. It's finally time for browsers to change their default to "secure". Users could still choose to use "insecure" if they really want to. Thanks for the link to bug 902338. Must have missed that one. The situation there is that the user visited the site before. My proposal is for when the browser has no information about the site yet.
This will take a long time to prefer secure connections to sites instead of HTTP. Some sites will never deploy it correctly (e.g. legacy site, intranet or router), users may face performance degradation or error pages, so the security by default is aggressive for now. You can try https://addons.mozilla.org/firefox/addon/smart-https-revived/.
It doesn't have to be rolled out immediately, but it needs to be done eventually. Site operators would get a heads-up, perhaps a year or two. Addons won't fix the problem unless the addon would be installed by default. This won't happen. The goal of my bug report is to protect those users who are unaware of the security implications of not typing in https://. I assume those are most users. Those users will adapt quickly. They will acknowledge the warning and fall back to http, type in http:// manually, bookmark their pages or they will complain to their IT departments and have them deploy https. There will always be some broken and legacy servers. But that shouldn't be a reason to default to insecure.
This will eventually happen, but not now. See bug 1413344 comment 5. I found it repeated.
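The policy the reporter proposes in comment 0 and refines in comment 2 (upgrade scheme-less input to https, keep an explicit http://, and offer an http fallback with a warning only when the user typed no scheme) as an added example; this is illustrative code written for this page, not Firefox's address-bar implementation, and the function names are assumptions:

```javascript
// Added example, not Firefox code: the address-bar policy proposed in this bug.
// Input without a scheme is loaded over https; an explicit http:// is honoured;
// after an https failure, an http fallback is offered only when the user typed
// no scheme, and always together with a warning flag for the UI.

const SCHEME_RE = /^[a-z][a-z0-9+.-]*:\/\//i;

// Turn address-bar input into the URL to load first.
// Returns null when the input is not a loadable address (e.g. a search phrase).
function resolveTypedAddress(input) {
  const typed = input.trim();
  const explicitScheme = SCHEME_RE.test(typed);
  const candidate = explicitScheme ? typed : 'https://' + typed;
  let url;
  try {
    url = new URL(candidate); // normalises scheme/host case, adds trailing "/"
  } catch (_e) {
    return null;
  }
  return { url: url.href, scheme: url.protocol.replace(':', ''), explicitScheme };
}

// Policy for when the https load did not succeed.
function onHttpsFailure(resolved) {
  if (resolved.scheme !== 'https') {
    return { action: 'show-error' }; // nothing to fall back from
  }
  if (resolved.explicitScheme) {
    // The user asked for https; downgrading would silently defeat that choice.
    return { action: 'show-error' };
  }
  const fallback = new URL(resolved.url);
  fallback.protocol = 'http:';
  return { action: 'offer-http-fallback', fallbackUrl: fallback.href, warn: true };
}
```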
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE