Error message re: insecure web sites

[Ed1]

I am running FF 56.0.1. But this issue has surfaced for me with prior versions as well.

Sometimes when I enter the name of a website into the address box, without including either www. or http or https, I get a Firefox error message that the site is not secure, and the connection can be made only if I enter a security exception for that site. But if I first enter the identical site address into the Search box (set to Duck Duck Go), get the search results which include the identical website address and click on that, the web page loads immediately, with an https address shown in the address bar.

Why is this happening, and why for only some websites?

I have HTTPS Everywhere and HTTPS by Default both installed.

[Reflective]

Clear the cache. FF is trying to use an invalid version of the site by using the cache whereas a search engine will only find valid domains.

Copy/paste: about:preferences#advanced into the location bar and hit Enter and then click the Network tab. In the Cached Web Content menu in the middle, click the Clear Now button.

EDIT: Also, hit Ctrl+Shift+B to load the library and then click History in the left hand menu. In the Search History field top right type the name of the site which is causing the problem. Then right click it and click "Forget about this site". Firefox will subsequently remove all instances of the site.

[TheVisitor]

More than likely your two addons HTTPS everywhere and HTTPS - Default is causing the trouble. You can't 'force' https is the site server is not set up for that feature.

[makaiguy]

There are several factors at work here in addition to what is mentioned above (there may be more, but these are what come to mind):

• You are using extensions that cause the browser to attempt to force secure (https) connections even if https is not entered. I don't use any of these, but I assume they first attempt https and if that fails fall back to http. (??)
• Many websites are not configured to support connections secured by the https protocol and may ONLY be reached by http.
• Secured websites must have valid security certificates that are sent as part of the secure connection process. Expired certificates or ones that are otherwise invalid will prevent a secured connection, unless you are willing to create/accept an exception for this site.
• Servers can be configured to shunt all traffic to the https secured protocol, even if initially accessed by the http protocol. So it could be if this change was recently made on a particular server, an unsecured http connection that worked yesterday might fail today if the server's https is not configured correctly.
• It used to be that only sites handling important personal data (e.g. financial sites) were secured by https, or if they did have https capabilities, they might only have been only used on pages in which sensitive data was actually transmitted. But in this day of identity theft, many more mundane sites are adding https capabilities, and secure connections are now more commonly applied to whole websites, not just pages with sensitive information. In fact, search engines have begun penalizing non-secured sites with poorer placement in their search results, prompting many previously unsecured sites to try to set up https access. We just went through this on a bulletin board I administer, and it's not as easy as it sounds. In many cases, their first attempts don't get things right.
• In its last several versions, Firefox started giving a warning when attempting to log into sites not accessed via a secure connection. See this post for more information and how to prevent these notices: http://forums.mozillazine.org/viewtopic ... #p14738686

[edited to fix typos]

[Ed1]

Thanks, everyone, for the responses and detailed explanations. Very informative.

After clearing cache and removing one particular site from the library/history without any change to the FF behavior, I found that that disabling HTTPS by Default allows the site in question to load without the security error. This is so even if HTTPS Everywhere is left enabled.

I will try to learn more about the differences between these two addons, but remember reading that they could/should both be used simultaneously. I guess not for some sites.

[Brummelchen]

I have HTTPS Everywhere and HTTPS by Default both installed.

i dont see any benefit in general using such extensions. if a server is set up properly it auto-switch to ssl - if not admin is an idiot. and this can cause mixed content -> site in general is insecure.

[Ed1]

Does anyone know why forums.mozillazine.org [this site] does not allow connections using https? And logins to mozillazine are triggering the FF warning regarding insecure transmission of username and password.

I would have thought that a site devoted to Firefox would not permit login credentials to potentially be compromised.

[Brummelchen]

http://forums.mozillazine.org/viewtopic ... &t=3028083