Skip to main content
Topic: Librewolf: HTTPS is Not Everywhere (Read 775 times) previous topic - next topic
0 Members and 2 Guests are viewing this topic.

Librewolf: HTTPS is Not Everywhere

[checked] Enable HTTPS-Only Mode in all windows
No https for:
www.google.com/ 142.250.75.35:http

Delete all of the librewolf folders, restart.
Open the browser and there is 1 ip that is not https:
http://104.18.20.226/

Code: [Select]
Error 1003 Ray ID: 962b6656db528ca3 • 2025-07-21 14:31:03 UTC
Direct IP access not allowed
What happened?

I checked the Manage Exceptions and the ip '104.18.20.226' was in the list of exceptions.
How is that posssible on an appimage? Is it baked in or added after?
You've requested an IP address that is part of the Cloudflare network.

How is Cloudflare bypassing https everywhere in the browser?

If this is doing this for Google, then my sign ins may be visible, passwords in the clear. Great Googly Moogly.


Edit:
I checked the Manage Exceptions and the ip '104.18.20.226' is in the exceptions list.
I'm using an appimage. How did it get in the exception list? Was it baked in or added after the fact?

Re: Librewolf: HTTPS is Not Everywhere

Reply #1
Cloudflare seems to act as a man in the middle for https and it seems to ignore the fact that my local nginx certificate chain is out of date. If I visit http://site cloudflare seems to just move it to https, but I am not an expert and someone else changed the dns to get cloudflare to handle some robot attacks.
 

Re: Librewolf: HTTPS is Not Everywhere

Reply #2
One of the http entries is for Connman, so it can determine connection status, from READY to ONLINE.

I don't like this because anyone monitoring the packets on the network can identify when I connect to the network.
To solve this, I would have to use a solution that doesn't phone home  every time I connect to the internet.

The other entries aren't making sense to me. www.google.com, Fastly, and Cloudflare.
Why are these non-secure ip's making connections when I run Librewolf?

Re: Librewolf: HTTPS is Not Everywhere

Reply #3
Quote from: tsedek1 – on
I don't like this because anyone monitoring the packets on the network can identify when I connect to the network.
To solve this, I would have to use a solution that doesn't phone home  every time I connect to the internet.
Put "OnlineCheckMode = none" in /etc/connman/main.conf