Showing questions for topic:
  • Encryption

I would like to understand how DNS over HTTPS impacts browsing speed and privacy in Firefox.

Details: Hello everyone,

I am currently exploring Firefox privacy and network settings, especially DNS over HTTPS (DoH). I noticed that enabling this feature slightly changes website loading behavior on some networks.

I would like to ask:

Does DNS over HTTPS introduce additional latency?
Are there performance differences between providers?
Can corporate or public Wi-Fi networks interfere with DoH requests?
Is there a recommended configuration for balancing privacy and performance?

I’m interested in both technical explanations and real-world experiences from Firefox users.

Thank you.

Open 2

Firefox intermittently failing Cloudflare PQC X25519MLKEM768 test

Hello,

I have been testing all browsers I use (Firefox, Chrome, Edge) on Cloudflare Post-Quantum Key Agreement to verify PQC support. They all support the X25519MLKEM768 hybrid scheme (i.e. Cloudflare web page returns "You are using X25519MLKEM768 which is post-quantum secure").

The issue: When I run the test in Firefox multiple times by doing repeated hard refreshes (Ctrl+Shift+R), quite often the result is "You are using X25519 which is not post-quantum secure". Sometimes the very first run after opening Firefox gives the X25519 (failing) result. "Often" varies. Sometimes it's around 10 fails out of 50 tests, other times it's 1 out of 50. It seems random.

I have read that sometimes networking equipment or even ISPs can be the cause of PQC requests falling back to non-PQC due to the long keys in PQC, but I do not see this intermittent issue with Chrome or Edge on the same computer/network/ISP as Firefox. I have not seen a single failure so far on those two browsers. The only variable I am aware of is the web browser.

I also tried connecting to a cellular hotspot as well as disabling my Norton 360 firewall and the results are the same as above.

Looking for help to resolve this issue. Thanks.

Solved 2

lock exception button for dnsoverhttps.

Hi, I'm using a policy file to force a family DNS. I've written the current code down below. Unfortunately this leaves the "manage exceptions" button open, where it's possible to simply bypass the block for a specific site. Is there a way to lock this button in the policy file? Thank you very much.

{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": true,
      "Locked": true,
      "ProviderURL": "https://doh16.jusprogdns.com/dns-query"
    },
    "Preferences": {
      "network.trr.mode": {
        "Value": 3,
        "Status": "locked"
      }
    }
  }
}

Open 1

New security codes for vodafonemail.de, TLS code not available in Thunderbird

Incoming mail server IMAP (recommended): imap.vodafonemail.de. Ports for incoming IMAP: SSL: 993 / TLS: 143

Outgoing mail server SMTP: smtp.vodafonemail.de. Ports for outgoing SMTP: SSL: 465 / TLS: 25 or 587

Solved 5 27

Problem using public key for s/mime

I have tried using s/mime encryption for the first time. I have created 3 different accounts using the same CA on 3 different devices. All three can communicate with each other using the s/mime encryption. I used multiple methods: sending a signed email first and then encrypted+signed, creating a .pem file with the public key, importing it in Manage certificates/People and sending an encrypted+signed email. Sending an encrypted email from and to the same address also works. What I can't seem to be able to do is use any other public keys. I have a list of companies and their keys, but whether I use a file downloaded from their site or copy the key to a txt file and then make a .pem file out of it, as I did with my addresses, I can't send an email that is both encrypted and signed. I get "end-to-end encryption requires resolving certificate issues for ..." and the recipient status "not found". They specifically don't want to send a signature first and then encrypted+signed, and I am stuck trying to figure out what I am doing wrong. Any help is greatly appreciated.

Open 9

I can't click the green lock icon in the URL bar of the web browser that launches within Thunderbird.

When adding a new email account, the built-in web browser launches and displays the OAuth screen. To verify the security of the destination site, I want to click the green lock icon in the URL bar to check the details, but I can’t click it.

Does a green lock icon mean a secure connection has been established?

Solved 6 27

When/why did Mozilla quit putting https:// in the address bar?

Using FF 140.10.1 ESR on a Windows PC I noticed (probably long after the fact and numerous updates) that there's no longer https:// in the address bar. Having some recent issues with security made me look for this.

When I switched to Edge, the https:// was in the addresses I was using. There is a lock symbol, but the locks seem to change in their appearance from one browser or website to the next.

Was this verification sign removed and, if so, why?

Thank you.

Open 2 27

"certificate for imap.gmail.com does not come from a trusted source"

Every time I launch Thunderbird Beta 151.0b1 on Arch Linux, I immediately get a notification saying "The certificate for imap.gmail.com does not come from a trusted source." If I click through to the exception dialog, it shows "No Information Available / Unable to obtain identification status for this site" — it can't even fetch the certificate to show me what's wrong with it. The error only appears on launch and doesn't come back. Mail sends and receives fine.

From the terminal, openssl connects to imap.gmail.com:993 without any issue (Verify return code: 0, TLS 1.3, X25519MLKEM768). No antivirus, no VPN, no TLS-intercepting software. NSS 3.123.

Has anyone else seen this? Is this a known Beta issue?

Open 9

Digital signing and encrypting: Where can I see/read what EXACTLY causes an "Invalid Signature" in a received mail?

Dear all,

When receiving signed AND encrypted mails from an Outlook-account I get the exclamation sign for the signature.

The message is (German): "Digitale Signatur ist ungültig Diese Nachricht enthält eine digitale Signatur, die aber ungültig ist. Die Nachricht wurde mit einer Verschlüsselungsstärke signiert, die von dieser Version Ihrer Software nicht unterstützt wird. Signiert von...."

I already did all standard checks (trusted, new hash algorithm and so on).

Now I would like to know the EXACT reason why Thunderbird is not accepting the digital signature. How can I accomplish this?

THX in advance and best regards!

Open 4 18

S/MIME Class 1

2026-04-25 SAT 14:45 BST I have bought a DigiCert S/MIME Class 1 certificate from thesslstore, but I have not yet got it. They sent me 3 .crt files, but I have not understood how to use them. I hope someone can explain the problem and/or suggest what I can do about it please? I do not remember having this sort of problem in previous years.

Open 3 27

Can't use mTLS with API endpoints

Recently I set up mTLS on my admin endpoint. I tried entering it as an API on the other website, and in Firefox it wouldn't work. But if I tried to access the endpoint directly it would work, and even save my certificate choice. In Chrome, everything works just fine with both direct and API access. It is not a problem of the website, nor a problem of the OPTIONS preflight, since both of those are configured correctly on my nginx.

Open 9

Request to enable X25519MLKEM768 on detectportal.firefox.com for improved privacy

Dear Mozilla Team,

I kindly ask you to add support for the X25519MLKEM768 hybrid post-quantum key exchange to the domain detectportal.firefox.com (the URL used by Firefox connection testing). This small change would significantly strengthen privacy protection for millions of users who rely on Firefox's connection test URL. As you know, this mechanism has already been successfully implemented on almost all of your other domains. Extending the same protection to detectportal.firefox.com would ensure consistency and close the remaining gap. Thank you very much for your ongoing work on privacy and post-quantum cryptography. I would greatly appreciate your attention to this request.

Best regards,

Anonymous

Open 2 27

Error while saving a draft

Good morning, when composing a message and trying to save it for later, I get this message:

Ostrzeżenie Błąd podczas zapisywania szkicu - W Twojej bazie kluczy nie można odnaleźć identyfikatora klucza „0xD3ADE4868E262032”.

I can't fix this. iOS system on a Mac.

I am asking for support.

Regards

Open 1 18

certificate problems

Why do I suddenly (from one day to another) receive the message: "Das Zertifikat für imap.gmail.com stammt nicht von einer vertrauenswürdigen Quelle."

when trying to download messages from Gmail?

I have not changed anything at all.

Solved 4 9

Smartcards & broken GPG support

Hello,

I am writing this message in regards to Thunderbird's GPG support after v68, in the last hope that someone suggests a solution that moves me away from version 68. I consider the current state broken.

My PGP keys reside on a Yubikey, but smartcard usage has been broken after v68, as none of the supposedly correct setups work. It should work pretty much out of the box, but it doesn't. The whole idea of moving away from Enigmail without having a properly, fully implemented support, including for smartcards, or at least for working with GPG, was utterly misguided, IMO, and broke the once nice client.

I enabled gpg usage and fetching in Settings, I imported my pubkeys to Thunderbird's PGP manager, then added my external key (with GPG). Everything looks fine. But when I click an encrypted message, I get "The secret key that is required to decrypt this message is not available". Nah, it's available and it's there! The pinentry isn't appearing at all and this is the result. I believe this is TB's fault, as the pinentry correctly appears with everything else I do, also with TB 68 + Enigmail. The setup is the same. I am using the latest Gpg4win.

Settings:

mail.openpgp.allow_external_gnupg - true
mail.openpgp.fetch_pubkeys_from_gnupg - true
mail.openpgp.alternative_gpg_path - has no effect whether set or not

gpg-agent.conf:

enable-win32-openssh-support
default-cache-ttl-ssh 900
max-cache-ttl-ssh 1800
no-allow-external-cache
default-cache-ttl 300
max-cache-ttl 3000
ignore-cache-for-signing
allow-loopback-pinentry

gpg.conf:

utf8-strings
auto-key-locate local
use-agent

FYI, adding "pinentry-program" has no effect on solving the problem, whether set or not.

Your suggestions are welcome!

Solved 1 91

Firefox is driving me crazy by "upgrading" 'http' URLs to 'https'

Hi there.

Since quite a while Firefox is trying to enhance our browsing security by "upgrading" connections from "http" to "https." This may generally be a good idea, but it is literally driving me crazy at the moment because it also does so for "internal" sites I host within my LAN (such as my "Home Assistant" instance or a Zigbee coordinator, accessible via its own hostname and web UI). However, these connections will fail, because I don't have certificates for my internal hosts, and thus there is no "https" listener. :-(

(I use my own subdomain "<host>.city.internal.example.org" internally, so Firefox may be confused?)

I feel this behavior has become "more aggressive" within the last few days, so maybe it is due to a Firefox update?

Is there a bullet-proof way to prevent Firefox from doing so?

I've already set the below options to false:
- dom.security.https_first
- dom.security.https_first_for_custom_ports
- dom.security.https_first_for_local_addresses
- dom.security.https_first_for_unknown_suffixes
- dom.security.https_first_pbm
- dom.security.https_first_schemeless
- dom.security.https_only_mode
- dom.security.https_only_mode.upgrade_local
- dom.security.https_only_mode_pbm

Help, please!

I'm close to abandoning Firefox in favor of a different browser, because at the moment it's close to being unusable for me... :-(

Kind regards,

Ralf

Open 45