Figured it out.

I'll leave this here for anyone you happens to google upon this.

Firefox 61 changed the HTST and now forces "new" to use HTTPS prior to even reaching out of the computer.

You can disable this by modifying "network.stricttransportsecurity.preloadlist" in about:config from true to false

This probably isn't super secure because that list also contains things like youtube and the google play store, but it buys me a time to fix my naming conventions.

So your site is just http://new and nothing else?

This seems wrong, doesn't it? While https://somedomain.new/ is forced to HTTPS at the request of the registry operator, I don't know why the "local" hostname http://new/ should be forced to HTTPS. Seems like a mistake.

Not that I think it will come up all that often, but you could consider filing a bug so you have the freedom to name one of your servers android or dev without having to get an SSL cert for it.

https://bugzilla.mozilla.org/enter_bug.cgi

Yes and no.

The site has a proper FQDN, but the old support staff (some where around 12 years ago) was a bit lazy and mapped a bunch of shortcuts and user favorites to just http://new/<app name>. Which worked until now.

I get that this is probably a rare issue, but It was super annoying to work out why all of a sudden things stopped working and only for certain users.

Also after some more research I found that chrome is going to be implementing the same changes in version 69.

Networked_Greatness said

Also after some more research I found that chrome is going to be implementing the same changes in version 69.

Firefox uses Chrome's HSTS list, so I'm surprised Chrome isn't enforcing this yet. They always let Firefox go first on the unpopular stuff. ;-)

Just in case any one wants to follow I've submitted a bug report

Bug 1475450

See where that goes