Chromium Blog: Towards HTTPS by default - eviltoast

cross-posted from: https://lemmy.world/post/3301227

Chrome will be experimenting with defaulting to https:// if the site supports it, even when an http:// link is used and will warn about downloads from insecure sources for “high-risk files” (example given is an exe). They’re also planning on enabling it by default for Incognito Mode and “sites that Chrome knows you typically access over HTTPS”.

  • Spotlight7573@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    16
    ·
    1 year ago

    It does if you just type in something like wikipedia.org . This most recent change they’re working on is so that a link on a page to:

    http://wikipedia.org will get redirected to https://wikipedia.org if the site supports it.

    This will fix a bunch of old links that are still floating around on various sites, forums, etc and keep people on https, instead of doing the https -> http -> https redirect bouncing around that can happen now.

    • jacaw@lemmy.ml
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      3
      ·
      1 year ago

      Ah, that’s a great feature. Hope this comes to Brave soon.

      • Synthead@lemmy.ml
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        1
        ·
        1 year ago

        I disagree. While in practice, this is often the same website, it is a different protocol and a different port. It just happens to use the same DNS address. You’re explicitly giving your browser a FQDN, and it is ignoring it and doing something else.

        I hope this feature can be disabled. Google has been ignoring the W3C and has shipped proprietary, insecure features in their chromium engine for a while now, so it wouldn’t surprise me if they made it permanent 🤷

        • lolcatnip@reddthat.com
          link
          fedilink
          English
          arrow-up
          8
          ·
          1 year ago

          What kind of monster would deliberately serve different content for http and https versions of the same URL?

          • Synthead@lemmy.ml
            link
            fedilink
            English
            arrow-up
            6
            ·
            1 year ago

            I agree. That would be absurd.

            However, I don’t like not having the option of using HTTP if I want to use it. It’s okay if the webserver redirects me, but I don’t like if my browser does it when I didn’t tell it to. I might want this when doing development, port tunneling, VPN stuff, etc. In most cases, it won’t matter, but when it does, it will be a pain in the ass.

            • dust_accelerator@discuss.tchncs.de
              link
              fedilink
              English
              arrow-up
              4
              ·
              1 year ago

              Imagine you want to test your redirect from 80 to 443 when setting up your webserver.

              While I think for the normal user this enhances security by defaulting to HTTPS, however this makes no sense for a browser. This should be enforced server side, the browser is for browsing, i.e. viewing. Not controlling and competing with the server software for competency.

              Chromium is really leaning into bad code practice with the disregard for “separation of concerns”.

              • Spotlight7573@lemmy.worldOP
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                If it’s enforced server-side, then there’s still an initial connection that is unsecured and can potentially be intercepted/modified before it gets to the redirect from 80 to 443.

          • Valmond@lemmy.mindoki.com
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            1 year ago

            I have, and for quite some time when I was trying to set Https up.

            It’s really bad IMO to “decide what the user wants” even if this is both discussable and a very small step, it is a step towards that.