Chromium Blog: Towards HTTPS by default - eviltoast

cross-posted from: https://lemmy.world/post/3301227

Chrome will be experimenting with defaulting to https:// if the site supports it, even when an http:// link is used and will warn about downloads from insecure sources for “high-risk files” (example given is an exe). They’re also planning on enabling it by default for Incognito Mode and “sites that Chrome knows you typically access over HTTPS”.

  • LittleLily@shinobu.cloud
    link
    fedilink
    English
    arrow-up
    9
    ·
    1 year ago

    It does specifically say “defaulting to https:// if the site supports it”, so I think specifying http will still work if the site doesn’t actually support https.

    • dust_accelerator@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      No testing a server side http-to-https upgrade/redirect without reconfiguring your browser. This seems like an unnecessary and bad idea.

      This could be easily done better by promoting such server-side configurations as a default.

      I mean, why should the browser attempt to correct inappropriately configured servers? Shouldn’t they rather be making PRs to NGINX/Apache/CAs or whatever?

      Also: can’t this be exploited to spoof an unavailable HTTPS and coerce an unencrypted connection?