Why does the browser default to HTTP instead of HTTPS?
-
@pafflick said in Why does the browser default to HTTP instead of HTTPS?:
@swiggi said in Why does the browser default to HTTP instead of HTTPS?:
why would any serious web site be run on http?
I guess it's a question you should ask webmasters of those websites. I know it's not a frequent case these days, but if a website doesn't exchange any sensitive data with the user (a read-only kind of site), why would its webmaster care about going through all the hassle of adding/maintaining an SSL certificate?
Anyway, I believe other browsers also default to HTTP when requesting a page, so it's a broader issue...
This is false. HTTPS has been enforced for a good while now, and it is considered a security risk to go on HTTP websites.
You even get a big red banner warning you not to enter a website when it is not under HTTPS.
-
@kobi, I have also gotten a red banner several times on HTTPS pages, and I also know a lot of HTTP pages that are completely secure, most of them open source, whose devs don't have the money to pay a certifier or simply forgot it.
Currently, as I said, HTTPS isn't a guarantee of security; that depends on other factors, such as a certificate that everyone can buy, including those with bad intentions.
Because of this, Google in the past spoke about eliminating it completely from the URL.
Nowadays the only possibility is to check an unknown URL with VirusTotal before entering, to stay safe, and also with Blacklight to check privacy issues, if you want (the Microsoft homepage even uses keyloggers from Tower Data and a large number of other tracking methods, more than most others).
-
@catweazle said in Why does the browser default to HTTP instead of HTTPS?:
@kobi, I have also gotten a red banner several times on HTTPS pages, and I also know a lot of HTTP pages that are completely secure, most of them open source, whose devs don't have the money to pay a certifier or simply forgot it.
Currently, as I said, HTTPS isn't a guarantee of security; that depends on other factors, such as a certificate that everyone can buy, including those with bad intentions.
Because of this, Google in the past spoke about eliminating it completely from the URL.
Nowadays the only possibility is to check an unknown URL with VirusTotal before entering, to stay safe, and also with Blacklight to check privacy issues, if you want (the Microsoft homepage even uses keyloggers from Tower Data and a large number of other tracking methods, more than most others).
If you are getting big red banners on HTTPS, you clearly need to check your certificate store and what websites you are trying to enter.
Google removed HTTPS from the link because it is enforcing HTTPS with no support for HTTP.
-
@kobi, as you say, it depends on the certificate of the page, a certificate that a page with malware can also buy to show https in the URL.
In the past it was a guarantee of security, but currently it isn't. I can post here several insecure HTTPS pages and others with HTTP without problems, despite them showing "not secure" in the address bar, for example the well-known old open-source browser game OpenLara.
VT analysis of an HTTPS page I tried some days ago; I have also seen dozens of worse ones.
If you don't know a link, don't trust the HTTPS; most phishing pages put HTTPS in the URL. Because of this there are filters in the ad and tracker blocker, not by HTTP or HTTPS.
-
@catweazle said in Why does the browser default to HTTP instead of HTTPS?:
@kobi, as you say, it depends on the certificate of the page, a certificate that a page with malware can also buy to show https in the URL.
In the past it was a guarantee of security, but currently it isn't. I can post here several insecure HTTPS pages and others with HTTP without problems, despite them showing "not secure" in the address bar, for example the well-known old open-source browser game OpenLara.
VT analysis of an HTTPS page I tried some days ago; I have also seen dozens of worse ones.
If you don't know a link, don't trust the HTTPS; most phishing pages put HTTPS in the URL. Because of this there are filters in the ad and tracker blocker, not by HTTP or HTTPS.
You seem to misunderstand the purpose of HTTPS: it is not to stop malicious websites, but to encrypt your traffic.
-
@kobi, yes, I understand, but an encrypted connection is relevant on pages where you enter personal information, not so much on pages like the mentioned game, or sites like Wikipedia or similar. Pages like your bank have, apart from HTTPS, other protections, which you can see in the address bar.
What I mean is that HTTPS alone isn't a guarantee of security anymore. For phishing or malware it is irrelevant whether the connection is encrypted or not.
It's good to encrypt messages between your friends, family, company or mail; that is the only moment where HTTPS is important, to prevent private information from being intercepted by others, but it is irrelevant between you and a page with malware. Because of this you have the additional protection of the browser, extensions, DNS or any encryption and security software that puts a red flag on contaminated pages, HTTPS and HTTP alike.
-
@kobi said in Why does the browser default to HTTP instead of HTTPS?:
This is false
Can you point out which part you think is "false" exactly?
@kobi said in Why does the browser default to HTTP instead of HTTPS?:
is considered a security risk to go on HTTP websites.
Could you please elaborate on how exactly going to an HTTP website is considered a "security risk" if the user is not sending any data to said website?
@kobi said in Why does the browser default to HTTP instead of HTTPS?:
You even get a big red banner warning you not to enter a website when it is not under HTTPS.
Not sure which browser shows "big red banners", but I tried opening one such website in Edge, and it just shows a warning on the URL bar but connects with the site fine otherwise.
-
A big red banner like this one on HTTPS.
Another, tested downloads from an HTTPS site (one of the worst I know):
https://www.virustotal.com/gui/file/75b209b3bb747037792b6c7a10a0a123fab23ed4ed17b937c240ddc45ff8f6ee/detection
-