Solved Automatically Attempt to Make HTTPS Connections

LonM

Some sites are already set up to use HSTS, but unfortunately not all. If a webpage is accessed over HTTP, make an attempt to see if it can be accessed over HTTPS and re-route. Similar to functionality offered by "HTTPS Everywhere" and other Secure Transport Enforcer extensions.

Firefox now offers an option to outright block non-secure connections: https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/

Currently available for testing with a flag: vivaldi://flags/#https-only-mode-setting

jane.n

This setting is now available in Vivaldi 5.4 from Settings > Address Bar > Security Features > Always use Secure Connection (HTTPS).
Read more about the 5.4 release on the blog.

Hadden89

I like the idea. It only has a downside.
A lot of sites has an https version which is totally borked.
Many others simply works cool with https.
Maybe an option somewhere on load which say "try https" and then "use always https here" would be better.
Enforcing https, while useful, could cause headaches to unexperienced users.

LonM

@hadden89 This would not necessarily be an "enforcing" of https, more a background check to see if https is available, and use it if so.

But absolutely, this should not be a default-on option.

Morg42

@lonm said in Automatically attempt to make HTTPS connections:

@hadden89 This would not necessarily be an "enforcing" of https, more a background check to see if https is available, and use it if so.

And how would the user be able to use the "simple" http version if it reroutes automatically? Enter the http address - and it's rerouted again. Effectively it's forced...

This needs some thought. On some web sites the contents differ for http and https.

LonM

@morg42 I guess it could be implemented as a site content permission. Much like the other there could be a global (on|off), and then individually on a per-site basis, rules could be added to override this.

a2forbes

Is this different than the HTTPS everywhere extension, or just looking to include it natively within the Vivaldi browser: https://www.eff.org/https-everywhere

LonM

@a2forbes Similar to HTTPS everywhere, yes. But maybe with a more aggressive stance (if a user chooses to enable it) that looks for https availability even if no "rule" is present, as would be in the extension.

derDay

I wanted to add a feature request and voilà, there's an existing one. I think the topic is way more relevant because nowadays https is way more common than http websites.

And every time I type an address in the addressbar, it first navigates to the http address which clutters the dropdown list with recent addresses.

e.ninger

@Mau Could you explain a little bit further? I found this flag in vivaldi mobile while looking for a workaround to the unavailable - because of missing extension support - option of https everywhere extension. But i'm unsure, how to handle it ...

TIA

e.ninger

Thank you.

The same flag exists in vivaldi mobile and since there is, differently from vivaldi desktop, no option to force https via the installation of an extension, it seems the only way to force https ...

LonM

Firefox is now doing this: https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/ as an option

Hadden89

@LonM The option has sense given that now (usually) only bad coded sites are on http but...

• It should blend well with HSTS (which is the way chromium operate)
• An indicator for the enforced + basic exclusion.
• Still must be opt-in as a niche security feature.

---

[Which is very similar on what the fox says above]

debiedowner

Chrome 90, which is being released today, also does this: https://blog.chromium.org/2021/03/a-safer-default-for-navigation-https.html

I don't know if this will trickle down to Vivaldi 3.8. I know that the address bar UI is completely rewritten in Vivaldi, but I'm not sure whether the decision to make an HTTP or HTTPS request is handled by the Chromium code. If not, I hope that Vivaldi still implements this feature in 3.8 like Chrome and other Chromium browsers.

Pathduck

@debiedowner Vivaldi 3.8 Snapshot is already on Chromium 90 so you're free to test

I'm not sure exactly how to test this in practice though. You'd need to find a site with only http and see if the browser first tries a connect to port 443 before falling back to 80.

jtd871

I'm pretty sure that the Chromium 90 protocol does not apply to hyperlinks in addition to typed addresses.

I suspect that many links on websites have the "HTTP:" bit explicitly coded and the site HTML is not being updated for whatever reason. I run into links to PDF information all the time that attempt to open with HTTP rather than HTTPS.

If I copy the link address and manually change it to HTTPS, I can usually access the content just fine without getting a server error or triggering my company's security appliance.

I would very much like to be able to force all links, not just those that are typed, to be HTTPS by default. I realize this may break a very few sites, but that's a price I'm willing to pay.

fredless

having recently come to Vivaldi after experience with virtually every other major browser - this has been one of my biggest complaints thus far: with those other browsers nowadays, one can just type site.com in the address bar, hit enter, and end up on the https page even if the site does not:

1. issue a redirect to the https URL
2. support a port 80 http connections at all

saudiqbal

Any update on this? Firefox and Chrome are doing this by default now. Vivaldi needs to try https first since it is now becoming more and more common for websites to use https.

jane.n

This setting is now available in Vivaldi 5.4 from Settings > Address Bar > Security Features > Always use Secure Connection (HTTPS).
Read more about the 5.4 release on the blog.