V 6.7 | Forces HTTPS
-
@yngve The fact remains that there's probably hundreds of thousands of small misconfigured sites like this one out there - where it's listening on 443, has a valid certificate but simply does not work properly because the admins have made some mistake in the setup.
But users have their bookmarks pointing to HTTP, and they need to check their local weather. They have absolutely zero interest that HTTP is "insecure", that their ISP and every intermediate router can see their data or there's a risk for a MITM attack (not that they know what that is anyway).
They never look at the address bar and wouldn't even know what the padlock signifies. They just want to check their weather report.
And they install Vivaldi, they try their usual sites and it breaks.
Then they try in Chrome or in their system default browser (Edge in most cases), it works fine there and they just conclude that Vivaldi is broken and loses a user.
-
@Pathduck said in V 6.7 | Forces HTTPS:
They just want to check their weather report
-
The Settings → Address Bar → Security Features → Always Use Secure Connection (HTTPS) is complete nonsense for me, as it does not deactivate the Forced HTTPS.
When Vivaldi uses forced HTTPS, I fear that users will use another browser such as Ungoogled Chromium, Edge, Firefox or Brave, or leave Vivaldi as their browser.
-
@Pathduck said in V 6.7 | Forces HTTPS:
@yngve The fact remains that there's probably hundreds of thousands of small misconfigured sites like this one out there - where it's listening on 443, has a valid certificate but simply does not work properly because the admins have made some mistake in the setup.
There's an old IETF saying, which used to be a philosophical foundation of internet communications:
"Be strict in what you send, permissive in what you will receive"
The "least damage" attitude to global communications.
Nowadays we have the web browser "ecosystem" nannying us to the "lowest common denominator" of user which would literally punch themselves in the face all day long with their ignorance of the online world, and the internet clients thus dumb the whole process down as if everyone is one of those people. "For their own safety".
Over the last few years I lost count of how many online services "for my safety" forced all sorts of new draconian but effectively pointless or worse than pointless "security theater" measures on my longstanding old accounts that had never had a breach or security issue in decades of ownership. In some cases these measures literally resulted in those accounts getting deleted or wiped because I didn't discover until after the short transition period that if I didn't flip some button or tick some box they would just assume I was dead and delete all my stuff I had collected there over the years over it.
Just lovely.
-
@yngve Yes, Vivaldi uses Forced HTTPS.
But please explain why that happens with FQDNs which have a domain but not with hostnames?
In my LAN the URL mywebserver or http://mywebserver is not redirected to https://mywebserver
But the last has SSL, but not HSTS!
Behaviour of Vivaldi is not really consistent for me.
-
@DoctorG said in V 6.7 | Forces HTTPS:
Always Use Secure Connection
IIRC, and as I have mentioned before, that one takes second place to the HTTPS First now.
-
@DoctorG said in V 6.7 | Forces HTTPS:
In my LAN the URL mywebserver or http://mywebserver is not redirected
At present it seems that Chromium is excluding non-unique hostnames (no domain, or not a registry controlled TLD) from HTTPS First. This seems conditioned on the feature HttpsFirstModeV2ForTypicallySecureUsers, which is currently disabled by default.
-
@yngve Ah, an internal exclusion of unknown TLDs and hostnames, that explains why that works in Vivaldi.
Thanks for background information
-
@Pathduck Something like that, yes. In this case the webpage is mine, although I did not construct it. Some kind soul, another weather enthusiast, programmed everything and even made it user friendly so I and many others could set it up with the many blocks available.
I am simply lacking the necessary knowledge to make the site work as it should - securely. Obviously, there is something wrong, an error somewhere but so far I was unable to find it.
Anyway, thanks for trying to help, I'll keep on digging and hopefully learn a thing or two in the process.
-
Just tested the weather station page yesterday on Linux and Windows (tested with fresh install/profile).
The results:
Never ending load with:
- Vivaldi 6.7.3329.19
- Vivaldi 6.7.3329.21
Loads and does not force Https:
- Chrome 124.0.6367.91
- Chrome Beta 125.0.6422.14
- Chrome Unstable 126.0.6439.0
- Chromium 124.0.6367.78/79
- Edge 124.0.2478.67
- Firefox 125.0.2 (64-Bit)
-
Now the site fails to load completely with Chromium 124.0.6367.119, too.
Oh, works again 124.0.6367.119 Win 11.
-
@yngve said in V 6.7 | Forces HTTPS:
@BunxBun Of course, some server admins want to be difficult, and thus make difficulties for themselves (and their users).
My point is that in normal 80&443 deployments everything on port 80 should be mirrored by port 443; in fact, in most cases the only thing on 80 is a configuration to redirect everybody to 443.
That isn't "some server admins" being difficult.
The ones being difficult are those expecting all websites to encrypt their traffic. There is absolutely zero reason for this and puts undue stress on low power devices and internet connections.
Serving http content over port 80 is perfectly valid.
-
@jure Weatherstation still broken in Vivaldi 6.8 and Chromium 126.
-
@BunxBun said in V 6.7 | Forces HTTPS:
Serving http content over port 80 is perfectly valid.
Yes, as a server admin I agree to this.
That isn't "some server admins" being difficult.
Yes.
The Forced HTTPS mode of Chromium core is a bad "security" feature in some cases.
-
@DoctorG Yes, I know and I am at my wits' end. I have a couple of redirects and I switched off forced HTTPS on my provider's site. For anything else I do not have enough knowledge. All browsers that force HTTPS: will see spinning balls in random blocks, unfortunately.
-
I understand forcing some solutions for greater good but leaving it without option for more advanced users is IMHO really a miss, to say the least.
I have a hosting service that works only on http until the main domain with certificate is not connected. But for webdev this is the last thing to do. This is really a pain in the ass to build a website in your non-main webbrowser.
EVERY webbrowser doesn't have any problem with this but Vivaldi.
If Vivaldi forces you to https anyway, no matter what flag and settings you change - why does the option of "always use secure connection (https)" even exist?
-
@kryllyn A nasty bug, only Vivaldi forcing https.
All others like Firefox, Edge, Chromium, Chrome do not force SSL
-
I am waiting for a fix.
Using Chromium or Chrome or Firefox instead of Vivaldi is not the way I like to work.
-
@DoctorG I understand bugs but as I read it correctly - this is more like by design...?
Let no one get me wrong, I love Vivaldi but that's the reason I'd like to have a choice. By most, Vivaldi was made for ppl that love customizing - to tailor their webbrowser to their needs. So why something so crucial was understated?
And I don't mean taunting any developer here. I love what you do and I really want to stick with this webbrowser as long as possible. But as an average webdeveloper, I meet various servers and I don't have any control over their configuration. I'm paying for those servers and I'm still forced to use a webbrowser of not my choice.
-
@kryllyn said in V 6.7 | Forces HTTPS:
this is more like by design...?
No. Not letting users have a choice is not design, it is broken usability in Vivaldi.