Why does the browser default to HTTP instead of HTTPS?

swiggi

Hello,

I've been annoyed by this thing with typing a domain and waiting for the browser to complete the address with protocol, maybe a subdomain, etc.

When I type 'un.org' and press enter, the address changes to http://un.org
Additional seconds later, the address changes to https://www.un.org.

I expect someone chose this design, and I wonder if they could share the answer to, why not https:// from the beginning in stead of http?

Regards,
Martin

//MODEDIT: edited title for clarity

Pesala

@swiggi If the domain is http:// and not https:// then the latter will produce an error.

If the domain is a secure https:// address, it will redirect from http to https without any error.

Test with aimwell.org, https://aimwell.org, and bbc.co.uk

swiggi

@pesala Thank you for getting back to me.
I understand the consequence of defaulting https. But this is 2022, why would any serious web site be run on http? Also, most/all browsers can fall back to search, it's a design choice. So I'm curious to the arguments behind staying in the past

pafflick

@swiggi said in Why does the browser default to HTTP instead of HTTPS?:

why would any serious web site be run on http?

I guess it's a question you should ask webmasters of those websites. I know it's not a frequent case these days, but if a website doesn't exchange any sensitive data with the user (a read-only kind of site), why would its webmaster care about going through all the hassle of adding/maintaining an SSL certificate?

Anyway, I believe other browsers also default to HTTP when requesting a page, so it's a broader issue...

DoctorG

@swiggi Feel free to force Vivaldi always to https (on your own risk, could break some connection to websites):
Open chrome://settings/security
Enable "Always use secure connections"
Close Settings page

Catweazle

I think that currently is quite irrelevant for security that a page is http or https, it depends only on a certificate that costs a few dollars. The risk of catching malware on these pages is practically the same.

swiggi

@doctorg yeah .. no. That doesn't work, still http first then https
FTR, I've always had "Always use secure connections" activated, works fine - but it does not make Vivaldi start with https before http!

swiggi

@pafflick Thank you for your reply. It doesn't answer my question, though.

When you can make the browser fall back to search, and http is not a frequent case, why not start with https? Also, the already implemented "Always use secure connections" leaves the user with a not too usable screen of choices and warnings, not that it should be the model of how Vivaldi incorporates thing in the future

Besides from that, it really isn't a hassle to add and maintain an SSL certificate. And there are free/unpaid options.
Not everyone is indifferent about the traffic, they generate, and there are other considerations than security. Privacy, for example.

PS: Speaking of translating what's typed in the address bar, when plotting the IP4 or IP6 address of a web domain, it should give the same result as plotting the domain name.tld, shouldn't it?

derDay

@swiggi
feel free to upvote https://forum.vivaldi.net/topic/24165/automatically-attempt-to-make-https-connections

swiggi

@derday Thanks it's 'ed

I hope someone at @vivaldi will spin the wheels on this, since it's a pretty big thing what a user meets every time he or she visits a web site by typing the url in the address bar. @pafflick maybe?

Kobi

@pafflick said in Why does the browser default to HTTP instead of HTTPS?:

@swiggi said in Why does the browser default to HTTP instead of HTTPS?:

why would any serious web site be run on http?

I guess it's a question you should ask webmasters of those websites. I know it's not a frequent case these days, but if a website doesn't exchange any sensitive data with the user (a read-only kind of site), why would its webmaster care about going through all the hassle of adding/maintaining an SSL certificate?

Anyway, I believe other browsers also default to HTTP when requesting a page, so it's a broader issue...

This is false, HTTPs has been being enforced for a good while now, and is considered a security risk to go on HTTP websites.

You even get big red banner warning not to enter a website when it not under HTTPs.

Catweazle

@kobi , I also got seeveral times a red banner in Https pages and also I know a lot of pages Http complet secure, most from OpenSource which devs don't have the money to pay a certificator simply forgot it.
Currently, as I said, Https isn't a guarantee of security, that depends on other factores as a certificate that everyone can buy, also these with bad intentions.
Because of this, Google in the past speaks about to eliminate it compleatly from the URL.
Nowadays the only possibility is to check a unknown URL with Virus Total, before entering to stay save, apart with Blacklight to check Privacy issues, if you want (Microsoft homepage even use keyloggers from Tower Data and a big amount of other tracking methodes, more than most others)

Kobi

@catweazle said in Why does the browser default to HTTP instead of HTTPS?:

@kobi , I also got seeveral times a red banner in Https pages and also I know a lot of pages Http complet secure, most from OpenSource which devs don't have the money to pay a certificator simply forgot it.
Currently, as I said, Https isn't a guarantee of security, that depends on other factores as a certificate that everyone can buy, also these with bad intentions.
Because of this, Google in the past speaks about to eliminate it compleatly from the URL.
Nowadays the only possibility is to check a unknown URL with Virus Total, before entering to stay save, apart with Blacklight to check Privacy issues, if you want (Microsoft homepage even use keyloggers from Tower Data and a big amount of other tracking methodes, more than most others)

If you getting big red banners on HTTPs, you clearly need to check your certificate store and what websites you trying to enter.

Google removed HTTPs from the link, cause is enforcing HTTPs with no support for HTTP.

Catweazle

@kobi , as you say, depends of the certificate of the page, a certificate that also can buy a page with malware to show a https in tje URL.
In the past was a guarantee of security, but currently it isn't. I can put here several pages insecure Https and others with http without problems, despite it show not secure in the adressbar. f.Exmpl. te known old OpenSource Browsergame OpenLara
VT analysis

VT analysis of a Https page I tried some days ago, also seen dozends of worse ones.

If you don't know a link, don't trust the Https, most phising pages put a Https in the URL, because of this are filters in the ad and trackerblocker, not by Http or Https.

Kobi

@catweazle said in Why does the browser default to HTTP instead of HTTPS?:

@kobi , as you say, depends of the certificate of the page, a certificate that also can buy a page with malware to show a https in tje URL.
In the past was a guarantee of security, but currently it isn't. I can put here several pages insecure Https and others with http without problems, despite it show not secure in the adressbar. f.Exmpl. te known old OpenSource Browsergame OpenLara
VT analysis

VT analysis of a Https page I tried some days ago, also seen dozends of worse ones.

If you don't know a link, don't trust the Https, most phising pages put a Https in the URL, because of this are filters in the ad and trackerblocker, not by Http or Https.

You seem to misunderstand the purpose of HTTPs, is not to stop malicious websites, but to encrypt your traffic.

Catweazle

@kobi , yes, I understand, but encrypted conection is relevant in pages where you put personal information, not so in pages, like the mencioned Game, or sites like Wikipedia or similar. Pages like your Bank, apart of Https have other protections, what you can see in the Adress bar.

What I mean is that only Https isn't anymore a guarantee of security. For phising or malware is irrelevant a encrypted conection or not.
It's good to encrypt messages between your friends, family, company or mail, there is the only moment where Https is important to avoid that private information can be intercepted by others, but irrelevant between you and a page with malware. Because of this you have the aditional protection by the browser, extensions, DNS or any encryptation and security soft who put a red flag in contaminated pages Https and Http.

pafflick

@kobi said in Why does the browser default to HTTP instead of HTTPS?:

This is false

Can you point out which part you think is "false" exactly?

@kobi said in Why does the browser default to HTTP instead of HTTPS?:

is considered a security risk to go on HTTP websites.

Could you please elaborate on how exactly is going to an HTTP website considered a "security risk" if the user is not sending any data to said website?

@kobi said in Why does the browser default to HTTP instead of HTTPS?:

You even get big red banner warning not to enter a website when it not under HTTPs.

Not sure which browser shows "big red banners", but I tried opening one such website in Edge, and it just shows a warning on the URL bar but connects with the site fine otherwise.

Catweazle

Big red banner like this one in Https

Another tested downloads from a Https site (one of the worst I know)
https://www.virustotal.com/gui/file/75b209b3bb747037792b6c7a10a0a123fab23ed4ed17b937c240ddc45ff8f6ee/detection

Marylin

This post is deleted!