V 6.7 | Forces HTTPS
-
@yngve The fact remains that there's probably hundreds of thousands of small misconfigured sites like this one out there - where it's listening on 443, has a valid certificate but simply does not work properly because the admins have made some mistake in the setup.
But users have their bookmarks pointing to HTTP, and they need to check their local weather. They have absolutely zero interest that HTTP is "insecure", that their ISP and every intermediate router can see their data or there's a risk for a MITM attack (not that they know what that is anyway).
They never look at the address bar and wouldn't even know what the padlock signifies. They just want to check their weather report.
And they install Vivaldi, they try their usual sites and it breaks.
Then they try in Chrome or in their system default browser (Edge in most cases), it works fine there and they just conclude that Vivaldi is broken and loses a user.
-
@Pathduck said in V 6.7 | Forces HTTPS:
They just want to check their weather report
-
The Settings → Address Bar → Security Features → Always Use Secure Connection (HTTPS) is complete nonsense for me, as it does not deactivate the Forced HTTPS.
When Vivaldi uses forced HTTPS, I fear that users will use another browser such as Ungoogled Chromium, Edge, Firefox or Brave, or leave Vivaldi as their browser.
-
@Pathduck said in V 6.7 | Forces HTTPS:
@yngve The fact remains that there's probably hundreds of thousands of small misconfigured sites like this one out there - where it's listening on 443, has a valid certificate but simply does not work properly because the admins have made some mistake in the setup.
There's an old IETF saying, which used to be a philosophical foundation of internet communications:
"Be strict in what you send, permissive in what you will receive"
The "least damage" attitude to global communications.
Nowadays we have the web browser "ecosystem" nannying us to the "lowest common denominator" of user which would literally punch themselves in the face all day long with their ignorance of the online world, and the internet clients thus dumb the whole process down as if everyone is one of those people. "For their own safety".
Over the last few years I lost count of how many online services "for my safety" forced all sorts of new draconian but effectively pointless or worse than pointless "security theater" measures on my longstanding old accounts that had never had a breach or security issue in decades of ownership. In some cases these measures literally resulted in those accounts getting deleted or wiped because I didn't discover until after the short transition period that if I didn't flip some button or tick some box they would just assume I was dead and delete all my stuff I had collected there over the years over it.
Just lovely.
-
@yngve Yes, Vivaldi uses Forced HTTPS.
But please explain why that happens with FQDNs which have a domain but not with hostnames?
In my LAN the URL mywebserver or http://mywebserver is not redirected to https://mywebserver
But the last has SSL, but not HSTS!
Behaviour of Vivaldi is not really consistent for me.
-
@DoctorG said in V 6.7 | Forces HTTPS:
Always Use Secure Connection
IIRC, and as I have mentioned before, that one takes second place to the HTTPS First now.
-
@DoctorG said in V 6.7 | Forces HTTPS:
In my LAN the URL mywebserver or http://mywebserver is not redirected
At present it seems that Chromium is excluding non-unique hostnames (no domain, or not a registry-controlled TLD) from HTTPS First. This seems conditioned on the feature HttpsFirstModeV2ForTypicallySecureUsers, which is currently disabled by default.
-
@yngve Ah, an internal exclusion of unknown TLDs and hostnames, that explains why that works in Vivaldi.
Thanks for the background information.
-
@Pathduck Something like that, yes. In this case the webpage is mine, although I did not construct it. Some kind soul, another weather enthusiast, programmed everything and even made it user friendly so I and many others could set it up with the many blocks available.
I am simply lacking the necessary knowledge to make the site work as it should - securely. Obviously, there is something wrong, an error somewhere but so far I was unable to find it.
Anyway, thanks for trying to help, I'll keep on digging and hopefully learn a thing or two in the process.
-
Just tested the weather station page yesterday on Linux and Windows (tested with fresh install/profile).
The results:
Never-ending load with:
- Vivaldi 6.7.3329.19
- Vivaldi 6.7.3329.21
Loads and does not force HTTPS:
- Chrome 124.0.6367.91
- Chrome Beta 125.0.6422.14
- Chrome Unstable 126.0.6439.0
- Chromium 124.0.6367.78/79
- Edge 124.0.2478.67
- Firefox 125.0.2 (64-Bit)
-
Now the site fails to load completely with Chromium 124.0.6367.119, too.
Oh, works again 124.0.6367.119 Win 11.