cross-posted from: https://lemmy.world/post/3301227

Chrome will be experimenting with defaulting to https:// if the site supports it, even when an http:// link is used and will warn about downloads from insecure sources for “high-risk files” (example given is an exe). They’re also planning on enabling it by default for Incognito Mode and “sites that Chrome knows you typically access over HTTPS”.

    • Buddahriffic@lemmy.world
      link
      fedilink
      English
      arrow-up
      26
      arrow-down
      4
      ·
      1 year ago

      Is this just general advice? If so, I agree, but if it’s specific to this, what’s the problem you see with it?

      • thantik@lemmy.world
        link
        fedilink
        English
        arrow-up
        28
        arrow-down
        1
        ·
        1 year ago

        Google has shown that they’re going to go the Microsoft strategy with Browser control. So long as they have majority control, that means they can be as anti-user as they would like, but since everything is downstream of chromium, everyone just basically accepts it. Everything from Google AMP (which was their attempt to take over the web in whole), to their new “Web Integrity API” which aims to lock out any competitors.

        • Buddahriffic@lemmy.world
          link
          fedilink
          English
          arrow-up
          8
          ·
          1 year ago

          Agreed, but to clarify, I was asking if there was an issue with this specific change (always using https if it’s available even if the URL uses http), as it does seem to be a positive that makes me wonder why it’s only happening now.

      • gravitas_deficiency@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        2
        ·
        1 year ago

        If we have to pick just one reason: WEI. As someone who’s been a professional software engineer for a decade and a half, this has the potential to mutate and ruin the internet at large in ways we’re only beginning to fully explore and understand.

    • Engywuck@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      12
      ·
      1 year ago

      I’ll keep using Brave because I like it. Thank you for your concern.

    • Spotlight7573@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      20
      ·
      1 year ago

      It does if you just type in something like wikipedia.org . This most recent change they’re working on is so that a link on a page to:

      http://wikipedia.org will get redirected to https://wikipedia.org if the site supports it.

      This will fix a bunch of old links that are still floating around on various sites, forums, etc and keep people on https, instead of doing the https -> http -> https redirect bouncing around that can happen now.

      • jacaw@lemmy.ml
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        3
        ·
        1 year ago

        Ah, that’s a great feature. Hope this comes to Brave soon.

        • Synthead@lemmy.ml
          link
          fedilink
          English
          arrow-up
          10
          arrow-down
          1
          ·
          1 year ago

          I disagree. While in practice, this is often the same website, it is a different protocol and a different port. It just happens to use the same DNS address. You’re explicitly giving your browser a FQDN, and it is ignoring it and doing something else.

          I hope this feature can be disabled. Google has been ignoring the W3C and has shipped proprietary, insecure features in their chromium engine for a while now, so it wouldn’t surprise me if they made it permanent 🤷

          • lolcatnip@reddthat.com
            link
            fedilink
            English
            arrow-up
            9
            ·
            1 year ago

            What kind of monster would deliberately serve different content for http and https versions of the same URL?

            • Synthead@lemmy.ml
              link
              fedilink
              English
              arrow-up
              8
              ·
              1 year ago

              I agree. That would be absurd.

              However, I don’t like not having the option of using HTTP if I want to use it. It’s okay if the webserver redirects me, but I don’t like if my browser does it when I didn’t tell it to. I might want this when doing development, port tunneling, VPN stuff, etc. In most cases, it won’t matter, but when it does, it will be a pain in the ass.

              • dust_accelerator@discuss.tchncs.de
                link
                fedilink
                English
                arrow-up
                4
                ·
                1 year ago

                Imagine you want to test your redirect from 80 to 443 when setting up your webserver.

                While I think for the normal user this enhances security by defaulting to HTTPS, however this makes no sense for a browser. This should be enforced server side, the browser is for browsing, i.e. viewing. Not controlling and competing with the server software for competency.

                Chromium is really leaning into bad code practice with the disregard for “separation of concerns”.

                • Spotlight7573@lemmy.worldOP
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  1 year ago

                  If it’s enforced server-side, then there’s still an initial connection that is unsecured and can potentially be intercepted/modified before it gets to the redirect from 80 to 443.

            • Valmond@lemmy.mindoki.com
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              1 year ago

              I have, and for quite some time when I was trying to set Https up.

              It’s really bad IMO to “decide what the user wants” even if this is both discussable and a very small step, it is a step towards that.

  • LordXenu@artemis.camp
    link
    fedilink
    arrow-up
    19
    ·
    1 year ago

    Pushing traffic to https isn’t the worst thing. My ask would be to have a toggle to disable due to local development or server deployments where http/port 80 is the only choice.

    • LittleLily@shinobu.cloud
      link
      fedilink
      English
      arrow-up
      10
      ·
      1 year ago

      It does specifically say “defaulting to https:// if the site supports it”, so I think specifying http will still work if the site doesn’t actually support https.

      • dust_accelerator@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        No testing a server side http-to-https upgrade/redirect without reconfiguring your browser. This seems like an unnecessary and bad idea.

        This could be easily done better by promoting such server-side configurations as a default.

        I mean, why should the browser attempt to correct inappropriately configured servers? Shouldn’t they rather be making PRs to NGINX/Apache/CAs or whatever?

        Also: can’t this be exploited to spoof an unavailable HTTPS and coerce an unencrypted connection?

    • Spotlight7573@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      14
      ·
      1 year ago

      I’m not sure which thing you’re referring to.

      If it’s between http and https, the s stands for secure and the connection to the server is authenticated and encrypted.

      • hoshikarakitaridia@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Just to expand on that, it’s a very basic encryption, but it provides a little bit of a safe standard. When ppl talk about “encrypted communication” they usually talk about more than that. For example, apps like telegram use some more advanced encryption iirc.

        • SimplePhysics@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          5
          ·
          edit-2
          1 year ago

          The latest version of TLS (used in the latest version of HTTPS), 1.3, is very secure. Most websites these days support 1.3/128 bits, making it quite hard to crack. One major weakness of HTTPS is that, if a certificate authority is compromised, the hackers can issue certificates for ANY website, which browsers will accept as secure until the certificates are revoked/expired/CA removed from trusted list in browser. This loophole can also be exploited by nation states (forcing the CA to issue certificates).

          If you are doing something really private, use something like Matrix (E2EE mode), Signal, or Telegram (E2EE DM).

          TLDR: Modern HTTPS is incredibly secure, except there is a loophole that nation states and hackers can exploit if they compromise/gain control of an approved certificate authority. If you are doing something you really dont want anyone to find out (top secret files), use an encrypted service that does not rely on the TLS/SSL/HTTPS stack.

          Oh, there was an effort to solve above loophole, I’m not sure if it got anywhere though.

          Edit: the point of my comment is to state that HTTPS encryption isn’t necessarily weak, just the handshaking process has some problems.

          • tabular@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Is there a secure option that uses all the features minus the 3rd party certificate parts?

            • SimplePhysics@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              3
              ·
              edit-2
              1 year ago

              No, they were working on a solution a while ago, where a website would list what CA it used so you couldn’t get a random CA to issue a cert, but that effort was abandoned iirc.

  • dan1101@lemm.ee
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Their Googlebot has been pushing https hard for years. I really don’t see the point for mundane sites with no sensitive or controversial content, but there is no way to fight Google so like a good little site operator I go along if I want to be in Google search results.