cross-posted from: https://lemmy.world/post/3301227

Chrome will be experimenting with defaulting to https:// if the site supports it, even when an http:// link is used and will warn about downloads from insecure sources for “high-risk files” (example given is an exe). They’re also planning on enabling it by default for Incognito Mode and “sites that Chrome knows you typically access over HTTPS”.

  • LordXenu@artemis.camp
    link
    fedilink
    arrow-up
    19
    ·
    1 year ago

    Pushing traffic to https isn’t the worst thing. My ask would be to have a toggle to disable due to local development or server deployments where http/port 80 is the only choice.

    • LittleLily@shinobu.cloud
      link
      fedilink
      English
      arrow-up
      8
      ·
      1 year ago

      It does specifically say “defaulting to https:// if the site supports it”, so I think specifying http will still work if the site doesn’t actually support https.

      • dust_accelerator@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        No testing a server side http-to-https upgrade/redirect without reconfiguring your browser. This seems like an unnecessary and bad idea.

        This could be easily done better by promoting such server-side configurations as a default.

        I mean, why should the browser attempt to correct inappropriately configured servers? Shouldn’t they rather be making PRs to NGINX/Apache/CAs or whatever?

        Also: can’t this be exploited to spoof an unavailable HTTPS and coerce an unencrypted connection?