cross-posted from: https://lemmy.world/post/3301227

Chrome will be experimenting with defaulting to https:// if the site supports it, even when an http:// link is used and will warn about downloads from insecure sources for “high-risk files” (example given is an exe). They’re also planning on enabling it by default for Incognito Mode and “sites that Chrome knows you typically access over HTTPS”.

  • dust_accelerator@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    No testing a server side http-to-https upgrade/redirect without reconfiguring your browser. This seems like an unnecessary and bad idea.

    This could be easily done better by promoting such server-side configurations as a default.

    I mean, why should the browser attempt to correct inappropriately configured servers? Shouldn’t they rather be making PRs to NGINX/Apache/CAs or whatever?

    Also: can’t this be exploited to spoof an unavailable HTTPS and coerce an unencrypted connection?