When I type example.com
without any scheme into the browser bar and press Enter it is interpreted as HTTP://example.com
, not HTTPS://example.com
. Why? And where are the plans to fix this?
(To be clear, I'm talking only about typed/pasted addresses coming from a "lazy" user, not about software-defined actions such as following scheme-relative URLs, window.location = "url"
etc. And obviously typing/pasting HTTP://example.com
must still work.)
EDIT: As some answers point out sites already can mostly achieve this with redirects + HSTS. The central technical gain would be narrowing the first-connection problem (also addressed by HSTS preload but that can't scale to all sites). I can see how that's a weak justification for breaking things now; what I'm more interested in is whether it's an obvious endgame in 5 years? 10? 20?
I can see several problems on the way to defaulting to https interpretation:
User experience with sites that only work over http. Defaulting to https would show an error but the user usually has no idea whether it should work, i.e. whether this site simply never worked over https or is this a downgrade attack.
If the error page for this situation will contain an easy "did you mean http:...?" link(*), users will get used to clicking that on any site that doesn't work and we haven't gained much(?). And if it's not easy (e.g. user must edit
https
->http
, users won't use such browser.EDIT: I should have clarified that the error indication must be different from explicitly going to an HTTPS address which failed — this scenario is not so much "fail" as "the safe interpretation didn't work". And for starters, even "soft failing" automatically to HTTP with a warning bar on top would be OK.
But I think we still gain 3 things: going to unsecure site is a conscious action, we educate users that unsecure HTTP is not normal, and we put pressure on sites to implement https.
Inconvenience of having to type
http://
in some cases. IMO completely outweighed by convenience of not having to typehttps://
in more cases."Compatibility" with the historical default. I'm not sure if it's enshrined in some standard, but IMO it's clear we'll have to change it some day, so that's not a showstopper.
Politics/economics: the CA system has its issues and browsers might be reluctant to pressure site admins to pay them (if they don't otherwise see value in that). Let's ignore money for a moment and pretend Let's Encrypt free CA has arrived.
I can see why making the change right now can be controversial; what baffles me is why it's not widely discussed as the obvious long-term goal, with some staged plan a-la the SHA-2 certs deprection though maybe slower. What I see seems to assume http will remain default practically forever:
Chrome's move to hiding
http://
in URL bar is a step back. The first step towards https default should have been showing http in red; at some later time eventually move to hidinghttps://
(only showing green padlock)...HSTS moves in the right direction but with cautious per-site opt-in. It's both weaker and stronger — sites opt in to forcing https even for explicit http urls, with no user recourse for errors — but the RFC doesn't even mention the idea that https could be a global default, or that browser default scheme is to blame for bootsrap MITM problem.
I've seen DNSSEC mentioned as future vector for HSTS-like opt-in but again never saw proposals for opt-out...
Also, are there any browsers (or extensions) offering this as an option?