this post was submitted on 16 Aug 2023
85 points (90.5% liked)

Technology

55940 readers
4057 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
L4s@lemmy.world
85
Chromium Blog: Towards HTTPS by default (blog.chromium.org)
submitted 11 months ago by Spotlight7573@lemmy.world to c/technology@lemmy.world
32 comments fedilink hide all child comments
 

cross-posted from: https://lemmy.world/post/3301227

Chrome will be experimenting with defaulting to https:// if the site supports it, even when an http:// link is used and will warn about downloads from insecure sources for "high-risk files" (example given is an exe). They're also planning on enabling it by default for Incognito Mode and "sites that Chrome knows you typically access over HTTPS".

you are viewing a single comment's thread
view the rest of the comments
[–] lily@shinobu.cloud 10 points 11 months ago (2 children)

It does specifically say "defaulting to https:// if the site supports it", so I think specifying http will still work if the site doesn't actually support https.

[–] Valmond@lemmy.mindoki.com 5 points 11 months ago

Got a message back from Https, let's switch!

The message:

"Internal nginx routing error."

[–] dust_accelerator@discuss.tchncs.de 2 points 11 months ago* (last edited 11 months ago)

No testing a server side http-to-https upgrade/redirect without reconfiguring your browser. This seems like an unnecessary and bad idea.

This could be easily done better by promoting such server-side configurations as a default.

I mean, why should the browser attempt to correct inappropriately configured servers? Shouldn't they rather be making PRs to NGINX/Apache/CAs or whatever?

Also: can't this be exploited to spoof an unavailable HTTPS and coerce an unencrypted connection?