@BleepingComputer : when using untrustworthy networks, use a browser that supports "warn for insecure connections" - and enable it (my advice: do both anyway).

Note that it is near-impossible to redirect an https connection without a certificate error - until said connection has been successfully set up. After that happens, only the target website can redirect the browser.

• Firefox uses a stupid name: "HTTPS-only". That's misleading because it only means that you'll be warned for insecure http connections (which can be enforced and hijacked by an evil twin, when not demanding https).

• Chrome on Android is stupid too: "Always use secure connections" (default: off). Also we'll have to wait one more year for this to become the default: https://security.googleblog.com/2025/10/https-by-default.html.

• Safari on iOS/iPadOS: "Not Secure Connection Warning" (also off by default).

To test: open http://http.badssl.com - your browser should warn you (instead of showing the web page), but allow you to use http.

Important: most browsers will *remember* your choice to allow an insecure connection to a specific website (based on the domain name). The criteria to "forget" such an exception vary per browser.

#AitM #MitM #EvilTwin #HTTPSonly #InsecureConnectionWarning #Firefox #Chrome #Safari

On this matter, the source article for the experimental builds for #HTTPSonly mode by default is here: https://blog.chromium.org/2023/08/towards-https-by-default.html

It's interesting to note that the HTTPS-only mode that #Chrome / #Chromium will provide actually comprises of three main features, one of which is already the default:

• if no protocol like https:// or http:// is typed, default to HTTPS (since 2021)
• HTTPS Upgrades -> if you click on an HTTP page, redirect to HTTPS (if the page exists)
• HTTPS First -> try HTTPS first, show "this page is insecure" message as fallback to go back to HTTP (kinda like HSTS)

(and the insecure downloads thingie, which IMO is pretty minor)

Meanwhile the HTTPS-only mode that #Firefox already ships as a setting and is already enabled by default in Private Tabs has these three features bundled together.