Mastodawn

EDIT: seems to depend on the version. I tested it on 135.x on Debian, another person tested it on unspecified but probably newer version on macOS. Others report other behaviour. Weird.

---

Yes, this happens also in Chromium.

No idea when the change was made, I don't usually use Chrome/Chromium. Might have been years, in fact. I am not saying this is new, I am saying this is dumb.

No, it does not happen in Firefox.

The reason this bugs me is because this does very little to enhance anyone's security today, while at the same time it flat-out refuses to do what the person using the software explicitly told the software to do.

Compare with the "expired certificate" warning. User's intent is to visit a HTTPS site, but the HTTPS is broken due to expired cert. This can also be an attack. Makes perfect sense to have a scary warning!

Here, user's intent is to visit a HTTP site. HTTP is working. But nope!

Yes, HTTP is not secure. Most sites should really just switch to HTTPS – but newsflash, they already have!

Making it impossible to visit pure HTTP sites means that plenty of old sites, which might still have plenty of value today, become simply inaccessible.

At the same time, if a user clicks on a HTTP phishing link, they might just as well click on a HTTPS phishing link. 🤷‍♀️

Can I come up with a hypothetical scenario where this kind of forced scheme change saves someone from a an attack? Sure I can!

gmail[.]com DNS is hijacked in $COUNTRY. Alice clicks on a http:// link to gmail[.]com, and reaches a phishing site. Provides credentials, game over. Force-switching to https:// thwarts the attack.

You know what else thwarts the attack? HSTS – not the first time Alice visited gmail[.]com. Plus, that domain is 100% on the HSTS preload list.

Also, DNSSEC could help.

The hijacked site might be less popular and not on HSTS preload list, sure. But then the pay-off is way smaller for the attacker – is it worth hijacking DNS?

The attacker also *still* has to navigate HSTS headers probably already cached in the browser.

I simply don't see how forcing HTTPS directly by the browser meaningfully improves security for anyone.

But I can see how it makes a large part of the old Web inaccessible.

So, #FuckGoogle.

silmeth 🇺🇦May 7, 2025

@rysiek Makes also quick local testing when you start your own server on localhost, or try to log into some behind-NAT local admin pabel, etc. impossible.

I don’t want to issue self-signed certs for private IPs for one-off temporary services only to have the browser allow me to visit them.

Brett Sheffield (he/him)May 6, 2025

@rysiek "while at the same time it flat-out refuses to do what the person using the software explicitly told the software to do"

Exactly this. I expect software to do what I ask of it, not try to interpret my intent.

https://support.mozilla.org/en-US/kb/https-first

draeath May 6, 2025

@rysiek for clarity re: Firefox

It can actually do this if you want it to, but the default is, I believe, to try https first and quietly fall back unless the user specified http.

This is new behavior and seems like a sane way to do it, too.

HTTPS-First upgrades to secure connections | Firefox Help

From version 136, Firefox implements HTTPS-First and always attempts to connect securely. If a secure connection fails it falls back to an insecure connection.

cwicseolfor (has moved!)May 6, 2025

@draeath @rysiek I want to say prior versions had a settings toggle to do this by default or not and post a warning with a click-through whenever the https wasn’t available.

kajer :notverified:May 6, 2025

@cwicseolfor @draeath @rysiek about:config has an option for this but in my experience with how Mozilla did this it quickly tries http before switching to https. I have a few internal http sites and it generally tries 80 when I want it to.

Chrome completely bypassing any attempts on the url is dumb. At least Mozilla seems to try/warn first.

Does passing :80 as part of the URI work? I haven't used chrome for years...

superbeelavaman May 6, 2025

@kajer iirc, chrome just slices off the :80 when you have it in the address bar, before it does anything else with the url, meaning it won't even remember that you included that in the address bar

Ge0rG May 8, 2025

@kajer
Firefox trying :80 briefly before switching to https is a well intended feature that backfires every single time you reboot an embedded device. Reloading too quickly silently moves you to a port that will never listen. There should be an anti HSTS of sorts...
@cwicseolfor @draeath @rysiek

kajer :notverified:May 8, 2025

@ge0rg @cwicseolfor @draeath @rysiek

firefox/librewolf have this thing where you can change settings under the hood.

Try changing browser.fixup.fallback-to-https to false and try again.

Yes, this is global and not exclusive to your ONE dev thing you need constant http:// on, but hey, you're an adult and can make your own bad decisions. (that's a good thing)

draeath May 8, 2025

@kajer @ge0rg @cwicseolfor @rysiek you can always use the profile manager to keep a separate profile for that sort of thing. It's not a feature people use often, so easy to overlook.

Maya May 6, 2025

@draeath @rysiek Firefox supported HSTS in an annoyingly correct fashion for a while, while Chrome didn't, so even if you had that 'HTTPS-only' or 'automatically upgrade' options disabled you could find your HTTP connection to a subdomain resource being upgraded to HTTPS if the HSTS policy on the parent domain has includeSubDomains.

This broke internal websites at my $DAYJOB.

@Mayabotics What do you mean? According to RFC 6797 there are only two options for HSTS, the maximum age and include subdomains. So how did Chromium work incorrectly if it applied the policy to all subdomains if specified?

@draeath @rysiek

Maya May 7, 2025

@waldi @rysiek @draeath At the time, Chrome wasn't honoring includeSubdomains for the internal subdomains that I tested, while Firefox was. (I remember it driving me nuts for months, because the affected internal URLs would be force upgraded to HTTPS and then fail to load in Firefox if I used their FQDN, while relative hostnames would allow HTTP access.)

Oddly I'm now seeing the opposite behavior when I just checked, so I suspect there is either some nuance to HSTS policy querying & caching that I'm unaware of because I don't regularly work with web tech, or our IT department has been trying different browser policies over the past year. (Or both.)

sijmen May 6, 2025

@rysiek You can also make Firefox behave kind of like this, but it does have a proper error message allowing the user to fall back

@vijfhoek yup! I'm on the fence about this particular implementation, but it is definitely way more acceptable and sane than what Chrome/Chromium is doing!

sijmen May 6, 2025

@rysiek the only real problem I've had with this was that the http-to-https redirect broke for some website I was maintaining, just showing a plain text "404 page not found", and I didn't notice until a user told me weeks later

spstanley May 6, 2025

@rysiek @davepolaschek Google claims Chrome has done this since 2020, and it takes extra work to get it to stop doing that for localhost. Side note, Chrome has been banned in our workplace due to security issues involved in using Chrome. 😂

@spstanley lol. Yeah, I don't usually use Chrome. This just came up because somebody else stubbed their toe on this.

@davepolaschek

Spoon May 6, 2025

@spstanley @rysiek @davepolaschek I would like to know more details here, if you don't mind sharing: what kind of issues? I like to have concrete examples to leverage when pushing against use of Chrome.

Stephen Borrill May 6, 2025

@rysiek I've just tried and it's not doing it for me (Windows 10, Chrome 136) - even for https sites with HSTS

I did have something very similar with Firefox though. It sometimes caches that it has done this and then will persistently do it in future. I have an internal http-only site and one day it decided to always switch to https (unless I accessed by IP address). What I did was to to reset site settings (which lost auto-complete, etc.).

@sborrill interesting. I am going to guess there is a setting somewhere, which might have gotten disabled.

I tested this on a pure Chromium install with no manual overrides.

Lazarou Monkey Terror 🚀💙🌈May 6, 2025

@rysiek so glad I switched to Vivaldi a few months ago. Never looked back.
#Vivaldi

ThePfromtheO May 6, 2025

@Lazarou @rysiek
I tried this in #VivaldiBrowser and didn't have any problem
For example, found on the Internet that http://darksouls.wikidot.com/ uses http, and I was able to access it.
There happened nothing the OP said that 𝘸𝘰𝘶𝘭𝘥 𝘩𝘢𝘱𝘱𝘦𝘯.

Dark Souls Wiki - Dark Souls Wiki

ThePfromtheO May 6, 2025

@Lazarou @rysiek
And the same thing in 𝗣𝗨𝗥𝗘 𝗖𝗵𝗿𝗼𝗺𝗲
@rysiek did you tweak a setting, maybe?

@ThePfromtheO @Lazarou nope, I was using default settings in a clean VM.

And that's after a person independently reported it to me as a problem.

ThePfromtheO May 6, 2025

@rysiek @Lazarou
Maybe it was a Chromium version we don't have yet? #VivaldiBrowser needs about two weeks to remove the #Google crap from the #Chromium code so they can update the #browser to the latest Chromium version.

@ThePfromtheO @Lazarou no clue, honestly. I'd have to check which version it was, but it's not the bleeding edge, that's for sure.

0x575446, Fifth Columnist May 6, 2025

@rysiek This would break a bunch of my IoT home automation hardware that only serves HTTP from the device firmware. Why the hell would I bother with HTTPS for a whole bunch of services that I run that aren't available from the WAN side of my router?

Shdwdrgn May 6, 2025

@0x575446 @rysiek I was just thinking about this for common devices like printers or routers -- things that have no business being available on the WAN and likely couldn't have an SSL cert anyway.

Jeremy 🇨🇦May 6, 2025

@rysiek how does this work for local network? Like if I host a small server on localhost, does this try to push me into using HTTPS?

patricus May 6, 2025

@rysiek chrome is a trashy spyware browser anyway try brave instead.

@patricus @rysiek Boah, the Brave that rewrote affiliate links in the browser? And is handled by Nazis?

patricus May 7, 2025

@waldi @rysiek I'd rather use this than google browser

Daniël Franke

May 6, 2025

@rysiek I mean, that's a setting in firefox that I turn on instinctively, and maybe it's good to have that opt-out, is it opt-out?

/mərˈkjʊriəl/May 6, 2025

@rysiek this feels rather anti-selfhost

Bill Zaumen May 6, 2025

@rysiek Banning HTTP is a mistake. Examples: (1) my domain registration provides an HTTP page that simply redirects to an HTTPS one on a different web site. (2) I have a Jellyfin media server running in a Docker container, and it uses HTTP so users can configure it using a browser.. (3) I have some applications I run locally that start embedded web servers, using HTTP, just when I need one. The web servers are not accessible outside my home and are started only when I need them.

Bill Zaumen May 6, 2025

@rysiek Another example of why you want browsers to allow HTTP URLs: I have a graphics editor named EPTS. It can display the manual in a window, but can also start an embedded HTTP web server that allows the documentation to be viewed using a browser. If you don't have Internet access but can set up a wifi hotspot, you can use a second computer to view the documentation.

Xeniac May 6, 2025

@rysiek The WebUI of my Switch only supports #tls1_0. For this reason I disabled #https , because http sites are easier to access via #firefox then unsafe encrypted sites. 😎

Irina May 6, 2025

@rysiek At least Firefox asks "this doesn't resolve, probably because there's only a http:// site, proceed?"

Götz Hoffart May 6, 2025

@rysiek I operate a page that’s only available via HTTP (and has never been on HTTPS). It still loads fine in Chrome 136.0.7103.93 and 136.0.7103.48, so this doesn’t fit to your conclusions that Chrome wouldn’t do that any longer.

Did you try Chrome in a “fresh” environment, i.e. new user, new install?

@goetz yes, in a clean VM.

waldi May 6, 2025

@rysiek Which version?

SpaceLifeForm May 6, 2025

Chrome is a joke.

@rysiek I have ESP32 things on my network that cannot do SSL, and do not need to do SSL. That's so annoying.

@neko @rysiek If you type in the name without http://, it gives you a warning first? Or which behaviour? Because at least for me it is still unclear what the OP saw.

Neko

May 7, 2025

@waldi Sorry if my comment was misleading, I prefer Firefox myself and haven't tried replicating OP's behaviour.