Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
On first connection to a new site (typed without protocol), try https first (bugzilla.mozilla.org)
15 points by amenghra on April 24, 2015 | hide | past | favorite | 7 comments


This will not break anything as it goes to http if no HTTPS is available. I'm french, and with new laws commings up, i'm more than ever deeple concerned about privacy and freedom of speech. But please remember that HTTPS don't hide where you are seeking informations from, but only content


This will break some websites that are not configured properly -- for example, a server that has several sites but only one of them uses https. Trying https on the other sites would default to the https in use. I've seen this happen on some servers we run internally.

In short, there's no way to know if you're actually seeing the correct https version of the site.


Ok yes you are right, this might break some unproperly configured servers (i also regulary see websites that goes to admin panels when trying to access to secure http), but this while probably last only few weeks or months before the majority of websites fixes it. Anyway, i think this is a good thing, we should have switch to full HTTPS a long time ago and this feature might help.


I assume that's not many sites. And in any case: their configuration is broken, so it'll be time to fix them.

It'll probably be no more than a month before everyone catches up.


I wonder how many websites this will break. A few times in the past I have tried seeing if websites support https and been served a default Apache page or something instead. Still, the more encrypted traffic the better.


I've been using https://www.eff.org/https-everywhere since 2011 (Firefox 3.6 back then) and only rarely see sites that serve a default page or stall with https.

That's anecdata, but to get good data one would have to try to fetch & compare results from both protocols for many websites - perhaps Google or the Internet Archive has done this?

The biggest annoyance for me in using https preferentially is that I often end up with multiple bookmarks for the "same" page, which differ only in their protocol - it would be nice if there were an auto-magic way to upgrade the old http bookmark to the https protocol.


That's because HTTPS Everywhere doesn't blindly attempt HTTPS connections, it redirects based on a massive set of rules. That's also how it accounts for more complex changes than just the protocol portion of the URL, like adding an encrypyted. or ssl. subdomain.

You can see all the rulesets here: https://gitweb.torproject.org/https-everywhere.git/tree/src/...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: