There's no link to more technical detail. What happens when the site I type in the URL bar doesn't support HTTPS? Will it error out? (with a timeout?) Or will it automatically fallback to trying HTTP? (In that case, could a MITM block HTTPS to force the browser to try to downgrade?)
EDIT: I see that the article says it will fall back, but Chrome Canary has options in chrome://flags, and it's not clear which option they picked.
> Omnibox - Use HTTPS as the default protocol for navigations
> Use HTTPS as the default protocol when the user types a URL without a protocol in the omnibox such as 'example.com'. Presently, such an entry navigates to http://example.com. When this feature is enabled, it will navigate to https://example.com if the HTTPS URL is available. If Chrome can't determine the availability of the HTTPS URL within the timeout, it will fall back to the HTTP URL.
The options are: Enabled, Enabled 3 second timeout, Enabled 10 second timeout, and Disabled.
I've found http://neverssl.com very helpful for captive portals. It does what you'd expect - hosts a HTTP-only page that allows captive portals to work correctly.
Since it's only ever HTTP, it sidesteps the certificate errors or HTTP downgrades that normal sites are hit with during captive portal interception.
I am curious what happens to captive portals as HTTPS adoption rises. Some OS's (Android, OSX) already detect captive portals and launch a lightweight webview.
Yep, I use neverssl.com, when I remember it. Though, mostly I use example.com, since that works without SSL as well. I guess now I'll need to remember to type http://example.com .
Based off my experience, more and more captive portals appear to be letting the requests the OS makes to captive.apple.com or whatever through but still try to present a captive portal to the user. I can guess as to the motivation, but as a user it's danged annoying.
It might still be an issue, but this is still a huge improvement. If the browser is going to pick a protocol on behalf of the user, it ought choose a stronger protocol first.
If the browser chooses the stronger protocol it should force the user to opt-in to any fallback behavior which might downgrade security. The current behavior of the browser in most cases is if you enter an 'https' url and the request fails or the cert is invalid you get a failure or warning message. I'd like to see this behavior kept in this case. It communicates what the browser is doing instead of silently downgrading the protocol based upon fuzzy failure signals.
Its a shame but I wish the insecure protocol name was not a prefix of the secure protocol name. Its so easy to miss the 's' and for things to just work for the wrong reason. I guess we have Netscape and Microsoft to blame for this one.
That is a stupid idea, forcing https on people’s throats is a stupid idea generally speaking but it wouldn’t have been that bad if it hadn’t been forced on many people by what is basically a monopoly by this point.
I really don’t get this opinion. The internet isn’t secure — the public internet is by definition an untrusted network assumed to be malicious and openly hostile. There is no safe way to use unencrypted connections on the public internet. None. Doesn’t matter if you are a good admin on your local network, doesn’t matter if you have a good ISP, you have zero guarantee the network path your packets will take and who has the opportunity to observe and modify them.
Look I get it. It’s no fun when the whole class is punished because because bad actors exist. And it’s no fun when someone pressures you into doing something for the benefit of others but not yourself. But the internet is really really different from 20 years ago.
HTTPS is such a scam. It's an obvious ploy to conquer the last corners of the web not yet under corporate control. But apparently calling it "Let's Encrypt" instead of "Let's make your website technically dependent on a Google/Mozilla/Amazon/Facebook-controlled service" is enough to fool people.
It's totally obvious to me that, once HTTPS is mandatory, the next step will be that Let's Encrypt will stop supporting websites that disobey their "content policy" or whatever. It will follow the usual course. First outright illegal things. Then today's "deadly sins" like racism. Then unpopular politicians. And then, whatever they want.
You are literally making a random organization into the censor of the web.
While there are a finite number of trust providers in the HTTPS signed certificate model, "Let's Encrypt" isn't the only one.
But, yes, HTTPS is a trust-rooted security model. It's hypothetically possible to have every cert provider decide you're not trusted. That's kind of in the category of "It's hypothetically possible to have every DNS provider decide you're not trusted" though.
If this is a concern, the solution is probably to come up with an HTTPS modification that allows for decentralized trust, not to set up the average use case of the web to "The user is trusting every machine between their client and the server to be reading their traffic and not acting maliciously on it." Tradeoffs, right?
> What happens when the site I type in the URL bar doesn't support HTTPS?
The article says: "For sites that don’t yet support HTTPS, Chrome will fall back to HTTP when the HTTPS attempt fails."
Yes, a MITM could block this access. This would be an active attack and thus detectable, which is fine if you're the Great Firewall and your existence is government policy but likely to be a problem for some other types of attacker.
In the passive attack case this is strictly better (previously a passive on-path attacker gets to see all the unprefixed URLs typed into a Google that didn't match an HSTS rule it knew, and with this change they do not) in an active attack nothing changes.
"For sites that don’t yet support HTTPS, Chrome will fall back to HTTP when the HTTPS attempt fails."
I hope the slippery slope stops here though and HTTP will not be eradicated in browsers (in which case one would need corporate permission and approval to publish anything).
s_client or curl are not a suitable workarounds for the masses ...
EDIT: I see that the article says it will fall back, but Chrome Canary has options in chrome://flags, and it's not clear which option they picked.
> Omnibox - Use HTTPS as the default protocol for navigations
> Use HTTPS as the default protocol when the user types a URL without a protocol in the omnibox such as 'example.com'. Presently, such an entry navigates to http://example.com. When this feature is enabled, it will navigate to https://example.com if the HTTPS URL is available. If Chrome can't determine the availability of the HTTPS URL within the timeout, it will fall back to the HTTP URL.
The options are: Enabled, Enabled 3 second timeout, Enabled 10 second timeout, and Disabled.
So how will it work, exactly?