Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

For new sites that is definitely practical. Modern versions of Chrom{e|ium} & Firefox (and other browsers based on them) have defaulted to HTTPS when the protocol is not specified. The only potential issue is if users do specify the protocol and leave the S out, it would be good for browsers to try HTTPS when HTTP fails (though only if it completely fails to connect).


> Modern versions of Chrom{e|ium} & Firefox (and other browsers based on them) have defaulted to HTTPS when the protocol is not specified.

This is not true but it would be nice if it was.

https://news.ycombinator.com/item?id=46443199


Hmm. I am perhaps confusing announced plans, and the effect of the HSTS preload lists, with actually released changes to defaults.

I'll have to install some fresh VMs and see what behaviour I get out-of-the-box with no HSTS cache (and sites not on the preload lists) on various OSs, to correct my understanding.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: