科技回声: a tech news platform built on Next.js, providing global tech news and discussion (Hacker News mirror).

Consider disabling HTTPS auto redirects

26 points, by bradley_taunt, almost 3 years ago

21 comments

josephcsible, almost 3 years ago
This is really misleading and potentially dangerous. Details:

* Even on static sites, HTTPS prevents a MITM from telling what pages you're reading, or introducing falsehoods into the content. It's not "overuse" to use HTTPS there.

* I don't know how the author's server is set up, but a 1-second increase in page load time isn't consistent with load times I've ever measured anywhere else. In fact, there are a lot of HTTPS pages where the *total* load time is less than what's claimed as the *difference* here.

* If you care about sustainable technology, you should be demanding that Apple provide updates for hardware longer, or open-source everything so that the community can. Whether or not the sites you want to visit use HTTPS, using the Internet from a system years behind on security patches is a really bad idea, and not something you should optimize for.

* The specific suggestion of disabling the redirect is exactly equivalent to a MITM attacker running sslstrip, so you're doing a big piece of the bad guy's job for him.

Reply #31895827 (not loaded)
Reply #31897030 (not loaded)
Reply #31895798 (not loaded)
Reply #31895582 (not loaded)
Reply #31895771 (not loaded)
SquareWheel, almost 3 years ago
Not a compelling argument in the least. MITM still means ISPs can track and inject ads, regardless of how static the content is on your website. And the performance argument is completely invalid because it's only measuring total bytes, and doesn't consider HTTP/2 multiplexing.

> It should be mentioned that my personal website is also plain text based and tiny. Imagine the impact of a blog article or research paper with significantly more content.

The larger the website, the *greater* the improvement from using HTTP/2 (which requires TLS). And it doesn't take much data at all to offset that TLS lookup.

This post is justifying bad behavior. The only sites that can afford to remain http are neverssl.com and local development.

Reply #31896247 (not loaded)
davewritescode, almost 3 years ago
One thing that these types of articles always miss is that HTTPS isn't just there to protect user data being submitted to your website. It's also there to make sure that the data you're looking at wasn't modified by a 3rd party without your consent.

The fact that someone technical has missed this is a really good argument for redirecting users from HTTP to HTTPS.

Reply #31895605 (not loaded)
jillesvangurp, almost 3 years ago
I think there are few excuses left for not having https on your website. Having the option of having an http only variant of your website should likewise not be a thing. A redirect is better than a not found error. IMHO those are the two valid responses for a public http website (go away, or go here instead).

As for "updated browsers", anything that doesn't support https (or redirects) in 2022 is not fit for use on the modern internet. Most of the web would in any case be unusable with such a browser already. And essentially everything that shipped in the last 20 years or so would be able to deal with this (with the exception of handling newer TLS versions perhaps). You'd be well advised to not use a browser that hasn't been updated for that long.

If somehow you are using such a browser (why?!), you might want to fix that ASAP. Meanwhile, I'll blindly assume the intersection of those users and this audience (hacker news) is extremely small to non-existent. If that intersection exists at all, it's probably for some esoteric reasons that have nothing to do with an inability to fix the actual problem (like fixing your browser setup) and is by choice rather than by circumstances. Either way, your problem to solve and not something to waste energy on for website maintainers looking to do the right thing.
babypuncher, almost 3 years ago
That is a pretty weak argument for why we should sacrifice privacy. We should continue moving in the opposite direction. Ideally, within 5 years, browsers should send up warning flags whenever the user hits a website that *doesn't* use HTTPS.

They had to go back 20 years to find a browser that does not support TLS. Software that old is going to have other fundamental problems accessing the modern web. The amount of work necessary to make every website actually work on a browser that old is far, far greater than just supporting HTTP.
batch12, almost 3 years ago
So the argument is https has too much overhead and excludes those who can't use updated browsers? Unless I missed it, the article doesn't discuss mitm, nonrepudiation or censorship/privacy concerns.

Reply #31895549 (not loaded)
Reply #31895540 (not loaded)
Reply #31895507 (not loaded)
JoshTriplett, almost 3 years ago
> Let's take an example of the Powerbook G4, which was released in 2002.

> So why force users to toss away perfectly viable devices

If it can't do secure connections, it's not a perfectly viable device.
tarasglek, almost 3 years ago
There are a lot of ISPs, even consumer wifi gateways, that mess with unencrypted traffic. HTTPS is the only way to ensure that the data served is what the user received.

Reply #31895746 (not loaded)
remram, almost 3 years ago
Using HTTPS by default has obvious security benefits, but it's not clear we need a redirect to implement it. We could have leveraged the Alt-Svc header for this instead, which is meant specifically for this. This would allow modern browsers to use HTTPS without preventing older browsers which want to use HTTP from doing so (at their own risk).

Reply #31896211 (not loaded)
Reply #31896064 (not loaded)
sshine, almost 3 years ago
> increases it's overhead by almost 100%.

3.8/2.9 kB is a 31% increase.

1.16/0.62 s is an 87% increase.

But okay, let's round up to 100%.

The article is citing a page that counter-argues this:

> Sites with modern servers load faster over HTTPS than over HTTP because of HTTP/2.

> https://istlsfastyet.com/

---

> But what about sites like https://doesmysiteneedhttps.com? While this website makes a few valid points, it still relies heavily on "fear tactics" that honestly don't apply for the vast majority of users. It's overkill.

Sorry, but not good enough.

1. "a few valid points": you avoid making your visitors liable in oppressive environments (employers, regimes), you avoid very real content injection (commercial or malicious), and you give the visitor a way to know that content wasn't tampered with. That's a few valid points. (The rest are counter-arguments.)

2. "fear tactics": not true. Protecting the integrity of your visitors and your content is nurture, not fear.

3. "don't apply for the vast majority of users": by making HTTPS standard at practically no cost, you make it work for those for whom it matters. Just because I feel safe on Hacker News doesn't mean that any visitor who goes here will be treated fairly by reading my message.
bugmen0t, almost 3 years ago
Pervasive traffic monitoring is an attack and it is an attack being carried out at massive scale. I believe HTTPS is the most meaningful and available method out there to stop this attack.

If your website does not support using HTTPS you are an accomplice in pervasive monitoring.
freitasm, almost 3 years ago
Article suggests using HTTPS Everywhere but it is being deprecated: https://www.eff.org/deeplinks/2021/09/https-actually-everywhere
noodlesUK, almost 3 years ago
I pretty much wholeheartedly disagree with this. HTTPS provides confidentiality, but it also provides integrity, which is arguably much more important for many cases. If you're browsing around on an older (perhaps unpatched) machine, a plaintext HTTP website can easily have malware embedded in it by another person on the wifi network (with ARP spoofing or whatever). It can also have incorrect links (see sslstrip) that impersonate other websites. It used to be that a major UK bank didn't use HTTPS for their homepage, only for their online banking application. You would probably think this is fine, but it's trivially easy to replace the link to said online banking application with one that MITMs you.

Requiring HTTPS also provides another benefit, which is that it stops downgrade attacks. If your site is available in plaintext, I can just block access to the secure version in order to do my nefarious business. The internet is a nasty place these days.
strogonoff, almost 3 years ago
Plain HTTP is synonymous with trust. In an ideal world where no one would snoop or mangle responses, it should be enough.

In our still-imperfect world with potential MITM attacks, sometimes that trust is not warranted. However, one still should be able to choose to trust one's own connection. I don't want this choice to be made for me with no way to appeal.

Reply #31896544 (not loaded)
toast0, almost 3 years ago
One way to manage this is to use HSTS to send modern browsers to https and leave older browsers to whatever they want.

a) put your content on www.example.com because it's important

b) redirect http://example.com to https://example.com because this is required for HSTS preloading. And from there to https://www.example.com because it's important that your contentful urls be at a domain that isn't going to redirect.

c) serve hsts preload headers at least for https://example.com; serve hsts headers for at least https://example.com/favicon.ico

d) set your favicon on all pages to https://example.com/favicon.ico

e) submit to the hsts preloading site

f) remove redirects from http to https on www

Modern browsers with preload built after your site is added would always use https. Modern browsers without the preload will load whatever the first page they hit as http, but pick up the preload from the favicon and future page loads will be https. Resources from the first load will likely be http, depending on favicon loading timing. There's no additional MITM risk for modern browsers, because a MITM could avoid your redirect if an http load is attempted just as well as they could mess with your HTML.

Older browsers can still go to the http version, although inbound links are likely to be https, because people like to cut and paste from the URL bar, and most people are going to have a modern browser with your site preloaded. Users of older browsers would need to edit the url in the URL bar, a skill they'd likely rapidly develop.
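The HSTS/preload setup in the comment above depends on two things being right: the Strict-Transport-Security header itself, and the shape of the redirect chain from the plain-http apex. The following is an added example (not code from the thread or from any of the commenters) that checks both against the published preload-list requirements (max-age of at least one year, includeSubDomains, preload, and a first redirect from http to https on the same host). The header values and redirect chain in it are constructed for illustration.

```python
"""Added example: validate an HSTS header and an apex redirect chain
against the HSTS preload-list requirements (hstspreload.org)."""
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # preload list requires max-age of at least one year


def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security value into its directives.
    Directive names are case-insensitive (RFC 6797), so keys are lower-cased;
    value-less directives such as includeSubDomains map to an empty string."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_preload_issues(header: str) -> list:
    """Return the reasons this header would be rejected for preloading.
    An empty list means the header meets the three header-level rules."""
    d = parse_hsts(header)
    issues = []
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        issues.append("max-age missing or not an integer")
    else:
        if max_age < ONE_YEAR:
            issues.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        issues.append("includeSubDomains directive missing")
    if "preload" not in d:
        issues.append("preload directive missing")
    return issues


def redirect_chain_issues(chain: list) -> list:
    """Check an observed redirect chain, starting at the http:// apex URL.
    The first hop must land on https at the same host (step b above);
    every later hop must stay on https."""
    if len(chain) < 2:
        return ["no redirect observed from the http URL"]
    issues = []
    first, second = urlsplit(chain[0]), urlsplit(chain[1])
    if first.scheme != "http":
        issues.append("chain must start at the http:// apex URL")
    if second.scheme != "https" or second.hostname != first.hostname:
        issues.append("first redirect must go to https on the same host")
    for url in chain[2:]:
        if urlsplit(url).scheme != "https":
            issues.append(f"later hop {url} is not https")
    return issues


if __name__ == "__main__":
    # Constructed inputs modelled on the comment's example.com layout.
    print(hsts_preload_issues("max-age=63072000; includeSubDomains; preload"))
    print(hsts_preload_issues("max-age=300"))
    print(redirect_chain_issues(
        ["http://example.com/", "https://example.com/", "https://www.example.com/"]))
```

The redirect check is deliberately strict about the first hop: a chain that jumps straight from http://example.com to https://www.example.com is the common mistake that gets an apex domain rejected from the preload list, even when every page is otherwise served over TLS.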
jenny91, almost 3 years ago
Confidentiality should be on by default: not just when you enter your credit card details.
elverado, almost 3 years ago
Most modern browsers display a danger warning icon on classic HTTP addresses? Or am I mistaken?

Reply #31895745 (not loaded)
maerF0x0, almost 3 years ago
IMO it's better to close port 80 entirely because many clients will end up sending unencrypted headers and rely on the redirect, not realizing they've exposed themselves.

    ===> HTTP GET /your_api
         Host: passwordleaker.com
         Authorization: Bearer 12312312321
    <=== HTTP/1.0 302 Found
         Location: https://passwordleaker.com/your_api

(but note it's too late)

Reply #31896504 (not loaded)
Reply #31895991 (not loaded)
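The exchange in the comment above shows the failure mode from the wire's point of view: the secret is already in the clear by the time the 302 arrives. As an added example (not code from the thread or from any commenter), the block below covers both sides a defender controls: a detection routine that flags sensitive headers in a captured plaintext request, and a client-side guard that refuses to attach credentials to a non-https URL instead of trusting the server to redirect. The captured request is constructed and uses a placeholder token; the host name is the one from the comment.

```python
"""Added example: detect credentials sent over plain HTTP, and a client
guard that never relies on an http->https redirect to protect them."""
from urllib.parse import urlsplit

# Header names whose values are secrets. If any of these travel over http://,
# the redirect that follows comes too late (see the exchange above).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}


def parse_request(raw: str) -> tuple:
    """Split a raw HTTP/1.x request into (method, target, headers).
    Header names are lower-cased because HTTP header names are case-insensitive."""
    lines = raw.strip().splitlines()
    method, target, *_ = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def plaintext_credential_leaks(scheme: str, raw_request: str) -> list:
    """Return the sensitive header names transmitted in the clear.
    `scheme` is the transport the capture was taken from ('http' or 'https')."""
    if scheme.lower() != "http":
        return []
    _, _, headers = parse_request(raw_request)
    return sorted(h for h in headers if h in SENSITIVE_HEADERS)


def credentials_allowed(url: str, headers: dict) -> bool:
    """Client-side guard: allow the request only if it is https, or if it
    carries no sensitive header. Call this before opening any connection."""
    if urlsplit(url).scheme == "https":
        return True
    return not any(h.lower() in SENSITIVE_HEADERS for h in headers)


# Constructed capture modelled on the exchange in the comment; the token is a
# placeholder, not a real credential.
CAPTURED_REQUEST = """GET /your_api HTTP/1.1
Host: passwordleaker.com
Authorization: Bearer EXAMPLE-PLACEHOLDER-TOKEN
"""

if __name__ == "__main__":
    print(plaintext_credential_leaks("http", CAPTURED_REQUEST))
    print(credentials_allowed("http://passwordleaker.com/your_api",
                              {"Authorization": "Bearer EXAMPLE-PLACEHOLDER-TOKEN"}))
```

The detection half is what you would run over a proxy or packet-capture export of port-80 traffic to find clients that still depend on the redirect; the guard half is the fix on the client, and it is the only one that works regardless of whether the server still answers on port 80.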
theandrewbailey, almost 3 years ago
> By using HTTPS my website increases it's overhead by almost 100%. It should be mentioned that my personal website is also plain text based and tiny. Imagine the impact of a blog article or research paper with significantly more content.

An extra kilobyte. Wow. Such data transfer. What a dealbreaker.

No HTTPS means worse performance, because HTTP 2.0 requires it. HTTP 1.x doesn't have connection multiplexing. When I moved my blog to HTTP 2.0, I noticed that it loaded faster, even when on the same LAN as the server.

> Helpful Tips:

> If users are nervous of links set in standard http:// format, they can add s themselves or better yet, use a browser extension like HTTPS Everywhere (highly recommend)

HTTPS Everywhere won't be supported beyond 2022: https://www.eff.org/deeplinks/2021/09/https-actually-everywhere

Reply #31896116 (not loaded)
dingosity, almost 3 years ago
meh. the reason i like HTTPS is it makes it difficult for unscrupulous ISPs to insert ads and code into my pages. and yeah. bad guys inserting nefarious cookies as well.

it's great the poster hasn't had to deal with such problems, and they're certainly not universal. but they're common enough to just do HTTPS and not worry about it.

also... https is adding half a second to load times? pretty sure this is what QUIC and HTTP/3 were designed for. or move your content to akamai or cloudfront or cloudflare or whatever CDN you're comfortable with.
sebazzz, almost 3 years ago
Say what you will, but HTTPS did kill http compression.

Reply #31900129 (not loaded)