HTTPS by default

120 comments

·October 28, 2025

tialaramex

I have had HTTPS-by-default for years and I can say that we're past the point where there's noticeable year-to-year change for which sites aren't HTTPS. It's almost always old stuff that pre-dates Let's Encrypt (and presumably just nobody ever added HTTPS). The news site which stopped updating in 2007, the blog somebody last posted to in 2011, that sort of thing.

I think it's important to emphasise that although Tim's toy hypermedia system (the "World Wide Web") didn't come with baked in security, ordinary users have never really understood that. It seems to them as though http://foo.example/ must be guaranteed to be foo.example, just making that true by upgrading to HTTPS is way easier than somehow teaching billions of people that it wasn't true and then what they ought to do about that.

I am reminded of the UK's APP scams. "Authorized Push Payment" was a situation where ordinary people think they're paying say, "Big Law Firm" but actually a scammer persuaded them to give money to an account they control because historically the UK's payment systems didn't care about names, so to it a payment to "Big Law Firm" acct #123456789 is the same as a payment to "Jane Smith" acct #123456789 even though you'd never get a bank to open you an account in the name of "Big Law Firm" without documents the scammer doesn't have. To fix this, today's UK payment systems treat the name as a required match not merely for your records, so when you say "Big Law Firm" and try to pay Jane's account because you've been scammed, the software says "Wrong, are you being defrauded?" and so you're safe 'cos you have no reason to fill out "Jane Smith" as that's not who you're intending to give money to.

We could have tried to teach all the tens of millions of UK residents that the name was ignored and so they need other safeguards, but that's not practical. Upgrading payment systems to check the name was difficult but possible.

sam_lowry_

I run my blog in unencrypted HTTP/1.1 just to make a point that we do not have to depend on third parties to publish content online.

And I noticed that Whatsapp is even worse than Chrome, it opens HTTPS even if I share HTTP links.

vhcr

Depend on one less third party, you still depend on the DNS Root servers, your ISP / hosting, domain registry, etc.

MYEUHD

Host an onion website at home using solar energy, and the only third party your website will depend on is your internet provider :)

sam_lowry_

Let's Encrypt pushes me to run its self-updating certbot on my personal server, which is a big no-go.

I know about acme.sh, but still...

michaelt

CAs are uniquely assertive about their right to cut off your access.

My hosting provider may accidentally fuck up, but they'll apologise and fix it.

My CA fucks up, they e-mail me at 7pm telling me I've got to fix their fuck-up for them by jumping through a bunch of hoops they have erected, and they'll only give me 16 hours to do it.

Of course, you might argue my hosting provider has a much higher chance of fucking up....

kevstev

There are dozens of us I guess that care about this kind of thing. I have never really understood the obsession with https for static content that I don't care if anyone can see I am reading like a blog post. HTTPS should be for things that matter, everything else can, and think should use HTTP when it is not necessary.

Depending on yet another third party to provide what is IMHO a luxury should not be required, and I have been continually confused as to why it is being forced down everyone's throat.

IgorPartola

It’s static while you control it. Soon as I MIIT your content it will look to your users like you updated your site with a crypto miner and a credit card form. You can publish your site with a self-signed key if you’d like and only depend on your ISP/web host provider, DNS provider, domain registrar, and the makers of your host OS and web server and a few dozen other things.

ozim

You just clearly don’t understand it is important that no one injects anything into your code while I am browsing it.

With http it is trivial.

So you say you don’t care if my ISP injects whole bunch of ads and I don’t even see your content but only the ads and I blame you for duping me into watching them.

Nowadays VPN providers are popular what if someone buys VPN service from the shitty ones and gets treated like I wrote above and it is your reputation of your blog devastated.

cle

There are good arguments for it, but it's also not a coincidence that they happen to align with Google's business objectives. Ex it's hard to issue a TLS cert without notifying Google of it.

kstrauser

> HTTPS should be for things that matter

If that were the universal state, then it would be easy to tell when someone was visiting a site that mattered, and you could probably infer a lot about it by looking at the cleartext of the non-HTTPS side they were viewing right before they went to it.

kaoD

Just because you don't care doesn't mean nobody cares. I don't want anyone snooping on what I browse regardless of how "safe" someone thinks it is.

My navigation habits are boring but they are mine, not anyone else's to see.

A server has no way to know whether the user cares or not, so they are not in a position to choose the user's privacy preferences.

Also: a page might be fully static, but I wouldn't want $GOVERNMENT or $ISP or $UNIVERSITY_IT_DEPARTMENT to inject propaganda, censor... Just because it's safe for you doesn't mean it's safe for everyone.

bigstrat2003

Agreed. I think that the push to make everything HTTPS is completely unnecessary, and in fact counterproductive to security. By throwing scary warnings in front of users when there is no actual security threat, we teach users that the scary warnings don't matter and they just should click past them. Warning when a site doesn't use TLS is a clear cut case of crying wolf.

Ajedi32

Do you depend on a DNS root server to map your website name to your IP address? That's a third party.

There are ways to remove that dependency, but it's going to involve a decentralized DNS replacement like Namecoin or Handshake, many of which include their own built-in alternatives to the CA system too so if "no third parties" is something you truly care about you can probably kill two birds with one stone here.

cube00

Registrar is the big one, if yours decides to do a Google and randomly ban you and automatically decline your appeal with AI, you're stuffed.

bullen

I made this to redirect HTTPS to HTTP with whatsapp:

https://multiplayeronlinestandard.com/goto.html (the reason for the domain is I will never waste time on HTTPS but github does it automatically for free up to 100GB/month)

shadowgovt

Doesn't that mean that technically, any node in the network between you and your reader can mutate the contents of the blog in-transit without anyone being the wiser (up to and including arbitrary JavaScript inline injection)?

Probably a low-threat security risk for a blog.

bsilvereagle

Yes, hotels were injecting ads on their free WiFi - https://news.ycombinator.com/item?id=3804608

sam_lowry_

I'd be happy if EU outlawed this instead of outlawing encryption.

But indeed, the ability to publish on my own outweights the risk of someone modding my content.

Most of us here read their news from work laptops, where the employer and their MiTM supplier are a much bigger threat even for HTTPS websites.

null

[deleted]

1vuio0pswjnm7

That's a good point to make, IMHO

What is funny about HTTPS is that early arguments for its existence IIRC were often along the lines of protecting credit card numbers and personal information that needed to be sent during e-commerce

HTTPS may have delivered on this promise. Of course HTTPS is needed for e-commerce. But not all web use is commercial transactions

Today, it's unclear who or what^2 HTTPS is really protecting anymore

For example,

- web users' credit card numbers are widely available, sold on black markets to anyone; "data breaches" have become so common that few people ask why the information was being collected and stored in the first place nor do they seek recourse

- web users' personal information is routinely exfiltrated during web use that is not e-commerce, often to be used in association with advertising services; perhaps the third parties conducting this data collection do not want the traffic to be optionally inspected by web users or competitors in the ad services business

- web users' personal information is shared from one third party to another, e.g., to "data brokers", who operate in relative obscurity, working against the interests of the web users

All this despite "widespread use of encryption", at least for data in transit, where the encryption is generally managed by third parties

When the primary use of third-party mediated HTTPS is to protect data collection, telemetry, surveillance and ad services delivery,^1 it is difficult for me to accept that HTTPS as implemented is primarily for protecting web users. It may benefit some third parties financially, e.g., CA and domainname profiteers, and it may protect the operations of so-called "tech" companies though

Personal information and behavioral data are surreptitiously exfiltrated by so-called "tech" companies whilst the so-called "tech" company's "secrets", e.g., what data they collect, generally remain protected. The companies deal in information they do not own yet operate in secrecy from its owners, relentlessly defending against any requests for transparency

1. One frequent argument for the use of HTTPS put forth by HN commenters has been that it prevents injection of ads into web pages by ISPs. Yet the so-called "tech" companies are making a "business" out of essentially the same thing: injecting ads, e.g., via real-time auctions, into web pages. It appears to this reader that in this context HTTPS is protecting the "business" of the so-called "tech" companies from competition by ISPs. Some web users do not want _any_ ads, whether from ISPs or so-called "tech" companies

2. I monitor all HTTPS traffic over the networks I own using a local forward proxy. There is no plaintext HTTP traffic leaving the network unless I permit it for a specific website in the proxy config. The proxy forces all traffic over HTTPS

If HTTPS were optionally under user control, certainly I would be monitoring HTTPS traffic being automatically sent from own computers on own network to Google by Chrome, Android, YouTube and so on. As I would for all so-called "tech" companies doing data collection, surveillance and/or ad services as a "business"

Ideally one would be able to make an informed decision whether they want to send certain information to companies like Google. But as it stands, with the traffic sometimes being protected from inspection _by the computer owner_, through use of third party-mediated certificates, the computer owner is prevented from knowing what information is being sent

In own case, that traffic just gets blocked

isodev

While Google and friends are happy to push for https, it’s dramatically easier to scam people via ads or AI generated content. Claiming plain HTTP is scary seems like a straw man tbh

Arainach

The threat model of HTTP isn't site owners, it's that anyone else can change the content and you can't tell that it didn't come from the original site.

It's not a strawman, it's a real attack that we've seen for decades.

The entire guidance of "don't connect to an open wireless AP"? That's because a malicious actor who controlled the AP could read and modify your HTTP traffic - inject ads, read your passwords, update the account number you requested your money be transferred to. The vast majority of that threat is gone if you're using HTTPS instead of HTTP.

isodev

Then perhaps the problem is open APs? There are still legitimate uses for HTTP including reading static content.

Say we all move to HTTPS but then let’s encrypt goes away, certificate authority corps merge, and then google decides they also want remote attestation for two way trust or whatever - the whole world becomes walled up into an iOS situation. Even a good idea is potentially very bad at the hands of unregulated corps (and this is not a hypothetical)

IgorPartola

I distinctly remember trying to sign up for Pandora’s premium plan back in 2012 and their credit card form being served and processed over HTTP. I emailed them telling them that I wanted to give them my money if they would just fix the form. They never got back to me or fix it for several more years while I gave my money to Spotify. Back then HTTPS was NOT the norm and it was a battle to switch people to it. Yes it is annoying for internal networks and a few other things but it is necessary.

billyhoffman

In the early to mid 2000s I would believe this. But for a major e-commerce provider in 2012? That seems vanishing improbable.

PCI DSS is the data security standard required by credit card processors for you to be able to accept credit card payments online. Since version 1.0 came out in 2004, Requirement 4.1 has been there, requiring encrypted connections when transmitting card holder information.

There’s certainly was a time when you had two parts of a commerce website: one site all of the product stuff and catalogs and categories and descriptions which are all served over HTTP (www.shop.com) and then usually an entirely separate domain (secure.shop.com) where are the actual checkout process started that used SSL/TLS. This was due to the overhead of SSL in the early 2000s and the cost of certificates. This largely went away once Intel processors got hardware accelerated instructions for things like AES, certificates became more cost-effective, and then let’s encrypt made it simple.

Occasionally during the 2000s and 2010s you might see HTML form that were served over HTTP and the target was an HTTPS URL but even that was rare simply because it was a lot of work to make it that complex instead of having the checkout button just take you to an entirely different site

fuzzzerd

I remember even back in the early 2000s https for credit card forms was pretty common. Surprised a company like Pandora wasn't with it by thr 2010s.

bo1024

> What's worse, many plaintext HTTP connections today are entirely invisible to users, as HTTP sites may immediately redirect to HTTPS sites. That gives users no opportunity to see Chrome's "Not Secure" URL bar warnings after the risk has occurred, and no opportunity to keep themselves safe in the first place.

What is the risk exactly? A man-in-the-middle redirect to a malicious https site?

drusepth

Doesn't it already do this? I keep a domain or two on HTTP to force network-level auth flows (which don't always fire correctly when hitting HTTPS) and I've gotten warnings from Chrome about those sites every time for years... Only if I've been to the site recently does the warning not show up.

deathanatos

Right now it only shows a little bubble in the URL bar saying "Not Secure", I think. (So, that is a "warning", in a sense.) TFA is saying there will now be an interstitial if you attempt an HTTP connection.

HSTS might also interact with this, but I'd expect an HSTS site to just cause Chrome to go for HTTPS (and then that connection would either succeed or fail).

> to force network-level auth flows (which don't always fire correctly when hitting HTTPS)

The whole point of HTTPS is basically that these shouldn't work, essentially. Vendors need to stop implementing weird network-level auths by MitM'ing the connection, and DHCP has an option to signal to someone joining a network that they need to go to a URL to do authentication. These MitM-ers are a scourge, and often cause a litany of poor behavior in applications…

sam_lowry_

HTTPS url?

dadrian

Chrome has shown the HTTP warning in Incognito mode for about a year, and has shown the warning if you're in Advanced Protection mode for about 2-3 years.

lateforwork

> One year from now, with the release of Chrome 154 in October 2026...

Wait a minute, how do they know what version Chrome will be at a year from now?

cbowal

Chrome has a set release schedule, shipping a new major release every four weeks.

https://chromium.googlesource.com/chromium/src/+/HEAD/docs/p...

elcritch

Chrome moved to a time based release cadence.

p1mrx

http://http.rip/ is useful for testing this sort of thing. I used to test with http://neverssl.com/ until they added HTTPS for some reason.

jeroenhd

neverssl added an HTTPS version for browsers that automatically connect to HTTPS when entering a domain name (like Chrome probably will after this change, eventually). The HTTPS version of the site uses Javascript to load a random http:// subdomain of neverssl.com so automatic HTTPS redirects are still defeated.

http.rip will probably show a "website unavailable" error at some point unless you manually type in the http:// prefix.

yjftsjthsd-h

> I used to test with http://neverssl.com/ until they added HTTPS for some reason.

My first reaction was along the lines of "What? That can't possibly be right..."

After testing a bit, it looks like you can load https://neverssl.com but it'll just redirect you to a non-https subdomain. OTOH, if the initial load before redirecting is HTTPS then it shouldn't work on hotel wifi or whatever, so still seems like it defeats the purpose.

Huh.

shakna

IANA's http://example.com still has a plain http version.

dorianmariecom

i use http://perdu.com

rr808

Https really sucks for our intranet. Every little web app and service needs certificates and you can't use letsencrypt.

ottah

Mmmm, great that and mandatory key rotation every 90 days, plus needing to get a cert from an approved CA, means just that more busy work to have an independent web presence.

I don't like people externalizing their security policy preferences. Yes this might be more secure for a class of use-cases, but I as a user should be allowed to decide my threat model. It's not like these initiatives really solve the risks posed by bad actors. We have so much compliance theater around email, and we still have exactly the same threats and issues as existed twenty years ago.

techbrovanguard

You understand that key rotation can and should be automated, right?

antisol

Impressive. I don't need to post my opinion on this anymore - you did it so much better than I ever could.

marginalia_nu

http://www.slackware.com/ is probably the biggest website I'm aware of that does not serve encrypted traffic[1]. but there are a few other legitimately useful resources that don't encrypt.

[1] (Except on the arm subdomain for some reason)

giancarlostoro

My first distro was Slackware. Good memories. The ARM subdomain looks drastically more maintained, posts from 2025.

Don't ever view source on slackware.com

marginalia_nu

> Don't ever view source on slackware.com

That's very 90s looking HTML. Large swathes of blank spaces may also indicate they're rendered somehow. PHP? CGI?

Confusingly it also sets an akamai cookie, `ak_bmsc`. Seems a bit out of place.

tptacek

Don't ever view source on slackware.com

Awwww, that's the stuff right there.

hulitu

> Don't ever view source on slackware.com

why ?

cube00

What's worse, many plaintext HTTP connections today are entirely invisible to users, as HTTP sites may immediately redirect to HTTPS sites. That gives users no opportunity to see Chrome's "Not Secure" URL bar warnings after the risk has occurred, and no opportunity to keep themselves safe in the first place.

Two hosting providers I use only offer HTTP redirects (one being so bad it serves up a self signed cert on the redirect if you attempt HTTPS) so hopefully this kicks them into gear to offer proper secure redirects.

tracker1

As good an idea as this is... I do hope that localhost/127.0.0.1 will be excluded for devs/testers.

null

[deleted]