1. 8
  1. 2

    Interesting statistics. But I remain skeptical towards this mode, in case it ever becomes the default, especially with an ominous warning page on HTTP sites. Way to gatekeep the web.

    1. 5

      Nah, what makes you think this opt-in security mechanism, something that the EFF has spearheaded many years ago as HTTPS Everywhere, is a way to employ gatekeeping? Setting the opt-in flag implies someone does not want to visit HTTP web pages. Do you think folks would rather opt in to this if the downgrade happened in a completely transparent way? Your point of an “ominous” warning page is interesting though, I could imagine this being at odds with the terminology of “https only”; but that name isn’t set in stone either. :)

      I’d argue the browser’s big promise is to support legacy content. Browsers still support a lot of nonsense from the 1990s, like . There are no plans to abandon HTTP altogether.

      1. 3

        Yeah, I think it’s fine as long as it is opt-in. I’m just a bit hesitant in case it is made opt-out in the future. I’d hate for people to be scared away from non-HTTPS sites by a big browser warning.

        As for defaults, I think a reasonable choice is HTTPS by default with transparent downgrade to HTTP, which seems to be the way Chrome is going, if I understand correctly.