Closed Bug 1352847 Opened 7 years ago Closed 7 years ago

entering URL in Location bar should default to https:// instead of http://

Categories

(Firefox :: Address Bar, enhancement, P3)

Product:
Firefox
Component:
Address Bar
Type:
enhancement

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1158191

People

(Reporter: vincentv, Unassigned)

References

Details

(Whiteboard: [fxsearch]) 

If I type

youtube.com

it should default to https://youtube.com instead of http://youtube.com. Many redirect to http if https is not available.

Also typing

youtube CTRL + ENTER

should be https://www.youtube.com instead of http://www.youtube.com
We can't do that easily because we don't know if https://site is the same as http:// site, as well as we can't know if the page will properly redirect, and in which direction. We could know, but that info is currently not available to the urlbar.
There are bug 1341350 and bug 1239708 to improve the situation.

CTRL+Enter is a different story, I agree that once the majority of the Web is on https, it should complete to the secure url. I can't find a dupe so for now I'm confirming this to evaluate using https in url canonization.
That said, it's a pretty much undiscoverable feature and as such it has likely a low impact.
Status: UNCONFIRMED → NEW
Depends on: 1341350, 1239708
Ever confirmed: true
Priority: -- → P3
Whiteboard: [fxsearch]
For me it sounds like a duplicate of bug 1158191.

> We can't do that easily because we don't know if https://site is the same as http:// site

That's right but why should Firefox display the http site then? Most people do want to open the https site (even if they don't know or even if they don't even know https).
And IMHO wrongly configured web servers shouldn't be a reason for an insecure behavior of a browser that is used by millions. I think most websites will do it right.
If browsers will act like this, server side mechanisms like HSTS will be less important and users are less dependent to server config.
Another reason why Firefox should try https first even if most websites do not support https is that IMHO (I don't have statistics) most major websites support TLS. So I think even now most of our daily internet browsing could be done via https.
So even if this is hard to implement it would be great and important though.
For speed improvements during fallbacks ff could access the server using http and https parallel? This was even faster than the current behavior when the site redirectes to SSL.
There might be a problem with captive portals but there are other mechanisms for that.
Would this affect things like public hotspots where you have to sign in on an insecure page to join the network? In these cases I usually have to load up a insecure page (bbc.co.uk) before it actually redirects me to the correct place..
(In reply to sedrubal from comment #2)
> For me it sounds like a duplicate of bug 1158191.

Yes, if you want to attack the problem from a broader point of view that's correct. Let's dupe there and keep the discussion in a single place.
That's not a trivial problem to solve fwiw, and that's why we are also looking at low hanging fruits to improve the situation in the meanwhile.

> So I think even now most of our daily internet browsing could
> be done via https.

We indeed  have a lot of interest into increasing secure browsing on the web, and there are a lot of ongoing efforts. But it's clear we're not there yet. It's improving!

> So even if this is hard to implement it would be great and important though.

I don't think it's an implementation problem, it's more about figuring out the right strategy.

Btw, please check bug 1158191 and add any additional brainstorming there.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
No longer depends on: 1341350
You need to log in before you can comment on or make changes to this bug.