#HTTPSonly

Erik van Straten @ErikvanStraten@todon.nl
2025-11-28

@BleepingComputer : when using untrustworthy networks, use a browser that supports "warn for insecure connections" - and enable it (my advice: do both anyway).

Note that it is near-impossible to redirect an https connection without a certificate error - until said connection has been successfully set up. After that happens, only the target website can redirect the browser.

• Firefox uses a stupid name: "HTTPS-only". That's misleading because it only means that you'll be warned for insecure http connections (which can be enforced and hijacked by an evil twin, when not demanding https).

• Chrome on Android is stupid too: "Always use secure connections" (default: off). Also we'll have to wait one more year for this to become the default: security.googleblog.com/2025/1.

• Safari on iOS/iPadOS: "Not Secure Connection Warning" (also off by default).

To test: open http.badssl.com - your browser should warn you (instead of showing the web page), but allow you to use http.

Important: most browsers will *remember* your choice to allow an insecure connection to a specific website (based on the domain name). The criteria to "forget" such an exception vary per browser.

#AitM #MitM #EvilTwin #HTTPSonly #InsecureConnectionWarning #Firefox #Chrome #Safari

Screenshot from Firefox Focus Security (Android) settings. Enabled in the image:

HTTPS-Only Mode
Automatically attempts to connect to sites using the HTTPS encryption protocol for increased security.
Learn More

The last line points to https://support.mozilla.org/en-US/kb/https-only-prefs-focus

Screenshot: Chrome on Android, settings page for "Always use secure connections"

Switch: Always use secure connections (default: off)
Comment: For sites that don't support secure connections, get warned before visiting the site

Switch: Warns you for insecure public sites

Switch: Warns you for insecure public & private sites
Comment: Private sites might include things like your company's intranet

2024-02-07

The MIT website is still responding to non-TLS http requests at http://mit(dot)edu with a redirect to another non-TLS http URL.

How profoundly stupid is that!? I expect better from MIT.

For websites that are used by end-user browsers, the *only* valid response to an http request is a 301 redirect to an https URL.

p.s. Their Mastodon server is configured correctly.

Disclosure: I’m an RPI alum. (The RPI server is configured correctly.)

#CyberSecurity #httpsONLY #https #TLS #WebSecurity #PolyRensselInstiTechniTutelaer
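The rule in the post above (a plain-http request should get nothing but a permanent redirect to an https URL) as a small checker, added here and not part of the original post. The sample responses and the example.invalid hostnames are constructed; probe() is the only part that talks to a network and is not needed for the offline samples.

```python
# Added example: classify what a server returns to a plain-http request.
# Only a permanent redirect to an https URL passes; an http -> http redirect
# (the shape described in the post) is flagged as a downgrade.
from urllib.parse import urlsplit

# Constructed sample response heads (hostnames are placeholders).
SAMPLE_DOWNGRADE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://www.example.invalid/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_OK = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example.invalid/\r\n\r\n"
)

def parse_response_head(raw: bytes):
    """Parse the status line and headers of a raw HTTP/1.x response head.
    Returns (status_code, {lowercased-header-name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify_http_response(status: int, headers: dict) -> str:
    """Verdict for a response received over plain http:
    OK         permanent redirect (301/308) to an https URL
    WEAK       temporary redirect (302/303/307) to https: upgrades this visit only
    DOWNGRADE  redirect whose target is still plain http (absolute or relative)
    NO_UPGRADE anything else: the site answers the http request itself
    """
    location = headers.get("location", "")
    if status in (301, 302, 303, 307, 308) and location:
        if urlsplit(location).scheme.lower() == "https":
            return "OK" if status in (301, 308) else "WEAK"
        return "DOWNGRADE"  # http:// target, or a relative path (keeps http)
    return "NO_UPGRADE"

def probe(host: str, path: str = "/") -> str:
    """Live check: send one http request on port 80 without following redirects."""
    import http.client
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    return classify_http_response(resp.status, {k.lower(): v for k, v in resp.getheaders()})

if __name__ == "__main__":
    for name, raw in (("downgrade", SAMPLE_DOWNGRADE), ("ok", SAMPLE_OK)):
        print(name, classify_http_response(*parse_response_head(raw)))
```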

Herzenpfoten 🩷🐾 @herzenschein@pawb.fun
2023-08-20

On this matter, the source article for the experimental builds for #HTTPSonly mode by default is here: blog.chromium.org/2023/08/towa

It's interesting to note that the HTTPS-only mode that #Chrome / #Chromium will provide actually comprises three main features, one of which is already the default:

  • if no protocol like https:// or http:// is typed, default to HTTPS (since 2021)
  • HTTPS Upgrades -> if you click on an HTTP page, redirect to HTTPS (if the page exists)
  • HTTPS First -> try HTTPS first, show "this page is insecure" message as fallback to go back to HTTP (kinda like HSTS)

(and the insecure downloads thingie, which IMO is pretty minor)

Meanwhile the HTTPS-only mode that #Firefox already ships as a setting and is already enabled by default in Private Tabs has these three features bundled together.

Herzenpfoten 🩷🐾 @herzenschein@pawb.fun
2023-08-20

At a certain point I made the transition from #Apache to #Nginx and now I'm thinking of transitioning to #Caddy. I like that the configuration file is really small and it fetches certificates for HTTPS without me doing a damn thing.

#Chromium / #Chrome just started shipping experimental builds with #HTTPSonly mode enabled by default and has plans to ship it to everyone once it's mature, and I hope #Firefox will do this as well. So I can even stop caring about port 80 entirely once that happens, as the major browsers would no longer default to trying port 80 first.

heise online (inoffiziell) @heiseonline@squeet.me
2022-07-18

Our weekday news overview summarizes the most important news of the day briefly and concisely.
Briefly informed: gas crisis, microplastics in the sea, Intel graphics card

2022-05-03

Firefox 100 for Android now supports HTTPS-only mode! 😇

"HTTPS provides a secure, encrypted connection between Firefox and the websites you visit. Most websites support HTTPS, and if HTTPS-Only Mode is enabled, then Firefox will upgrade all connections to HTTPS."

#Firefox
#HttpsOnly
#Security

Jörg Kantel @kantel
2020-11-20
