this post was submitted on 03 Oct 2023
657 points (99.0% liked)

Firefox

18050 readers
46 users here now

A place to discuss the news and latest developments on the open-source browser Firefox

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] Chobbes 4 points 1 year ago (1 children)

This is not true. Browsers will happily use http even if https is available, and without other mitigations like HSTS or DANE there is no way for your browser to even know that a site supports https. Many websites will forcibly redirect you to https, but this is the server telling you “hey connect with https instead”. A man-in-the-middle can simply not tell you to use https. Browsers have started marking http sites as insecure and will warn you about sending passwords, however.

[–] [email protected] 4 points 1 year ago (1 children)

I think I phrased it wrong, or there is a confusion with terms.
If a page is loaded with HTTPS, then images/CSS/JS/iFrames (resources) will not load over HTTP. The resources also have to be served via HTTPS.
If a page is loaded over HTTP, then resources (images/CSS/JS/iFrames) can be loaded over HTTPS.

My objection was to the "even if a server has HTTPS, some resources will still load over HTTP"

[–] Chobbes 4 points 1 year ago

As far as I know, this is not strictly true either. I believe most browsers currently block mixed active content like JavaScript or iframes, but will happily load images and such over HTTP (although I would not be surprised if this is changing).