

Ask HN: Why are so few links posted as https? - ejr

I've been lurking for quite a while now and noticed that even though many of the sites linked support SSL connections, not many are posted as https.

In the comments too most people still post http. Ex: The Wikipedia links everyone seems to love.

Is this just because of old habits or do people use plugins that force https in the background?
======
Someone1234
I suspect the search engines (Google, Bing, DDG) could do a huge amount to
combat this if they so wished.

Just check if the HTTP and HTTPS site returns near identical results (e.g.
same title, response code, etc) then link to the HTTPS version by default.

A lot of links that get posted are directly taken (ultimately) from search
engine results. Someone will search, view the page, then copy/paste it to
others.

~~~
ejr
Resource efficiency has a lot to do with that, I think. Crawling sites twice
will add not only to the burden of the bots but the sites too. Admins may
disapprove of this.

I wonder if users can be motivated to do the checking themselves when they
post the link.

~~~
quesera
Could try https first, then.

While it's possible to serve completely different pages and sites on https vs
http, it's rare in practice, and would be reasonable to penalize.

~~~
embolalia
I think that's absolutely reasonable to penalize. From a technical
perspective, returning a different resource depending on the scheme of the URI
is absolutely acceptable, but from a UX standpoint it's ridiculous to have a
difference between http and https.

------
MattBearman
I suspect the problem is that http is still the default. If you type a url
without a protocol into a browser, it goes to http://[url]

So unless the site in question is set up to redirect http requests to https,
most links will be http.

I wonder if browsers should always try https first if no protocol is
specified? But then as has been pointed out before on here, there's no
guarantee that the http and https versions of the same url will have the same
content.

~~~
ejr
Good point. I borrowed a computer that had "HTTP Nowhere" installed on
Firefox, but that seemed to break a lot of things to the point I had to turn
it off. That may explain why browsers still default to http.

~~~
quesera
HTTPS Everywhere works great, all the time, for me. I've never heard of "HTTP
Nowhere". If you were just misremembering the name, it might have been a long
ago old version? Or maybe the borrowed computer was otherwise jacked.

~~~
x1798DE
HTTPS Everywhere is a "soft enforcement" of HTTPS, with hand-curated regex
that switches you to HTTPS if it's known by the EFF where the appropriate
HTTPS server is. It's a wonderful, wonderful tool and I'd feel naked without
it, but it "fails open" as it were - if something doesn't have https support,
or the https support is buggy, it just shows you the http version.

I believe HTTP Nowhere is similar to HTTPS Everywhere, but it "fails closed"
- if there isn't an HTTPS version of a site, HTTP Nowhere just doesn't show
you that site.

I really hope we one day get to a world where it's feasible to have HTTP
Nowhere on by default. There are a shocking number of sites which don't
support HTTPS, probably because they are suffering some misapprehension about
the overhead it adds. Amazon does a bizarre thing where they bounce you back
and forth between HTTP and HTTPS depending on how much information about you
that _they_ feel a page reveals. It's quite an unstable situation for such a
high value target. I wouldn't be surprised if there are a number of
spearphishing and MITM attacks that take advantage of Amazon's cavalier
attitude towards its customers' safety and privacy.
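
The "fails open" versus "fails closed" distinction from the comment above, as an added example that is not part of the original thread and not the code of either extension. The rule list, the hostnames and the `decide` function are constructed for illustration.

```javascript
// Added illustration: a simplified model, not the code of either extension.
// Rules and hostnames are constructed for this example.
const RULES = [
  { from: /^http:\/\/(?:www\.)?example\.org\//, to: "https://www.example.org/" },
  { from: /^http:\/\/([a-z0-9-]+)\.wiki\.example\//, to: "https://$1.wiki.example/" },
];

// mode "fail-open":   no matching rule lets the plain-HTTP request through.
// Any other mode is treated as fail-closed: no matching rule blocks it.
function decide(rawUrl, mode) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { action: "block", url: null, reason: "unparseable URL" };
  }
  if (url.protocol === "https:") {
    return { action: "allow", url: url.href, reason: "already HTTPS" };
  }
  if (url.protocol !== "http:") {
    return { action: "block", url: null, reason: "unsupported scheme" };
  }
  // URL() lowercases the host and adds the trailing "/", so rules match reliably.
  for (const rule of RULES) {
    if (rule.from.test(url.href)) {
      const upgraded = url.href.replace(rule.from, rule.to);
      return { action: "rewrite", url: upgraded, reason: "curated rule" };
    }
  }
  if (mode === "fail-open") {
    return { action: "allow", url: url.href, reason: "no rule, plain HTTP allowed" };
  }
  return { action: "block", url: null, reason: "no rule, plain HTTP refused" };
}

// Constructed sample links, as they might be posted in a thread.
const SAMPLES = ["http://example.org/wiki/TLS", "http://en.wiki.example/a?b=1",
                 "http://legacy.example.net/"];
for (const link of SAMPLES) {
  for (const mode of ["fail-open", "fail-closed"]) {
    const d = decide(link, mode);
    console.log(`${mode.padEnd(11)} ${link} -> ${d.action} ${d.url ?? ""} (${d.reason})`);
  }
}
```

Only the third sample differs between the two modes: it has no rule, so fail-open loads it over HTTP and fail-closed refuses it.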

~~~
quesera
Good point. While I knew that HTTPS Everywhere would fall back to HTTP when
necessary (and therefore "work" all the time), I never thought about the fact
that the name implies otherwise.

I guess I considered it more aspirational than declarative. "Revolution Now!",
"HTTPS Everywhere!", etc. :)

HTTP Nowhere looks like it takes a much harder line, which I hope will someday
be practical for general usage.

------
theandrewbailey
I use HTTPS Everywhere, so even if links are posted as HTTP, I will be
directed to HTTPS for sites that support it. It rewrites the URL browser side,
so there's never an HTTP 426.

https://www.eff.org/https-everywhere

------
DanBC
I don't care. SSL is probably good enough for a few pages that I want
protected and I don't care about the rest. I haven't thought about it. If
people express a strong preference either way I'll try to remember.

~~~
pestaa
It is not only to protect the few pages on which you enter sensitive data. All
traffic should be protected from man in the middle attacks.

Also if all traffic was protected, attackers wouldn't know which one is worth
hacking; now it's still quite obvious.

