Blog

Automatic HTTPS by Chris Taylor

About Chris Taylor:  Chris is on the Community Review Board for SANS’s OUCH! (the security awareness newsletter designed for everyone), has given over 470 computer-related presentations at the Ottawa Public Library, and is President of the Ottawa PC Users’ Group.

To browse the web, we all know that we should use https (which uses an encrypted session) rather than http (which does not use encryption), even though it’s not a panacea. See my Cybersecurity News article What does https really mean? https://mailchi.mp/glasswire/glasswire-monthly-newsletter-glasswire-is-about-to-reveal-your-ports.

Many sites are set up to automatically switch from http to https. Try browsing to http://google.com and it will switch to https://google.com. But some sites support both http and https and don’t automatically switch. In June 2021 Microsoft introduced an experimental feature called Automatically switch to more secure connections with Automatic HTTPS in Microsoft Edge v92 and announced it in the Windows Blog at https://blogs.windows.com/msedgedev/2021/06/01/available-for-preview-automatic-https-helps-keep-your-browsing-more-secure/. Even in Edge v106 (current as of this writing), the feature is still buried where you have to be pretty deliberate to enable it.

In the address bar in Edge, type edge://flags/#edge-automatic-https and hit Enter. Set the entry Automatic HTTPS to Enabled and restart Edge.

In the address bar in Edge, type edge://settings/privacy and hit Enter. Scroll down to the Security section and toggle on the option Automatically switch to more secure connections with Automatic HTTPS (1 in the screenshot below). You then have two options; Switch to HTTPS only on websites likely to support HTTPS (2 in the screenshot below) and Always switch from HTTP to HTTPS (connection errors might occur more often) (3 in the screenshot below).

I am not sure if the first option works all that well (don’t forget this was enabled through an “experimental” option). I don’t like the wishy-washy nature of the word “likely”. It does not work with  http://www.example.com even though the site supports https://www.example.com . Even odder perhaps, http://example.com does switch automatically to https://example.com. The second option: Always switch from HTTP to HTTPS (connection errors might occur more often) seems more aggressive, switching both http://example.com and http://www.example.com to their https equivalents.

Given the warning that “connection errors might occur more often”, I thought the second option might prevent me from browsing to http sites, but with it set, I browsed to http://neverssl.com and was able to connect with no problem.

Even though my experience with the experimental feature seems less than a complete solution, I don’t see any major downside to using it. According to the blog, even if a webpage is prevented from loading, you will get a message that provides the option to continue to the site.

If you haven’t downloaded the best firewall yet use one of the two buttons below. Need help? Contact us, or join our forum. We look forward to hearing about how you have joined our firewall community and we’d like to hear how you use the best firewall software to protect your device and network.

Get it on Google Play Download for Windows