When version 90 of Google’s Chrome browser arrives in mid-April, initial website visits will default to a secure HTTPS connection in the event the user has failed to specify a preferred URI scheme.
Lack of security is currently the norm in Chrome. As Google Chrome software engineers Shweta Panditrao and Mustafa Emre Acer explain in a blog post, when a user types “www.example.com” into Chrome’s omnibox without either an “http://” or “https://” prefix, Chrome chooses “http://.” The same is true in other browsers like Brave, Edge, Mozilla, and Safari.
This made sense in the past when most websites had not implemented support for HTTPS. It was only in 2018 that the majority of websites redirected traffic to HTTPS. But these days, most of the web pages loaded rely on secure transport (ranging from about 98 per cent on Chrome to about 77 per cent on Linux). And among the top 100 websites, 97 of them currently default to HTTPS.
Previously, only websites that declared they should be loaded securely with an entry on an HTTP Strict Transport Security (HSTS) preload list – supported in multiple browsers – got HTTPS automatically.
Chrome 90 will make HTTPS the default for first-time website visits where no transport has been declared. Beyond the security and privacy benefits, say Panditrao and Acer, this will improve performance, since the delay incurred by redirection from an http:// endpoint to an https:// endpoint will no longer happen.
A few exceptions will persist, however. IP addresses, single-label domains (eg contoso, with no TLD like .com), and reserved hostnames like localhost/ will still default to http://.
Private like a fox
In other browser-related news, Mozilla Firefox 87 debuted on Tuesday with a privacy feature called SmartBlock.
Borrowing from techniques used by privacy-focused extensions NoScript and uBlock Origin (eg “stub scripts”), SmartBlock provides a way to block tracking scripts while attempting to minimize performance-affecting delays or errors that can arise from meddling with webpage code.
“SmartBlock does this by providing local stand-ins for blocked third-party tracking scripts,” explains Thomas Wisniewski, web compatibility engineer at Mozilla, in a blog post.
“These stand-in scripts behave just enough like the original ones to make sure that the website works properly. They allow broken sites relying on the original scripts to load with their functionality intact.”
Firefox SmartBlock can replace trackers found on the extensive Disconnect Tracking Protection List, which for the US alone lists well over a thousand entries.
Firefox 87 also incorporates another privacy enhancement: It will limit the information contained in the referrer (misspelled but implemented as “Referer”) header string by setting its default Referrer-Policy to “strict-origin-when-cross-origin.”
What this means is that when a Firefox user follows a link like “https://www.example.com/path?query” – where “path” and “query” represent more meaningful or sensitive information – the HTTP Referer header that gets sent to the visited website will indicate that the visitor has arrived from “https://www.example.com” and the extra path and query data will be dropped. ®