andersju / webbkoll

An online tool that checks how a website is doing with regards to privacy
MIT License

Automatic upgrade from http to https is bad for privacy #10

Closed sbp closed 6 years ago

sbp commented 6 years ago

Webbkoll gives a bad rating to sites that do not redirect from http to https. But browsers upgrade such requests without informing the user that the upgrade has happened. This means that data sent in the original request, such as a GET query, will have already been sent over http before the user is then switched to the apparently secure https version.

This is a flaw in web browsers. If browsers notified the user that they have leaked data, that would be an improvement. A greater improvement would be to not leak the data in the first place, for example by doing a HEAD / to check whether an upgrade is possible.

If browsers did not leak information in this way, and with an ideal https, it would be reasonable for website owners to automatically redirect http to https. It would in turn be reasonable for Webbkoll to give sites a lower privacy rating for not implementing it. But best practice meanwhile is for website owners to alert their users to their browser's misdemeanour in lieu of the browser behaving properly, and Webbkoll should encourage that behaviour rather than incorrectly supporting redirects that are bad for privacy.

Webbkoll is not alone in encouraging this bad practice. The criteria for inclusion in the centralised HSTS preload list encourage the same poor behaviour. Webbkoll should set a better example.

andersju commented 6 years ago

Interesting point, but I don't see what exactly it is that you propose that we do instead, and I fail to see how "301 redirect from HTTP to HTTPS; even better, also use HSTS, and preferably be in HSTS preload list" is not considered best practice these days. The web is a broken mess for sure, but this seems to be the way to cause the least amount of misery given the situation we're in. E.g.:

https://infosec.mozilla.org/guidelines/web_security#http-redirections
https://support.google.com/webmasters/answer/6073543?hl=en
https://www.eff.org/https-everywhere/deploying-https
https://https.cio.gov/guide/#compliance-and-best-practice-checklist
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#41-encrypt-everything
etc.
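As an added illustration of what the linked guides (and a checker like Webbkoll) actually look for, here is a small evaluator, written for this thread and not taken from the Webbkoll code base, that classifies a site's posture from two captured responses: the plain-HTTP one (does it redirect to HTTPS on the same host?) and the HTTPS one (is there a usable HSTS header, and does it meet the hstspreload.org minimums of a one-year max-age, includeSubDomains and preload?). The host names and header values below are constructed samples.

```python
# Added example (not Webbkoll's code): classify HTTP->HTTPS redirect and HSTS
# posture from two captured responses, the plain-HTTP one and the HTTPS one.
from urllib.parse import urlsplit

ONE_YEAR = 31536000            # minimum max-age required by hstspreload.org
REDIRECTS = {301, 302, 307, 308}

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}.
    Directive names are case-insensitive (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives

def evaluate(host, http_status, http_headers, https_headers):
    """Return a dict describing redirect and HSTS posture for `host`.
    http_status/http_headers: response to GET http://host/ (an HSTS header
    received over plain HTTP is ignored by browsers per RFC 6797, so it is
    deliberately not consulted here).
    https_headers: response headers from GET https://host/"""
    h = {k.lower(): v for k, v in http_headers.items()}
    loc = urlsplit(h.get("location", ""))
    result = {
        "redirects_to_https": http_status in REDIRECTS and loc.scheme == "https",
        "same_host_redirect": loc.hostname == host,   # preload requires same host
        "hsts": False, "hsts_max_age": 0, "preload_ready": False,
    }
    hs = {k.lower(): v for k, v in https_headers.items()}
    if "strict-transport-security" in hs:
        d = parse_hsts(hs["strict-transport-security"])
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        result["hsts"] = max_age > 0
        result["hsts_max_age"] = max_age
        result["preload_ready"] = bool(
            result["redirects_to_https"] and result["same_host_redirect"]
            and max_age >= ONE_YEAR and "includesubdomains" in d and "preload" in d)
    return result

# Constructed sample: a site that follows the linked guides.
GOOD = evaluate("example.com", 301, {"Location": "https://example.com/"},
                {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"})
# Constructed sample: no redirect, HSTS sent only over plain HTTP (ineffective).
BAD = evaluate("example.com", 200, {"Strict-Transport-Security": "max-age=31536000"}, {})

if __name__ == "__main__":
    print(GOOD)
    print(BAD)
```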

sbp commented 6 years ago

What you should do instead is to tell website owners to host a page on the http version of their site telling users that their browsers have just leaked potentially private data, violating their privacy. This recommendation should be in place until the leading market share browsers are fixed.

This issue is apparently not widely known, which is why the guides you linked to do not account for it. As I said above, obviously this needs to be fixed in the browsers. Meanwhile services like yours should recommend the best possible mitigation, which is to inform the user of the violation of their privacy by their own browser.

andersju commented 6 years ago

If you believe that the people of Mozilla, Google, EFF, etc. are not aware of this issue, I suggest you raise it with them so that they can adjust their guides accordingly. RFC 6797 (HSTS) is aware of it, yet still recommends redirecting. We're just trying to follow best practices here; if you want them to change, I'm not the one who needs to be convinced.