• Chobbes@lemmy.world
    link
    fedilink
    arrow-up
    4
    ·
    1 year ago

    This is not true. Browsers will happily use http even if https is available, and without other mitigations like HSTS or DANE there is no way for your browser to even know that a site supports https. Many websites will forcibly redirect you to https, but this is the server telling you “hey connect with https instead”. A man-in-the-middle can simply not tell you to use https. Browsers have started marking http sites as insecure and will warn you about sending passwords, however.

    • towerful@programming.dev
      link
      fedilink
      arrow-up
      4
      ·
      1 year ago

      I think I phrased it wrong, or there is a confusion with terms.
      If a page is loaded with HTTPS, then images/CSS/JS/iFrames (resources) will not load over HTTP. The resources also have to be served via HTTPS.
      If a page is loaded over HTTP, then resources (images/CSS/JS/iFrames) can be loaded over HTTPS.

      My objection was to the “even if a server has HTTPS, some resources will still load over HTTP”

      • Chobbes@lemmy.world
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        As far as I know, this is not strictly true either. I believe most browsers currently block mixed active content like JavaScript or iframes, but will happily load images and such over HTTP (although I would not be surprised if this is changing).