When you type in example.com with no scheme, the browser tries HTTP first. His suggestion is to try HTTPS first instead, and fall back to HTTP only if the HTTPS connection fails.
This falls under the “trying to be correct by default” behavior. Our browsers should encrypt traffic to sites by default. If you type in http://example.com, you are directing the browser to make a plain-text request, and it should follow that direction. Outside of that, better to do encryption by default. The weak point of this scheme is the fallback: an attacker on the path can make the HTTPS attempt fail and the browser will then obligingly send the request in the clear, which is exactly what HSTS exists to prevent for sites that opt in.
I’m in favor of this kind of change.
I’d even consider going one step further: flip HSTS (HTTP Strict Transport Security). Instead of requiring sites to opt in to telling browsers that a site should be HTTPS only, default to HTTPS and require the site to opt in to a plain HTTP version. That is a bigger change and will require more work, namely more Let’s Encrypt alternatives, but I think we can get there.
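To make the difference between the two proposals concrete, here is a small model of how a browser turns a typed address into a list of URLs to try. It is an added illustration, not code from this post or from any real browser. It parses the Strict-Transport-Security header as RFC 6797 defines it (max-age, includeSubDomains, unknown directives ignored), keeps a per-host policy cache, and then resolves typed addresses three ways: HTTPS first with a plain-HTTP fallback for unknown hosts, an explicit scheme honoured as typed, and HTTPS only with no fallback for hosts that have a live HSTS policy. Note that real HSTS goes further than the text above suggests: a host with a policy is upgraded even when the user types http:// explicitly, and the code models that. Host names, header values and timestamps are constructed sample data; the function and class names are my own.

```javascript
'use strict';
// Added example (not from the original post or any browser): a toy model of
// address resolution under HTTPS-first-with-fallback versus HSTS (RFC 6797).
// All hosts, headers and timestamps used with it are constructed sample data.

// Parse a Strict-Transport-Security header value. Returns null when the header
// carries no usable max-age, which a browser must treat as "no policy".
function parseHsts(headerValue) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of headerValue.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? '' : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (name === 'max-age') {
      if (!/^\d+$/.test(value)) return null; // malformed max-age: ignore the whole header
      maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
    // Unknown directives (e.g. "preload") are ignored, as the RFC requires.
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// The browser's HSTS cache: host -> { expires, includeSubDomains }.
class HstsStore {
  constructor() { this.entries = new Map(); }

  // Record a policy learned from a response. A header received over plain HTTP
  // must be ignored, otherwise an on-path attacker could plant or clear policies.
  // Returns true if the cache was updated.
  learn(host, headerValue, overHttps, now) {
    if (!overHttps) return false;
    const policy = parseHsts(headerValue);
    if (policy === null) return false;
    if (policy.maxAge === 0) { this.entries.delete(host); return true; } // max-age=0 revokes
    this.entries.set(host, {
      expires: now + policy.maxAge,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Is `host` covered by an unexpired policy, either on the host itself or on a
  // parent domain that set includeSubDomains? The bare TLD is never consulted.
  isKnownHttpsOnly(host, now) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length - 1; i++) {
      const entry = this.entries.get(labels.slice(i).join('.'));
      if (!entry || entry.expires <= now) continue;
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
}

// Return the URLs the browser should try, in order, for what the user typed.
function resolveTypedAddress(typed, store, now) {
  const m = /^(https?):\/\/(.*)$/i.exec(typed);
  const scheme = m ? m[1].toLowerCase() : null;
  const rest = m ? m[2] : typed;
  const host = rest.split('/')[0].split(':')[0].toLowerCase(); // HSTS is per host, not per port
  if (store.isKnownHttpsOnly(host, now)) {
    return ['https://' + rest];                    // HSTS: always HTTPS, never a plaintext fallback
  }
  if (scheme) return [scheme + '://' + rest];      // an explicit scheme is honoured as typed
  return ['https://' + rest, 'http://' + rest];    // HTTPS first, fall back if the HTTPS attempt fails
}
```

The second return value of `resolveTypedAddress` for an unknown host is the fallback the text above worries about; under the “flipped” default the author proposes, that entry would only appear for hosts that had explicitly opted back in to plaintext.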
Responsive design has swept the web. What would happen if mobile browsers were to assume
The big push for this came from mobile, Safari specifically. That ship has sailed; there is no point in pretending we will ever go back. I’m in favor of this kind of change.
As technology changes, it is healthy to re-evaluate our defaults. Most people won’t change them, so a “protect the user” attitude should weigh heavily in how defaults are managed over time.