Brave Browser: HTTPS by Default

[harlan4096]

Brave Browser upgraded certain sites from HTTP to HTTPS in the past using a list of compatible sites. Starting with Brave Browser 1.50, Brave drops the list approach to upgrade all HTTP sites to HTTPS, with the exception of a small list of sites that are not compatible.



Brave's HTTPS by Default system launches in the next major version of the browser. Whenever Brave detects an HTTP site, it will check if the site is in the list of incompatible sites. If it is not, Brave attempts to upgrade the connection to HTTPS for improved security and privacy.

If that does not work, and there is a chance that it does not, as not all HTTP sites support HTTPS as well, it will fall back to using HTTP for the connection.

Brave, HTTPS Everywhere and HTTPS by defaultPrevious versions of Brave Browser relied on an HTTPS upgrade list provided by HTTPS Everywhere. Brave checked whether the site was on the provided list when it encountered an HTTP site. If it was, it tried to upgrade the connection to HTTPS. If it was not, HTTP was loaded.

The approach worked, but it had two drawbacks that became apparent over time. The EFF, maintainer of the HTTPS Everywhere list, decided to end maintenance for it, which meant that the list was not updated anymore. The second drawback was the list-based approach itself. While it included thousands of sites, it excluded any site that still used HTTP that was not on the list.

Brave switched the approach. It still uses a list, but now only for incompatible sites. These sites have issues when upgraded to HTTPS; the issues can be functional or appearance related. Brave attempts to upgrade all sites not on that list to HTTPS, if they still use HTTP.


The list of sites that are incompatible is maintained by Brave on GitHub. The list includes several government and educational sites, but is relatively short. It has 112 entries at the time of writing.

Brave engineers ran into several roadblocks during development. Most sites that support HTTP and HTTPS use the same domain, but some don't. Some sites use subdomains for secure sites, others may use totally different domain names.

Brave's fallback to HTTP ensures that all of these sites will load.

Brave users may configure the feature in the Shields settings in Brave 1.50. These may be loaded directly in the address bar, brave://settings/shields, or by selecting Menu > Settings > Shields.

Closing Words

Brave Browser is not the only browser that attempts to upgrade insecure HTTP connections to HTTPS. Firefox has an HTTPS-Only Mode that loads only HTTPS pages, but comes with a fallback for sites that do not support HTTPS. Google Chrome and Microsoft Edge may try to upgrade to HTTPS as well.
...

Continue Reading