(no title)

I have a few internal services on which I like to crank transport security to 11. No port 80, only TLS 1.3, only modern ciphers. You'd be surprised how much confusion not opening port 80 caused across technical people. And I've learned a bunch of things about supported TLS versions and supported ciphers of windows server versions from this crusade.

And that's with experienced admins and developers. Doing this with our average B2B customer? Hah, oh dear.

The answer to this question is interesting, and it's that not serving HTTP doesn't actually help. The attacker HTTPS contemplates controls whether victims see SYN+ACK packets in response to their 80/tcp SYNs. TCP itself isn't authenticated. So you need something "sticky" in the browser to remind it not to try 80/tcp, and thus risk being bamboozled by a MITM attacker.

For new sites that is definitely practical. Modern versions of Chrom{e|ium} & Firefox (and other browsers based on them) have defaulted to HTTPS when the protocol is not specified. The only potential issue is if users do specify the protocol and leave the S out, it would be good for browsers to try HTTPS when HTTP fails (though only if it completely fails to connect).

Old links to your site might still be http - HSTS prevents that request being in the clear. Also, if you have a man-in-the-middle attack, it doesn't matter if you return a redirect or not as the attacker has already replaced your site with a phishing attack instead of a redirect. HSTS prevents this.

Just wait a bit and there will be some TLS denialism spawning here.

For a lot stuff on my local network I don’t want the hassle and there are loads of use cases in local networks for normal people to just have port 80 no certs on something like 192.x.x.x because there is no easy way to set up public certificates for that and I don’t want everything hostem on cloud - some stuff I want to still host for myself in my local network.

Corporations or companies should not do that - even internal networks should have proper certs and encryption but it also is not that easy.

Stuff sent over the internet for others to see should have TLS always because you don’t know where your packets travel.

IMO: The right time to ask this question is when all browsers default to HTTPS; instead we should ask why browsers default to http instead of https.

IE: I just typed "google.com" into Brave and it made a request to http://google.com which responded with a 307 redirect to https://google.com, which then made a 301 redirect to https://www.google.com.

Microsoft Edge Version 142.0.3595.65 on macOS does not default to HTTPS, FWIW. Users accessing sites that do not redirect HTTP to HTTPS must specify the full URL, at least in my experience from 2024-2025.

Even with default https etc, HSTS still adds some defence against MITM - browsers won’t let you even forcibly accept a self signed certificate

It would be nice. Our security team started complaining that we serve a 301 redirect on port 80 for our website (just like 99.9% of websites do... sigh) and wanted port 80 shut down.

To appease them, I switched the redirect off in dev/staging, and soon enough even devs are having trouble accessing the site because they type 'website.com' and that can't resolve, only 'https://website.com' can.

(And before you say it, yes we use HSTS, but I presume there were some scenarios where that wasn't already cached/hit).