The feature can be used to automatically switch from HTTP to HTTPS
Microsoft has launched the Automatic HTTPS feature to improve security in its Edge browser.
The Redmond giant announced the addition of Automatic HTTPS on June 1. Beginning with Microsoft Edge 92, users can enable the feature to automatically switch from HTTP connections to HTTPS, where available.
While currently available to Canary and Development channel participants – alongside “select users” of Edge – the target release for Edge 92 to the beta channel is next week, with an estimated stable channel (mainstream) release date in the third week of July.
Edge alerts users to insecure websites with a “not secure” measure displayed on browser tabs, and a lock icon when the HTTPS protocol has been enabled.
Automatic HTTPS will switch connections on sites that are “highly likely” to support the secure protocol based on Microsoft telemetry and whitelists. The company says this will “help enable a more secure connection on hundreds of thousands of top domains”.
Edge’s new feature is focused on tackling manipulator-in-the-middle (MITM) attacks that can allow eavesdroppers to monitor, steal, or tamper with data exchanged over insecure connections.
HTTPS mitigates the risk of these forms of attack, and while many websites now support the protocol, fewer mandate a HTTPS connection.
Microsoft says that lacking this requirement “leaves open a short window of opportunity for attackers before the site can redirect to the more secure protocol”, and furthermore, some sites do not redirect visitors from HTTP to HTTPS at all, leaving them exposed.
The protocol switch has been designed to trigger without intrusive or irritating notifications. More importantly, however, there are two options available when enabling Automatic HTTPS to make sure users can “browse as usual”.
The default upgrade will only enforce secure connections when domains are capable of HTTPS –although as this decision is based on Microsoft scans, there may be a margin of error – in order to reduce the chance of connection errors or performance issues.
If users wish to, they can opt-in to switch all connections from HTTP to HTTPS by enabling this choice in Edge Privacy Settings (edge://settings/privacy). Microsoft has warned that this may lead to connection errors occurring more frequently.
The success of this feature relies on the allow list compiled by Microsoft through web scanning. The list is based on top domains that are popular and support high levels of traffic – delivered over HTTPS but without requirements in place for the secure protocol – and indicates that connection errors may be more likely to occur with smaller websites that receive less attention if Automatic HTTPS is enabled.
The company notes that relying on known-capable domain lists could reduce performance or reliability problems while trying to enforce HTTPS-based browsing, such as those associated with “try HTTPS first and fall back to HTTP” approaches, currently in use by Google Chrome.
Since April, the Chrome browser has defaulted to HTTPS for users visiting sites that support HTTPS, and this feature comes into play when handling most typed in addresses. However, Chrome falls back to HTTP when HTTPS attempts fail, such as when there are certificate errors or they are untrustworthy.
Mozilla, too, introduced HTTPS-Only Mode in November as part of Firefox 83. This optional feature takes a slightly different approach: if a website does not support HTTPS, the browser displays an error message and will ask for permission before connecting via HTTP.
Microsoft emphasizes that the feature is currently experimental and has urged developers to report any issues and submit feedback.