Browser forces HTTPS for HTTP forum sometimes

Started by Sono, May 27, 2022, 05:51:15 AM


Sono

I noticed this oddity with Chrome: when you have a forum on HTTP, open a private window and type "yourdomain.com", exactly this and no more characters, Chrome will try to force HTTPS. I checked my hosting, but no SSL certificate is installed and there are no forced redirects. Once the domain is typed as 'http://yourdomain.com' the forum loads. With this method I can trigger this error all the time, but it happens at other times as well sometimes. I think this is some oddity caused by Chrome. Any idea how to solve this? I thought of forcing HTTP instead in .htaccess. But I am not sure how wise an idea that is in our SSL-dominated world. I fear my site will be sanctioned by Google or it may mess up displaying certain parts of my forum. What do you think?

PS: I have just noticed it works like that in Opera as well, and even with sites other than an SMF forum. I have a simple HTML site as well, the same happens when I type it like the way I mentioned above. It seems to me it happens in case of domains that had an SSL certificate issued earlier, but cancelled.

Kindred

Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Sono

Regarding my SMF site, that would be fine, but as I remember it is not easy to transfer the forum from HTTP to HTTPS and it will mess up many things.

On the other hand, I have several other sites, and some I cannot even run on HTTPS because of the hosting, so it will be better to solve this without a certificate instead.

Arantor

No, it really wouldn't. Every time your users log in via HTTP, they will be told by the browser that your site is not secure.

They'll always be told this. It's possible at some point they won't even be able to log in because the browser manufacturers are talking about disallowing password fields to be used on non-HTTPS sites.

Sono

But at the moment I am on HTTP, and can log in. The site works fine if I add the http:// prefix to the domain name, or arrive from a Google search and click the site from there. The problem happens when you add only yourdomain.com as the address, nothing else: the browser automatically appends an https:// prefix, and it wants to open the site like that. I checked the error message as well, and the browser reports in this case that the site is considered unsafe not because of the HTTP, but because its certificate is out of date. And it is listing the details of the former certificate that once was installed. So it seems once you had a certificate for any of these HTTP sites, no matter if you cancelled it, the browser will see it and will insist on it by adding an HTTPS prefix by default. It is just some browser glitch. But I wonder how you could deal with it on the site developer side.

Arantor

But HTTP IS unsafe. And all major browsers will flag any password entry (where people log in) as unsafe on HTTP without exception.

Also, browsers simply default to HTTPS now because the majority of the web is HTTPS.

Oh, and Google downranks sites not on HTTPS.

How many more reasons do I need to find to get you to fix the real problem, which is that you need to fix your HTTPS?

Sono

Look, I appreciate your advice, but let me not enumerate all the reasons not to put all my sites on HTTPS. Just the main reason: the hosting does not support it (and I have no money to put all my sites on HTTPS). Moreover, in spite of what you say, in case the site never had a certificate installed, it will run fine in any browser without notification. The problem only comes when the site had a certificate in the past. On the other hand, even this way the sites run fine. Once the browser caches the site as HTTP, it will work without issue. For example, when you arrive from a Google search, it automatically caches HTTP.

Anyway, ranking is a problem with HTTP only when you publish already covered stuff. If your stuff is unique, the ranking is not affected by the site being HTTP. I have several sites that rank #1 in Google even as HTTP, because they are unique. In this case the HTTPS is useless to be paid for again.

So instead of recommending SSL, let us stick to the original problem and solve that. Moreover, I want to avoid the difficulties at the moment to turn the http forum into https. As I read it is very complicated.

I tried this rule by the way; it works with Chrome, but Opera ignores it:

RewriteCond %{HTTP:X-Forwarded-Proto} =https
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Arantor

Then get a better host. Most hosts these days will give you a free certificate through Let's Encrypt. I haven't paid for a certificate in years.

And you're wrong about the "will run just fine". The browser doesn't know about a previous certificate, it just assumes it should be secure and tries that first. (The only way it would "know" about a previous certificate is if you had HSTS set up, but that wouldn't let you use HTTP at all, only HTTPS.)

You say it's difficult doing the correct thing, yet you're finding it even harder to do the wrong thing... maybe don't do the wrong thing.

Sono

The browser will have no issue if the site had no certificate in the past. It won't report anything, it just opens the site ASAP. Try it. Place a WordPress site into your hosting for a new domain, do not add SSL. It will open. So it is false that the browsers sanction HTTP by default. Only when there was a certificate previously. In that case they append HTTPS automatically, but even that way, if you correct that and type HTTP, the site will work fine, no matter if PHP, login function, etc. It is just an appending glitch, not a real threat report.

Free certificates: not a real stable solution. Just a half solution. Several software packages will report it and sanction it the same way that I described. FileZilla, Kaspersky, they catch Let's Encrypt sometimes. And who knows what else. Better to avoid that hassle.

But okay, let us skip this debate. I insist on the HTTP; how could it be solved? The .htaccess redirect I pasted above works for Chrome, but not for Opera. How could it be modified?

Kindred

That's untrue.

Browsers will flag http sites, even if they never had a cert.

Seriously, you're spending a huge amount of effort to a) fix something that is actually performing as designed and b) do something that will eventually break your sites.

If your host does not offer a free Let's Encrypt certificate,  then you need a new host, ASAP -- because with that sort of attitude, there's a good chance that many other things are broken or insecure.

Anyway, the short of it is: there is nothing SMF can do about your problem anyway. Your "problem" is in the browser, not the site.

Sono

Wait a second, I have just noticed there might be a confusion here. When you wrote "Browsers will flag http sites, even if they never had a cert." what did you mean by that? Did you refer to the error window displayed when you said flagging, or to the fact that, next to the address bar, all browsers will display the message "Insecure" when you visit an HTTP site? It seems to me we are debating two different things. I think I was not clear enough in the starting post, because this is not the issue I am trying to discuss.

Aleksi "Lex" Kilpinen

HTTPS has been an official ranking signal for Google since 2014. They do punish sites without a cert.
Browsers have defaulted to HTTPS for a while now as well, and all major browsers include an HTTPS-only mode.
If your browser ignores a redirect to an HTTP address, then you may want to check if your browser already uses HTTPS-only mode as default, as I'd expect this to be the next development on this track.
https://www.eff.org/https-everywhere/set-https-default-your-browser

Let's Encrypt certs work just fine. I've been using them for multiple sites for a long time now, and can only think of one time I had some issues renewing certs for a day or so.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Kindred

Unless you actually still have an expired certificate ON your site *AND* are using https, the browser does not know that there WAS a cert there...

So, if you're using http, there is a warning in the browser bar that the site is not secure
If you TRY to use https, and you do not have a certificate, then the browser will display a warning saying that there is no cert
If you try to use https, and you still have a cert present, but it has expired, then the browser will display a warning that the cert is expired.

All three are EASILY solved by adding a valid certificate -- which pretty much EVERY host, except for junk-hosts, offers free certificates from "Let's Encrypt".  Heck, even GoDaddy - possibly one of the worst hosts out there, offers this.
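Before fighting the browser with a rewrite rule, it helps to measure what port 443 actually does, because a RewriteRule only runs after the TLS handshake has already succeeded and so can never suppress a certificate error. The script below is an added example for this thread (not code from the forum, SMF, or any poster): it performs the same fully verifying handshake a browser does and maps the outcome to the three cases listed in the post above. It assumes only the Python standard library (3.7 or newer for the verify_code field) and takes the hostname on the command line; "example.com" is a placeholder.

```python
"""Probe what a host really answers on port 443 and map the result to the
three cases above: HTTP only (nothing listening on 443), HTTPS attempted but
no usable certificate, and HTTPS with an expired certificate.

Added example for this thread; not forum or SMF code. Assumes only the Python
standard library; the hostname is whatever the caller passes in.
"""
import socket
import ssl

# OpenSSL's X509_V_ERR_CERT_HAS_EXPIRED verification result code
X509_V_ERR_CERT_HAS_EXPIRED = 10


def classify(exc):
    """Map the outcome of a verifying TLS handshake (None on success, otherwise
    the exception raised) to a short label. Pure function, no network."""
    if exc is None:
        return "https-ok"
    # SSL subclasses must be tested before their OSError base class.
    if isinstance(exc, ssl.SSLCertVerificationError):
        if getattr(exc, "verify_code", None) == X509_V_ERR_CERT_HAS_EXPIRED:
            return "https-cert-expired"      # third case: cert still served, but expired
        return "https-cert-untrusted"        # self-signed, wrong hostname, unknown CA
    if isinstance(exc, ssl.SSLError):
        return "https-handshake-failed"      # second case: TCP connects, TLS never completes
    if isinstance(exc, OSError):
        return "no-https-listener"           # first case: refused or timed out, HTTP only
    return "unknown"


def probe_https(host, port=443, timeout=5.0):
    """Do a real handshake with full verification, as a browser would, and
    return (label, exception_or_None). This is the only function that touches
    the network."""
    ctx = ssl.create_default_context()   # checks chain, hostname and validity period
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                pass                     # handshake happens here; nothing else is needed
        return classify(None), None
    except Exception as exc:             # noqa: BLE001 - every failure is classified
        return classify(exc), exc


ADVICE = {
    "https-ok": "Port 443 serves a valid certificate; redirecting HTTP to HTTPS "
                "makes the browser's HTTPS-first guess correct.",
    "https-cert-expired": "Port 443 still answers with an expired certificate, so the "
                          "old SSL setup was never fully removed; renew it or stop serving 443.",
    "https-cert-untrusted": "Port 443 answers, but with a certificate browsers will not "
                            "accept; install a valid one.",
    "https-handshake-failed": "Something listens on 443 but cannot complete TLS; no "
                              ".htaccess rule can run before the handshake succeeds.",
    "no-https-listener": "Nothing listens on 443; an HTTPS-first browser may show an error "
                         "or fall back to HTTP depending on its settings.",
}


def explain(label):
    """Human-readable next step for a classify() label."""
    return ADVICE.get(label, "Unrecognised outcome; inspect the exception.")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    label, err = probe_https(target)
    print(f"{target}: {label}" + (f" ({err})" if err else ""))
    print(explain(label))
```

Run it as `python3 probe.py yourdomain.com`. The label "https-cert-expired" is the only outcome in which the browser can genuinely "see" an old certificate, and it means the hosting is still serving that certificate on port 443; every other label means the browser is simply guessing HTTPS first, as the replies above describe.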

vbgamer45

You can also get a free one via https://www.cloudflare.com/ using their free plan; just point to their DNS and that's it.
Community Suite for SMF - Take your forum to the next level, built for SMF: Gallery, Store, Classifieds, Downloads, more!

SMFHacks.com - Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store, SMF Classifieds, Ad Seller Pro

Sono

Quote from: Kindred on May 27, 2022, 09:01:24 AM
Unless you actually still have an expired certificate ON your site *AND* are using https, the browser does not know that there WAS a cert there...

Okay, so we are now getting close to the problem I am referring to. So let me summarize the problem again, and here is also a video showing the problem:

I have had my forum on HTTP since 2013. It was never HTTPS. But a few years ago, when I changed registrar and hosting, I accidentally selected "SSL" when adding the domain to the hosting. I asked the support to cancel it. It has been cancelled for years. But since then, any time the browser cache is empty (that means in the case of every new user arriving at the forum), if I type my forum name into the address bar (congovibes.com), the browser wants to redirect to the https version and displays an error message. No matter that the certificate has been cancelled for years. If I arrive at the forum from a Google search or type http://congovibes.com, the forum loads and works okay. So in case no http prefix is specified, the browser considers the site to be https, and displays an error message. No matter that there has been no certificate for years (I checked it in the hosting account). And strangely, when you click on the error details, it mentions the certificate, and still considers it valid. You can see this in the video I attached. The browser considers that the certificate is still valid. No matter that it has been cancelled for years. And this is the same situation with any http site I have. In case I accidentally switch them to SSL once, no matter if I cancel it and remove the SSL certificate, any browser will want to redirect it to https. I tested it; it works like this with any hosting provider, not just one. If you add an SSL, later the site will be considered https even if you cancel the certificate, and the browser will want to redirect there, no matter if you don't have redirects in .htaccess, in the hosting, etc. I have an http site that I never used with SSL; in the case of that one there is no problem. It loads and works fine. I have another that I set up with SSL accidentally yesterday, and since then it is triggering the error. This is how I noticed this glitch. See the video below for how it happens.
In the video it is the virus scanner that is sending the message, but if I switch that off, the browser's own message appears. And then you can click on the details, and there you find the certificate is on. No matter that it is cancelled. And let me emphasize again, this certificate has been cancelled for at least 3-4 years, and was only issued for 1 year back then. Don't tell me this is normal behavior:

https://youtu.be/VyWUHLaGurs

Try it yourself. Create a simple HTML site or a default WordPress site, no matter which. Make it http. Publish. You will see it works. Then add SSL. Remove it. It will always trigger this error that I am talking about. No matter how long ago it was cancelled. That's why I want to find a solution to this, to redirect the browser's https attempt back to http.

I don't want to make my forum https now, because I have many old photos shared in it that would go missing if the site became https. I don't want the stress now of struggling with this.

Arantor

Of course it'll trigger the 'error' - the browsers ALL assume you want HTTPS by default. And if you visited the site with HTTPS it'll be more inclined to remember that too.

No-one here is going to help you fix this. If they do, they're actually making your situation worse.

It's not at all impossible to fix the HTTPS situation even with all your images, there are solutions to that. But there aren't really solutions for trying to bypass the way the browsers work.

I've been doing this stuff as a day job for years, I'd rather fire a paying client than 'fix' this for them.

Aleksi "Lex" Kilpinen

Doesn't do that to me - I've never been to that site before, and I just tested. Are you sure you don't happen to have a https url to the site saved in your favourites or something? I tried with Chrome and Brave, both just give me the http version no problem.

Also, no, you wouldn't lose any images if you switched to using https and used an image proxy. One is built in to SMF.
And the right way to fix all this would be to take the jump.

Sono

Quote from: Aleksi "Lex" Kilpinen on May 27, 2022, 12:57:57 PM
Doesn't do that to me - I've never been to that site before, and I just tested. Are you sure you don't happen to have a https url to the site saved in your favourites or something? I tried with Chrome and Brave, both just give me the http version no problem.

Also, no you wouldn't lose any images if you switched to using https and used an image proxy. One is built in to SMF.
And the right way to fix this is all would be to take the jump.

It does this for me even if I check it on another machine. But how did you type it? The domain name only, or did you add the http prefix?

FrizzleFried

I just typed "congovibes.com" into my Chrome browser (for the first time ever, obviously) and your site came up without issue.

It changed the address in the bar to: http://congovibes.com/

Aleksi "Lex" Kilpinen

Quote from: Sono on May 27, 2022, 01:09:13 PM
It does this for me even if I check it on another machine. But how did you type it? The domain name only, or added the http prefix?

Identical to what you show in the video, only the domain part, no protocol specified.