
Chrome and Firefox both have an "HTTPS-Only Mode" which blocks all non-HTTPS traffic within the browser. If the user tries to visit an HTTP-only page, the browser will stop them and ask if they really want to go to the insecure website.

This is helpful because it prevents any possibility of malicious tampering or spying on the current WiFi network by blocking non-encrypted traffic.

Sure, there's HSTS, but not every website implements that and it does not help in a situation where a sophisticated or motivated attacker is trying to tamper with or pry on your traffic.

    I have had a lengthy conversation with @Vlad regarding this feature request who asked me to add more information to this post.

    The popup would be an unintrusive question to the user with clear and unbiased wording without any flashy colours or anything that can negatively influence or mislead the user's decision making.

    It would say something along the lines of

    "Traffic is unencrypted"

    "You've enabled HTTPS Only Mode, meaning Orion will warn you when connecting to a website that does not support secure transmission of data to the website.

    • This does not necessarily reflect website credibility or privacy and security practices.
    • Entering sensitive information on this website is not recommended as prying eyes on your network may be able to capture it.
    • If you choose to dismiss this warning, Orion will not ask you again for this website."

    "Continue to HTTP Site" "Go Back"

    Once clicking "Continue to HTTP Site", the user is never asked again for this website.

    The intention of this feature is for transparency and choice. It's a simple choice that can go a long way, especially if the website the user is trying to visit does not follow basic SSL security practices, yet asks for sensitive information that should not be transmitted unencrypted.

      This is a nice option and won't give users a false sense of security.

      a year later

      Sorry for the bump, but I believe the proposed functionality of this feature should be changed from Orion never asking again to Orion only temporarily never asking again. If a website is truly important enough to warrant never being asked again, you probably trust it and should manually make an exception. There is no scenario I can think of where never asking again by default would be a good idea.

      4 months later
      a month later

      Pls add, that’s a must security feature
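
The two exception behaviours debated in this thread (a click-through on the warning versus a manually added exception), sketched as an added example that is not part of any post or of Orion's code. The class and method names and the 24-hour lifetime are assumptions; only the warn/exception decision is modelled.

```javascript
// Added illustration: HttpsOnlyPolicy and its methods are hypothetical names,
// not Orion, Chrome or Firefox APIs.
class HttpsOnlyPolicy {
  constructor({ temporaryTtlMs = 24 * 60 * 60 * 1000 } = {}) {
    this.temporaryTtlMs = temporaryTtlMs; // assumed lifetime of a click-through
    this.temporary = new Map();           // host -> expiry timestamp (ms)
    this.permanent = new Set();           // hosts the user added manually
  }

  // "Continue to HTTP Site": remember the choice only until it expires.
  allowTemporarily(host, now = Date.now()) {
    this.temporary.set(host.toLowerCase(), now + this.temporaryTtlMs);
  }

  // Manual exception for a site the user explicitly trusts.
  allowPermanently(host) {
    this.permanent.add(host.toLowerCase());
  }

  // Returns { action: "allow" | "warn", reason } for a top-level navigation.
  decide(rawUrl, now = Date.now()) {
    const url = new URL(rawUrl);
    if (url.protocol === "https:") return { action: "allow", reason: "encrypted" };
    if (url.protocol !== "http:") return { action: "allow", reason: "not-http" };

    // Exceptions match the exact host only: allowing example.test says
    // nothing about sub.example.test. The URL parser lowercases the host.
    const host = url.hostname;
    if (this.permanent.has(host)) return { action: "allow", reason: "manual-exception" };

    const expiry = this.temporary.get(host);
    if (expiry !== undefined) {
      if (now < expiry) return { action: "allow", reason: "temporary-exception" };
      this.temporary.delete(host); // expired: the user is asked again
    }
    return { action: "warn", reason: "unencrypted" };
  }
}
```

Setting `temporaryTtlMs` to `Infinity` reproduces the original "never asked again" proposal, which makes the difference between the two designs a single parameter.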
