As web users, what we say and do online is subject to pervasive surveillance. Although we typically associate online tracking with ad networks and other th
This is not true. Browsers will happily use http even if https is available, and without other mitigations like HSTS or DANE there is no way for your browser to even know that a site supports https. Many websites will forcibly redirect you to https, but this is the server telling you “hey connect with https instead”. A man-in-the-middle can simply not tell you to use https. Browsers have started marking http sites as insecure and will warn you about sending passwords, however.
I think I phrased it wrong, or there is a confusion with terms.
If a page is loaded with HTTPS, then images/CSS/JS/iFrames (resources) will not load over HTTP. The resources also have to be served via HTTPS.
If a page is loaded over HTTP, then resources (images/CSS/JS/iFrames) can be loaded over HTTPS.
My objection was to the “even if a server has HTTPS, some resources will still load over HTTP”
As far as I know, this is not strictly true either. I believe most browsers currently block mixed active content like JavaScript or iframes, but will happily load images and such over HTTP (although I would not be surprised if this is changing).
I think all browsers will refuse to load a resource over HTTP if the website is served over HTTPS.
This is not true. Browsers will happily use http even if https is available, and without other mitigations like HSTS or DANE there is no way for your browser to even know that a site supports https. Many websites will forcibly redirect you to https, but this is the server telling you “hey connect with https instead”. A man-in-the-middle can simply not tell you to use https. Browsers have started marking http sites as insecure and will warn you about sending passwords, however.
I think I phrased it wrong, or there is a confusion with terms.
If a page is loaded with HTTPS, then images/CSS/JS/iFrames (resources) will not load over HTTP. The resources also have to be served via HTTPS.
If a page is loaded over HTTP, then resources (images/CSS/JS/iFrames) can be loaded over HTTPS.
My objection was to the “even if a server has HTTPS, some resources will still load over HTTP”
As far as I know, this is not strictly true either. I believe most browsers currently block mixed active content like JavaScript or iframes, but will happily load images and such over HTTP (although I would not be surprised if this is changing).