Way back in 2013, post-Snowden, moving general web traffic to TLS became an increasingly good idea, then a norm.
A common practice (but not a requirement) is to give insecure requests a 301 Moved Permanently from http over to https. This let user agents update their stored URL and make subsequent requests over a secure channel. If that initial request is compromised then all bets are still off, but TOFU is often a good trade-off.
The simple polling script I use for subscribed feeds uses exactly that logic: any chain of permanent redirections is persisted. Looking back, across all feeds, what did that migration from http to https look like?
Initial adoption was slow. It was 2009 before I had an https subscription, when http://labs.mozilla.com/feed/ (now a 404) redirected to https://mozillalabs.com/feed/ (now an SSL_ERROR_BAD_CERT_DOMAIN). Mid-2016, https reached 5% of my subscriptions. That's right after Let's Encrypt officially launched.
In 2019 the ratio was 50-50, and it continued to increase to around 80% currently. Ironically, older feeds dropping off the web completely rather than switching still helped that ratio. Still, 20% plaintext is not great, so I took a look at the remaining holdouts.
A few were using a temporary redirection, with 302 Found. Note that in the spec's wording (RFC 9110) the "target URI" is the URI the client originally requested, not the one in Location:
    the client ought to continue to use the target URI for future requests.
and indeed I did, fetching the original insecure resource each time.
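The two behaviours above, persisting a chain of permanent redirects but only following temporary ones, are what a feed poller needs to get right. The following is an added example, not the author's polling script: it follows 301/308 and updates the stored URL, follows 302/303/307 without updating it, caps the chain length, and refuses to follow any redirect from https back to http, so a tampered response cannot quietly strip TLS from a subscription that already has it (nothing protects the first plaintext hop; that is the TOFU trade-off). The `fetch` callable, its `url -> (status, headers, body)` shape, and the example.org/.net/.com responses are all constructed for the example.

```python
"""Redirect handling for a feed poller: persist only permanent moves.

Added example, not the author's script. `fetch` is an injected callable
with the assumed signature url -> (status, headers, body), so the logic
runs offline against the constructed responses at the bottom.
"""
from urllib.parse import urljoin, urlsplit

PERMANENT = {301, 308}
TEMPORARY = {302, 303, 307}
MAX_HOPS = 10


def is_downgrade(src, dst):
    """True when a redirect would move from https back to plain http."""
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"


def poll(stored_url, fetch):
    """Fetch a feed, following redirects.

    Returns (new_stored_url, final_url, status, body).

    Only an unbroken chain of permanent redirects (301/308) starting at
    the stored URL updates new_stored_url.  A temporary redirect is
    followed for this request, but the stored URL is kept, matching the
    spec: keep using the originally requested URI next time.  Any
    permanent hop that comes *after* a temporary one is not persisted
    either, because we only reached it via a temporary detour.

    A redirect from https to http is refused rather than followed, so a
    compromised response cannot downgrade an already-secure subscription.
    """
    url = stored_url
    persisted = stored_url
    chain_permanent = True  # flips to False at the first temporary hop
    for _ in range(MAX_HOPS):
        status, headers, body = fetch(url)
        if status not in PERMANENT | TEMPORARY:
            return persisted, url, status, body
        location = headers.get("Location")
        if location is None:
            raise ValueError(f"{status} without Location from {url}")
        target = urljoin(url, location)  # Location may be relative
        if is_downgrade(url, target):
            raise ValueError(f"refusing https->http downgrade: {url} -> {target}")
        if status in TEMPORARY:
            chain_permanent = False
        url = target
        if chain_permanent:
            persisted = url
    raise ValueError(f"more than {MAX_HOPS} redirects from {stored_url}")


# Constructed responses standing in for real servers (not real feeds).
RESPONSES = {
    # clean http -> https permanent move: persist the new URL
    "http://example.org/feed": (301, {"Location": "https://example.org/feed"}, b"<feed/>"),
    "https://example.org/feed": (200, {}, b"<feed/>"),
    # permanent move to an http URL that then only *temporarily* bounces to https
    "http://example.net/old": (301, {"Location": "/feed"}, b""),
    "http://example.net/feed": (302, {"Location": "https://example.net/feed"}, b""),
    "https://example.net/feed": (200, {}, b"<rss/>"),
    # an https subscription being pushed back to plaintext: refused
    "https://example.com/feed": (301, {"Location": "http://example.com/feed"}, b""),
    "http://example.com/feed": (200, {}, b"<rss/>"),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP client."""
    return RESPONSES[url]


if __name__ == "__main__":
    for start in ("http://example.org/feed", "http://example.net/old"):
        new_stored, final, status, _ = poll(start, fake_fetch)
        print(f"{start}: store {new_stored}, fetched {final} ({status})")
    try:
        poll("https://example.com/feed", fake_fetch)
    except ValueError as e:
        print(e)
```

Running it shows example.org's stored URL becoming https, example.net's stored URL stopping at the http URL that only 302s onward (so it will be fetched over plaintext every time, exactly the holdout case above), and the example.com downgrade being refused.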
Others were sending an Upgrade header:
    Upgrade: h2
    Connection: Upgrade
I could make a secure h2 connection, but the library I'm using needs changes for that.
Some other feeds were dead enough that it was time to unsubscribe.
With those migrated across manually, I’m at 96% https. Holdouts? Almost exclusively sites that aren’t actively being maintained. It’s always fun to see a feed spring back to life, even if it’s currently:
<updated>2022-03-17T05:00:46Z</updated>
or even:
<pubDate>Sun, 09 Mar 2014 00:00:00 PST</pubDate>
so I’ll poll until they 410.