With Chromium-based browsers, how to force-open an HTTP version of the site if HTTPS is also available?
Consider I want to open a website and force HTTP, even if an HTTPS version is available. For example, I want to browse http://deb.devuan.org/merged/dists/ (HTTP), because the HTTPS version
- presents an invalid SSL certificate (either expired or with a wrong server name, resulting in all kinds of `NET::ERR_CERT_*_INVALID` errors), because the server is a part of a CDN, and
- my HTTPS request would lead to HTTP 404 anyway, since the HTTPS version of the site serves different content (there's no `/merged/dists`).
Yes, technically, what has been described above is a site misconfiguration.
And yes, I'm aware that browsing an HTTP site would be equally insecure as browsing an HTTPS site with an invalid certificate.
Yet, I'm in control of my own freedom with Mozilla-based and console browsers (`lynx` & friends), and apparently, Chromium and derivatives just tie my hands. For the greater good, of course.
Here's what happens under the hood.
Whenever a browser sends out an HTTP request, it also adds the `Upgrade-Insecure-Requests: 1` header, resulting in HTTP servers almost always upgrading the connection to HTTPS by responding with HTTP 307. I haven't found any way to disable this but to strip the header on the proxy server side (Squid):

```
request_header_access Upgrade-Insecure-Requests deny all
```

Still, this only helps with Debian-branded Chromium, while Chrome, Opera, and Vivaldi keep misbehaving. Safe browsing and DNS over HTTPS are turned off where possible:
Running Wireshark on the proxy server side reveals that there're multiple TLS requests to `*.1e100.net` (the Google network) and `*.checkdomain.de` domains, and it's not possible to prevent those on the DNS server side: probably, the IP addresses of the `*.1e100.net` network are "baked" in the Chromium codebase.
Further examination of the proxy server traffic shows that no connection is even made to the target site (`deb.devuan.org`), because the browser (or any of the Google services it uses) somehow knows that the website I'm requesting can serve HTTPS, and forces an HTTPS connection regardless of the actual protocol in the URL.
Here's the fragment of the proxy's `access.log` for Chromium (the good):

```
1634306345.046 62 192.168.0.30 TCP_MISS/200 998 GET http://deb.devuan.org/merged/dists/ - HIER_DIRECT/95.216.15.86 text/html
```

And here's what I see for Chrome (the bad) and Opera (the ugly), respectively:

```
1634306270.092 55 192.168.0.30 TCP_TUNNEL/200 4584 CONNECT deb.devuan.org:443 - HIER_DIRECT/95.216.15.86 -
```

```
1634306169.040 51 192.168.0.30 TCP_TUNNEL/200 4584 CONNECT deb.devuan.org:443 - HIER_DIRECT/95.216.15.86 -
1634306169.086 44 192.168.0.30 TCP_TUNNEL/200 4584 CONNECT deb.devuan.org:443 - HIER_DIRECT/95.216.15.86 -
1634306169.100 54 192.168.0.30 TCP_MISS/204 196 GET http://www.gstatic.com/generate_204 - HIER_DIRECT/173.194.222.94 -
1634306169.131 44 192.168.0.30 TCP_TUNNEL/200 4584 CONNECT deb.devuan.org:443 - HIER_DIRECT/95.216.15.86 -
```

Furthermore, if I prohibit HTTPS traffic entirely (on the proxy server), it still wouldn't be possible to open an HTTP version of the site, either. The browser will fail with an `ERR_TUNNEL_CONNECTION_FAILED` error (for plain HTTP) -- and that's not because it failed to connect to `deb.devuan.org:443`. No, it's because it tried to phone back home (to Google) and failed.
Any ideas on how I can re-enable HTTP in my web browsers?
Versions tested:
- Chrome: 93.0.4577.63
- Opera: 78.0.4093.184
- Vivaldi: 4.1.2369.21
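
To repeat the comparison made in the question on a larger log, the check below parses Squid's native `access.log` format and reports whether a host was reached by a cleartext request or only through `CONNECT` tunnels to port 443. It is an added example, not part of the original post; the function names are hypothetical, and the sample lines are the ones quoted in the question.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid native access.log fields:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE = re.compile(
    r"^\d+\.\d+\s+\d+\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)\s"
)

# Log lines quoted in the question, grouped by the browser that produced them.
CHROMIUM = ["1634306345.046 62 192.168.0.30 TCP_MISS/200 998 GET http://deb.devuan.org/merged/dists/ - HIER_DIRECT/95.216.15.86 text/html"]
CHROME = ["1634306270.092 55 192.168.0.30 TCP_TUNNEL/200 4584 CONNECT deb.devuan.org:443 - HIER_DIRECT/95.216.15.86 -"]
OPERA = [
    "1634306169.040 51 192.168.0.30 TCP_TUNNEL/200 4584 CONNECT deb.devuan.org:443 - HIER_DIRECT/95.216.15.86 -",
    "1634306169.086 44 192.168.0.30 TCP_TUNNEL/200 4584 CONNECT deb.devuan.org:443 - HIER_DIRECT/95.216.15.86 -",
    "1634306169.100 54 192.168.0.30 TCP_MISS/204 196 GET http://www.gstatic.com/generate_204 - HIER_DIRECT/173.194.222.94 -",
    "1634306169.131 44 192.168.0.30 TCP_TUNNEL/200 4584 CONNECT deb.devuan.org:443 - HIER_DIRECT/95.216.15.86 -",
]

def parse(line):
    """Return (host, transport) for one access.log line, or None if unparseable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    if m["method"] == "CONNECT":
        # CONNECT targets are logged as host:port, with no scheme.
        host, _, port = m["url"].rpartition(":")
        return host, "tunnel:" + port
    parts = urlsplit(m["url"])
    return parts.hostname, parts.scheme

def transports_for(lines, host):
    """Count how `host` was reached: cleartext 'http' requests vs CONNECT tunnels."""
    seen = Counter()
    for rec in filter(None, map(parse, lines)):
        if rec[0] == host:
            seen[rec[1]] += 1
    return dict(seen)

def verdict(lines, host):
    """'plain-http' if any cleartext request reached the proxy, else 'https-only'."""
    seen = transports_for(lines, host)
    if seen.get("http"):
        return "plain-http"
    return "https-only" if seen.get("tunnel:443") else "no-traffic"

if __name__ == "__main__":
    for name, log in (("Chromium", CHROMIUM), ("Chrome", CHROME), ("Opera", OPERA)):
        print(name, verdict(log, "deb.devuan.org"), transports_for(log, "deb.devuan.org"))
```
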
> I want to open a website and force HTTP, even if an HTTPS version is available.

The simplest solution is probably to use a browser that doesn't enforce HTTPS (e.g. "lynx & friends"). If you want something Chromium-based and available for Windows and Linux, I might suggest considering Ungoogled Chromium (version 92 or earlier). Build files for Debian are currently available here.
> I want to browse e.g. http://deb.devuan.org/merged/dists/

Ungoogled Chromium 92 or earlier will not force HTTPS on this site. Note, however, if you have visited the HTTPS version in the past, caching can still come into play (so in some cases, you may need to explicitly use `http://` or clear your cache).
Of course, be aware that an HTTP version of a site may not exist, and/or the web server may still try to redirect you to HTTPS (not the browser itself initially).
> Any ideas on how I can re-enable HTTP in my web browsers?

As already indicated, use a browser that doesn't have these requirements.