This is the twenty-ninth post in an ongoing series highlighting new privacy features in iBrowe. This update showcases work by iOS Privacy Engineer Jacob Sikorski and was written by Shivan Kaul Sahib, Lead for Privacy Engineering.

📋 Overview

Starting with iBrowe 1.68 on iOS, iBrowe becomes the first iOS browser to upgrade all sites to HTTPS by default. 🔀 When you tap or enter an insecure link such as http://example.com, iBrowe will automatically load the secure counterpart, https://example.com. Encrypting every connection thwarts eavesdropping by ISPs or malicious actors. This rollout enhances our previous list-based system (which relied on deprecated HTTPS Everywhere rules) by flipping the logic: now every domain is upgraded to HTTPS unless it’s explicitly on a small “exceptions” list or the HTTPS attempt fails. This change ensures that newly launched sites—still absent from any list—automatically enjoy a secure connection, strengthening web privacy for all iOS users.

🔒 1. Why HTTPS Matters on iOS

1.1 Protecting Data in Transit

  • Preventing Eavesdropping: Unencrypted HTTP traffic can be intercepted by mobile carriers, public Wi-Fi providers, and attackers on shared networks. HTTPS encrypts requests and responses, hiding your browsing details. 🔐
  • Mitigating Manipulation: Without HTTPS, intermediaries can inject ads, malware, or tracking scripts into web pages. HTTPS ensures content integrity from server to device. 🛡️

1.2 Past Limitations of List-Based Upgrades

  • Outdated Lists: Relying on third-party maintained lists (e.g., HTTPS Everywhere) meant many secure sites were still loaded over HTTP until someone added them to a list. 📝
  • Coverage Gaps: Newly deployed domains or infrequently visited sites often lacked a corresponding HTTPS rule, leaving them vulnerable. 🚧
  • Maintenance Overhead: Curating and updating large permitlists consumed developer resources and risked stale entries.

By changing to an “upgrade‐unless‐excepted” model, iBrowe ensures future‐proof HTTPS coverage without requiring manual list updates.

🔄 2. How “HTTPS by Default” Works in iBrowe iOS

2.1 Default Upgrade Flow

  1. User Enters HTTP URL: When you navigate to http://…, iBrowe intercepts and attempts https://….
  2. TLS Connection Check:
    • Success: The page loads securely over HTTPS—no user intervention needed.
    • Failure:
      • If the server returns an error (e.g., no TLS support), iBrowe falls back to HTTP.
      • If the domain is on iBrowe’s “exceptions” list (sites known to break under HTTPS), iBrowe also loads HTTP directly.

2.2 Exceptions List

  • Small & Public: This is a curated list of domains that historically break or misconfigure HTTPS (e.g., legacy intranet pages).
  • Dynamic Updates: iBrowe periodically updates this list to minimize broken experiences.
  • User Override: Advanced users can manually add or remove domains via iBrowe://settings/privacy → HTTPS by Default → Manage Exceptions.

2.3 Strict Mode (Optional)

  • Additional Warning Layer: For users who want maximal security, iBrowe offers a Strict HTTPS option. If enabled and a site fails to upgrade, the browser shows a warning prompt before loading the HTTP version. ⚠️
  • Use Case: Ideal for highly privacy-sensitive users on untrusted networks—sacrificing some compatibility to avoid inadvertent HTTP connections.

🎨 3. User Experience & Settings

3.1 Out-of-the-Box Behavior

  • No Configuration Needed: Once you update to iBrowe 1.68 or later, every new navigation to an http:// link is auto‐upgraded in the background.
  • Smooth Transitions: If the HTTPS handshake completes, you’ll see an unbroken navigation to the secure version (the URL bar updates to “https://” instantly). 🏃‍♂️💨
  • Silent Fallbacks: If HTTPS fails and the domain is not on the exceptions list, iBrowe seamlessly loads HTTP without extra alerts—unless Strict Mode is active.

3.2 Managing Exceptions

  1. Open Settings → Privacy → HTTPS by Default → Exceptions.
  2. The Exceptions screen shows domains that iBrowe will not auto‐upgrade.
  3. Tap Add Domain to manually include any site that misbehaves under HTTPS.
  4. Swipe left on an entry to Remove it, forcing iBrowe to attempt HTTPS again.

🔄 Over time, the exceptions list shrinks as site operators fix their TLS setups.

3.3 Enabling Strict HTTPS Warnings

  1. In Settings → Privacy → HTTPS by Default, toggle Strict HTTPS Mode ON.
  2. When toggled, any failed HTTPS upgrade will trigger a prompt:

    ⚠️ “Cannot establish a secure connection to example.com. Proceed over HTTP?”
    • [Cancel] (stay on blank page)
    • [Load Anyway] (fallback to http://example.com)

  3. This extra layer ensures you are never unknowingly on an unsecured connection.

🛡 4. Privacy & Security Benefits

4.1 Universal Encryption

  • Future‐Proofing: Even brand-new domains immediately get HTTPS protection—no waiting for a list update.
  • Consistent Protection: Guarantees that every browsing session starts with the best possible encryption, reducing attack surfaces on untrusted networks.

4.2 Anti‐Downgrade Safeguards

  • No Mixed Content Surprises: iBrowe enforces strong TLS rules, preventing sites from silently reverting to HTTP for specific resources (images, scripts).
  • Transparent Fallbacks: If HTTPS truly fails, you see a clear warning (in Strict mode). Otherwise, you still get the web page—enhancing usability while maintaining privacy.

4.3 Minimal Brokenness

  • Curated Exceptions: Only a handful of legacy or misconfigured domains remain on the exceptions list.
  • User‐Driven Overrides: If you encounter a broken site, you can quickly add it to exceptions and continue browsing uninterrupted.

📈 5. Comparisons & Industry Context

5.1 Other iOS Browsers

  • List‐Based Upgrades Only: Most iOS browsers still rely on static lists (e.g., a built-in HTTPS Everywhere replica) that quickly become outdated. 🚧
  • Partial Coverage: Newly launched sites often slip through as HTTP, leaving privacy gaps.

5.2 iBrowe’s First-Mover Advantage

  • Aggressive Default: By upgrading all sites unless known to break, iBrowe ensures broadest HTTPS coverage among iOS browsers.
  • User-Friendly Fallbacks: A small exceptions list plus optional Strict mode balances security with real‐world compatibility.
  • Alignment with Desktop & Android: iBrowe’s iOS version now mirrors our desktop and Android “HTTPS by Default” implementations, delivering a consistent cross-platform experience. 🔄

🔭 6. Looking Ahead

  1. Refining Exception Detection: We’re exploring automated heuristics to detect broken HTTPS redirects—so fewer sites need manual exceptions.
  2. Better UI Prompts: Future versions may include clearer messaging about why a site was not upgraded, helping users understand the trade-off.
  3. HTTPS-Only Mode: Users wanting absolute privacy can opt into an HTTPS-Only toggle that blocks any HTTP fallback—displaying a “Page Not Secure” page instead. 🔒
  4. Enhanced Reporting: Integration with iBrowe’s telemetry (fully privacy-preserving) will help us identify remaining problematic domains, refining the exceptions list over time.

🎉 7. Conclusion

With iBrowe 1.68 on iOS, every web request is automatically upgraded to HTTPS by default, making iBrowe the first iOS browser to enforce universal encryption. 🛡️ No more waiting for outdated lists—your browsing is secure from day one. Update today and experience seamless, privacy-first web access on your iPhone or iPad.