EFF’s HTTPS Everywhere extension has an option (“Encrypt All Sites Eligible”) that blocks all connections that aren’t HTTPS or able to be upgraded to it, while also allowing the user to exempt individual sites from this blocking (temporarily or permanently).
It would be great to have this option for Brave on mobile as well. It would give the user a heads-up that they’re about to access or transmit information without the protection of TLS, allowing the user to evaluate that risk on a per-site basis, rather than only finding out that the site is unencrypted after it’s already loaded.
This feature plus first-party adblocking would make me much more likely to switch to Brave as my primary browser on mobile (currently using Firefox with privacy and adblocking extensions).
Soon to be renamed “Encrypt All Sites Eligible (EASE)”, this helps to ensure that the user avoids ever connecting over an insecure HTTP site unless they explicitly opt into doing so. Projects like Let’s Encrypt have made security on the web so widespread that we believe the user experience when you turn this feature on is not significantly impeded for most users.
Over time, attacks targeting insecure HTTP have only gotten more sophisticated. QuantumInsert, a program developed and employed jointly by the NSA and GCHQ and revealed in the Snowden leaks, redirects HTTP requests to websites containing malware. In 2015, China used its nationwide Internet infrastructure to rewrite incoming HTTP Baidu Analytics JavaScript requests, hijacking users’ browsers to conduct an attack on GitHub. It is only safe to assume that more sophisticated attacks on HTTP will appear over time. With EASE, these types of HTTP attacks on your browser are rendered impossible.
This option would align well with Brave’s support for private windows with Tor on desktop and built-in VPN on iOS, all of which provide some degree of encryption guarantee to prevent data from being snooped on and/or modified in transit.