curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: Feature request: HTTPS first

From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 6 Nov 2020 23:41:35 +0100 (CET)

On Fri, 6 Nov 2020, Emil Engler via curl-library wrote:

> Hello, as most websites use HTTPS nowadays I would suggest to let curl use
> HTTPS if no protocol was specified rather than HTTP and use HTTP as a
> fallback if HTTPS is not available. However, I am not certainly sure if that
> can be done easily (as I am not into the TLS protocol).

I think it's a fair suggestion to bring up and discuss, but I personally don't
think we should do it.

Why do we have a default scheme to begin with? Because that's how the browsers
operatate. You've always been able to enter a host name and the browser then
tries HTTP against it. We basically mimiced that. Even today, browsers don't
automatically switch to HTTPS:// when given such a host name - because they're
not the same and presumably it causes too many problems for users. Do we think
curl users are less likely to have a problem with this? I doubt that.

I'm positive that there are *many* users out there who are using curl in
scripts and command lines without a scheme, and if we ship a curl version that
suddenly changes that behavior we break behavior and cause sadness and upset
emotions for a large amount of users. I think we can safely assume that a
large portion of these users actually *intend* for those transfes to be HTTP
so just switching to HTTPS is not going to work.

One of the strongest selling points and reasons for existance for curl is our
conservatism and keeping existing behaviors. Users rely on curl to work the
same over time.

As Ray already pointed out: users who really want to change the default for
command lines and scripts already have --proto-default at their disposal.

I think what's happening is rather that the world is quickly moving towards
HTTPS:// for everything web on the Internet so users are going to have to
prepend the proper scheme anyway going forward. I think using full and proper
URLs is a better way going forward.

-- 
  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://www.wolfssl.com/contact/
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2020-11-06