Proposal: Default scheme-less URLs to HTTPS

It's 2017. Most sites that I visit now support HTTPS, and even redirect to it from insecure HTTP. What does this change? I have one suggestion: Software that autolinks bare domain names as URLs should default to https:// instead of http://.

<rant>

It's time to re-evaluate how "example.com" is turned into a URL. Traditionally you'd slap an http:// onto the front, because there was a good chance that would work. The tradeoffs are different now, though. Thanks to Let's Encrypt (https://letsencrypt.org/), vast swaths of the web now support HTTPS.

When I click an http link, maybe I go to a site where my HTTPS Everywhere browser extension automatically redirects me to https. Maybe the site has HSTS to force client-side redirects to HTTPS, but that only works after the first time.

Either way, there's a window of time where a malicious ISP such as Verizon can attach tracking cookies, or a compromised café router can inject malware or redirect to a phishing site, or my existing cookies on the site can be snooped. That all happens before the redirect.

The software has to guess. Is it better to have a chance of silently insecure communication, or a much smaller chance of bad things happening?

I think it's pretty clear: most of the autolinked http links I click now redirect to https. It often doesn't save me much convenience (maybe your experience is different) and I edit the "s" out. Maybe I do a web search. But these sites are getting kinda rare now!

</rant>

We should be looking to the root of a site, so this doesn't match user intent. The "persistent sharing dickbars" (https://daringfireball.net/2017/06/medium_dickbars) and turning "medium.com" into a URL. Often saying "oh hey thanks for the nudge, I'd been meaning to".
