Even more important: Stop using http by default when users enter a hostname into their urlbar. https is a joke at the moment, because when users go to somecoolsite.com they are at first connecting via http. Now a man in the middle could just proxy their connection. No security at all.
We use user agent histogram as a security litmus test on our payment sites. If we see a spike of a smaller set of user agents without increased traffic (or a longer ‘tail’), we can almost be certain that something shady is going on. Not super useful as in, we can’t just block every legit looking user agent, but it notifies the analytics team that can then dig deeper.
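As an added illustration of the heuristic described in that comment (this is not code from the commenter or from any payment site), the following toy detector compares the user-agent distribution of a current traffic window against a baseline window and flags the pattern described: a small set of user agents gaining share while total volume stays flat. The log records, the shortened user-agent strings and the thresholds are all constructed assumptions for the example.

```python
from collections import Counter

# Constructed sample windows: one user-agent string per request. In practice
# these would be parsed out of the web server's access log for two time
# windows of equal length; the strings are shortened for readability.
BASELINE_WINDOW = (
    ["Chrome/120 Windows"] * 6 + ["Chrome/120 Android"] * 5
    + ["Safari/17 iPhone"] * 4 + ["Firefox/121 Linux"] * 2
    + ["Edge/120 Windows"] * 2 + ["Safari/17 Mac"]
)
# Same total volume (20 requests), but one user agent now carries 60% of it
# and the long tail of less common browsers has disappeared.
CURRENT_WINDOW = (
    ["Chrome/120 Windows"] * 12 + ["Chrome/120 Android"] * 4
    + ["Safari/17 iPhone"] * 3 + ["Firefox/121 Linux"]
)


def ua_shares(user_agents):
    """Histogram of user agents as a fraction of the window's requests."""
    counts = Counter(user_agents)
    total = sum(counts.values())
    return {ua: n / total for ua, n in counts.items()}


def assess_window(baseline, current, share_jump=0.2, volume_growth=1.5):
    """Flag user agents whose share of traffic jumped by at least `share_jump`
    while total volume did not grow by `volume_growth`.

    A legitimate campaign or launch usually raises overall volume and keeps the
    mix of browsers roughly the same; a scripted attacker tends to concentrate
    requests on one or two user agents without lifting the total.
    """
    base = ua_shares(baseline)
    cur = ua_shares(current)
    volume_ratio = len(current) / len(baseline)
    # Ratio of distinct user agents: below 1.0 means the tail got shorter.
    distinct_ratio = len(cur) / len(base)
    flagged = sorted(
        (
            (ua, round(share - base.get(ua, 0.0), 2))
            for ua, share in cur.items()
            if share - base.get(ua, 0.0) >= share_jump
        ),
        key=lambda item: -item[1],
    )
    suspicious = bool(flagged) and volume_ratio < volume_growth
    return {
        "flagged": flagged,
        "volume_ratio": volume_ratio,
        "distinct_ratio": distinct_ratio,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    report = assess_window(BASELINE_WINDOW, CURRENT_WINDOW)
    for ua, jump in report["flagged"]:
        print(f"{ua}: share up by {jump:.0%}")
    print("volume ratio", report["volume_ratio"],
          "distinct-UA ratio", round(report["distinct_ratio"], 2),
          "suspicious", report["suspicious"])
```

The output is a signal for the analytics team, not a block list: as the comment says, the same user agents are also what legitimate customers send, so the action is to dig deeper into the flagged window (source addresses, request paths, session behaviour), not to reject requests by user agent.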
Now that we have reduced the doctype to just HTML, almost everybody is using Chrome (and all the alternative browsers are built on the same engine) and the rest use Firefox (which still renders HTML almost exactly the same), standards are pretty well established, and most people are forced to auto-update regularly and have no problems doing so (thanks to the progress in bandwidth availability), it indeed feels reasonable to clean the user-agent up or deprecate it completely.
It's likely that the Chrome team has plans to eventually assume https by default, given that they've outlined their plans to mark http as insecure on connect[0] (rather than on input).
The move would likely have to be coordinated among the browser vendors, but it wouldn't surprise me if Apple decides to lead the charge on this one. All iPhones being https by default would put a massive demand on crappy systems that assume they can mitm users.
I think it's clear that everyone would like HTTPS-by-default, it's just a question of how to do it in a way that doesn't cause a massively degraded user-experience in the short term and still provides security gains (racing the two gets around the UX problem, but provides no security benefit). We might see something whereby we use HTTPS if the hostname has previously been connected to over HTTPS (even without HSTS).
The https issue is already solved by HSTS preload.
As for user agents. Nope. We connect those directly to better user support outcomes, especially for our less technical users. Abandoning that would be a foolish conceit.
One of Mozilla's recommended extensions is Smart HTTPS (which tries connecting to HTTPS, and if it fails reverts to HTTP). But I agree it would be nice for it to be default.
It helps with passive sniffing. But yeah, if the attacker blocks HTTPS, then it's ineffective. I'm not dismissing HSTS, but rather suggesting to use both of these techniques (HSTS as a site admin, Smart HTTPS as a user).
First of all, it's additional complexity that has to be implemented by the website. More work, more things that can go wrong.
Second, it needs to store data on the user's machine. It is basically a cookie. So users would need to kiss goodbye to privacy to "benefit" from it.
Third, it only works if the user has connected to the site on the same browser before. And did not delete the cached HSTS data.
So in sum, it kills privacy, works only sometimes and piles up on the stack. It's a typical bandaid solution. Instead of fixing the root cause, it makes things worse.
HSTS is a server config line; automated vulnerability scanners will pick it up. Sure that's not optimal, but crypto is hard in general, and HSTS is one of the easier to understand concepts. Fix the whole problem, not one minor functional issue.
The user's machine cannot be part of a legitimate threat model. Either it's compromised or it's not. Either it's FDE'd or it's not. I wouldn't even pretend that an HSTS assertion here or there would even make a difference in the shitshow that is browser cache.
I agree it’s a hack, but at this point I pretty much think that about crypto standards, period. Having HSTS is better than not, and we’re a while away from disabling unencrypted comms.
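The HSTS subthread above argues over what the mechanism does and does not cover: the preload list (mentioned as "already solved"), the objection that it only works after a first visit on the same browser and only until the cached data is deleted, and the point that it is a single server header. As an added example, not code from any commenter, here is a small model of a browser's dynamic HSTS store following the RFC 6797 rules (header honoured only over HTTPS, max-age expiry, includeSubDomains, max-age=0 as removal, preload entries that survive a cache clear). The host names, the injectable clock and the class and function names are assumptions made for the example.

```python
import time


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the value has
    no usable max-age, which per RFC 6797 means the header must be ignored.
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
        # "preload" and unknown directives are ignored by the client.
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsCache:
    """Minimal model of a browser's HSTS policy store (RFC 6797 semantics)."""

    def __init__(self, preload=None, now=time.time):
        self.now = now  # injectable clock so expiry can be tested
        # host -> (expires_at, include_subdomains); preload entries never expire
        self.entries = {
            host: (float("inf"), sub) for host, sub in (preload or {}).items()
        }

    def record(self, host, header_value, over_https=True):
        """Process an STS header received from `host`; returns True if stored."""
        if not over_https:
            return False  # an STS header seen over plain http is ignored
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the client to forget
            return True
        self.entries[host] = (self.now() + max_age, include_subdomains)
        return True

    def clear_site_data(self):
        """What 'clear browsing data' does: dynamic entries go, preload stays."""
        self.entries = {
            h: e for h, e in self.entries.items() if e[0] == float("inf")
        }

    def should_upgrade(self, host):
        """True if `host` or a superdomain with includeSubDomains is known."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= self.now():
                del self.entries[candidate]  # expired policy is discarded
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def navigate(self, url):
        """Rewrite an http:// URL to https:// when a policy applies."""
        if url.startswith("http://"):
            rest = url[len("http://"):]
            host = rest.split("/", 1)[0].split(":")[0]
            if self.should_upgrade(host):
                return "https://" + rest
        return url


if __name__ == "__main__":
    cache = HstsCache(preload={"example.net": True})
    print(cache.navigate("http://example.com/login"))  # first visit: plain http
    cache.record("example.com", "max-age=31536000; includeSubDomains")
    print(cache.navigate("http://www.example.com/"))  # now upgraded
    print(cache.navigate("http://example.net/"))  # preloaded: always upgraded
```

Running the model makes the trade-offs in the thread concrete: the very first http request to a non-preloaded host goes out unprotected, a policy lasts only as long as its max-age and survives only until the user clears site data, and the server side really is the one header line (`Strict-Transport-Security: max-age=...; includeSubDomains`) plus, for the preload route, a submission to the browsers' list.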
Even more important is to stop leaking your private IPs: https://browserleaks.com/webrtc