Brave brings HTTPS by Default to iOS

This is the twenty-ninth post in an ongoing series describing new privacy features in Brave. This post describes work done by iOS Privacy Engineer Jacob Sikorski and was written by Shivan Kaul Sahib, Lead for Privacy Engineering.

Starting with version 1.68, Brave will become the first iOS Web browser to try to upgrade all sites to HTTPS by default. When you click or enter an insecure link like http://example.com, Brave will automatically redirect to its secure version, https://example.com. Using HTTPS is crucial to prevent Internet service providers (ISPs) and attackers from snooping on your browsing activity.

This update brings our existing “HTTPS by Default” feature to iOS, and represents a significant advancement beyond the earlier list-based approach that Brave used (and other iOS browsers still use). Previously, a site was only upgraded to HTTPS if its URL was included on specific lists, such as the once-useful but now-deprecated HTTPS Everywhere list. With this change, Brave will now do the opposite: all sites will be upgraded to be secure by default, and the only scenarios in which a site would not be upgraded are if the site appears on a much smaller exception list, or if the upgrade fails. This change guarantees that even new websites not yet on upgrade lists will receive a secure connection by default, a significant win for Web privacy.

As always, Brave prioritizes privacy-first defaults, advocating for a secure Web for all users. Just like on desktop and Android, users will also be able to select an optional Strict mode for an additional warning before the connection falls back to HTTP. You can read more about how “HTTPS by Default” works and why it’s important for your privacy in our previous blog post.

The “HTTPS by Default” feature will soon roll out to iOS users through the App Store. Once you have the latest version, you can try out “HTTPS by Default” by visiting a site (such as http://example.com) on your iOS device and watching it be auto-upgraded to HTTPS.