Are HTTP-only entries intended to also cover HTTPS variants? #1979

@AlexRubik

What is the problem you are experiencing?

Hi there! We're consumers of the phishing-links-ACTIVE.txt feed and had a question about protocol handling in the URL list.

What we're seeing:

Many entries in the list use http:// only — for example:

http://028426.com/s/63BZGFSVBWSFCDX7Y9/584dd8/90eab167-7429-489f-99f6-ce86e8d0d81a

However, modern browsers increasingly auto-upgrade to https:// via HSTS, server redirects, or browser HTTPS-first policies. When our blocker does an exact-match lookup against the list, https://028426.com/s/... doesn't match the http:// entry, so the phishing page loads without a warning.

Our questions:

1. Is the single-protocol listing intentional? When an entry is listed as http://, is the intent that consumers should treat it as covering both http:// and https://?

2. Would it make sense to list both variants explicitly? For example:

   http://028426.com/s/63BZGFSVBWSFCDX7Y9/584dd8/...
   https://028426.com/s/63BZGFSVBWSFCDX7Y9/584dd8/...

3. Alternatively, would a protocol-stripped list be useful? A separate file (e.g., phishing-links-ACTIVE-no-protocol.txt) with entries like 028426.com/s/... would let consumers match regardless of protocol without doubling the file size.

We've noticed that some newer entries do include both http:// and https:// variants, while many older entries only have http://. Not sure if that's an evolution in how entries are added or if it depends on how the phishing URL was originally reported.

For now, we've implemented protocol-swapping on our end (checking both variants on lookup), but wanted to understand the intended behavior so we can align with the project's expectations.

Thanks for maintaining this resource!

How can we reproduce the problem?

No response

What did you expect to happen?

We expected entries listed as http:// to implicitly cover https:// as well, or for both variants to be listed explicitly, since browsers routinely upgrade HTTP to HTTPS.

Is there a workaround?

No response

Additional context

No response
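
The protocol-independent lookup described in this issue can be done by keying both the feed entries and the visited URL on a scheme-less form, so the feed does not need to double in size. This is an added example, not code from the issue author or the project; the function names and the `example.test` entries are constructed, and it assumes an http:// entry should also cover https://.

```javascript
// Constructed sample entries, not real feed data.
const SAMPLE_FEED = [
  "# comment line",
  "http://phish.example.test/s/ABC123/login",
  "https://login.example.test:8443/verify?id=7",
  "not a url",
].join("\n");

// Reduce a URL to "host[:port]/path?query"; null if it is not http(s).
function schemelessKey(raw) {
  let u;
  try {
    u = new URL(raw.trim());
  } catch {
    return null; // not a parseable absolute URL
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  // URL() lowercases the host and drops the scheme's default port
  // (80 for http, 443 for https), so both variants yield the same host part.
  // A trailing root dot ("example.test.") is stripped so it matches too.
  const host = u.hostname.replace(/\.$/, "");
  const port = u.port ? ":" + u.port : "";
  // Fragments are never sent to the server, so they are left out of the key.
  // Path and query stay case-sensitive, as they are on most servers.
  return host + port + u.pathname + u.search;
}

// Build a Set of scheme-less keys; count lines that could not be used.
function buildIndex(feedText) {
  const keys = new Set();
  let skipped = 0;
  for (const line of feedText.split(/\r?\n/)) {
    if (line.trim() === "" || line.startsWith("#")) continue;
    const key = schemelessKey(line);
    if (key === null) skipped++;
    else keys.add(key);
  }
  return { keys, skipped };
}

// True if the visited URL matches a feed entry under either scheme.
function isListed(keys, visitedUrl) {
  const key = schemelessKey(visitedUrl);
  return key !== null && keys.has(key);
}
```

A non-default port stays part of the key, so an entry on `:8443` does not match the same host and path on the default port.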
