Why do browsers default to http: and not https: for typed in URLs?

Browsers are applications for end-users. While the majority of sites are available by http (even if they just redirect to https), a significant part is not available by https. Thus your proposal would break web surfing for a very large part of the users. It would break in a way they don't understand. Automatically downgrading to http if https fails would not make sense, because an attacker could then simply cause havoc with connections to port 443 to enforce downgrades.

Once all but a few insignificant sites have switched to https, one could make the switch to a more secure default, but not yet. End-users would not understand what happened and would probably just switch to an alternate browser or get some tips from somewhere on the internet to get back the old behavior.

Security decisions have to be done with and not against the users.


Well, I can presume that a few reasons exist:

  1. HTTPS support is not automatically configured on websites. Therefore, why should browsers assume it is?
  2. Saying that a website is not accessible unless using a specific scheme would be over the heads of a significant number of users.
  3. Switching to HTTPS is not as simple as it seems in some cases. Take Stack Exchange for example.

These are timelines for some popular browsers to fix this:


Google Chrome

  1. Chrome 46

    Chrome will mark the “HTTPS with Minor Errors” state using the same neutral page icon as HTTP pages.

  2. Chrome 56

    mark HTTP pages that collect passwords or credit cards as non-secure

  3. Chrome 62

    Chrome will show the “Not secure” warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.

  4. Chrome 68

    the omnibox will display “Not secure” for all HTTP pages.

  5. Chrome 79

    Chrome will gradually move to blocking all mixed content by default. To minimize breakage, we will autoupgrade mixed resources to https://, so sites will continue to work if their subresources are already available over https://.

  6. Chrome 81

    Chrome will print a console message warning about all mixed content downloads.

  7. Chrome 84

    Chrome will warn on mixed content downloads of executables (e.g. .exe).

  8. Chrome 85

    Chrome will block mixed content executables

    Chrome will warn on mixed content archives (.zip) and disk images (.iso).

  9. Chrome 86

    Chrome will block mixed content executables, archives and disk images

    Chrome will warn on all other mixed content downloads except image, audio, video and text formats.

  10. Chrome 87

    Chrome will warn on mixed content downloads of images, audio, video, and text

    Chrome will block all other mixed content downloads

  11. Chrome 88

    Chrome will block all mixed content downloads.


Firefox

  1. Firefox 51

    web pages which collect passwords but don’t use HTTPS will display a grey lock icon with a red strike-through in the address bar.

  2. Firefox 70

    we will start showing a crossed-out lock icon as permanent indicator for sites delivered via the insecure protocols HTTP and FTP.


There's a bigger issue at play here that would prevent your suggestion. The way many web servers are currently configured, you could actually end up on the wrong website if you defaulted to https. This is not true if you default to http.

For example, suppose you have 3 sites all on the same IP address:

http://site.a.com
http://site.b.com
https://site.c.com

On many servers, if you were to attempt to go to https://site.a.com (instead of http), you will actually be looking at site C, but with a certificate error.
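The fall-through described in this answer can be modelled in a few lines. The following is an added example, not code from the answer or from any web server; it assumes the default rule that both Apache and nginx apply when no server block is marked as the default for a port: an exact server_name match wins, otherwise the first virtual host defined on that port answers. The vhost layout uses the three site names from the answer, and the hardened layout adds a hypothetical catch-all on port 443 that refuses unknown names instead of serving site C.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VHost:
    """One virtual host, as a server would define it for a given port."""
    port: int
    server_name: str                 # "*" marks a catch-all block
    cert_names: tuple = ()           # names on the certificate; empty for plain http
    is_default: bool = False         # explicit default for the port (nginx: default_server)
    refuse: bool = False             # drop the connection instead of serving anything


def select_vhost(vhosts: List[VHost], port: int, requested_name: str) -> Optional[VHost]:
    """Pick the vhost that answers a request for requested_name on port.

    Exact server_name match wins; otherwise the explicit default for the port;
    otherwise the first vhost defined on that port (assumed here to be the
    implicit default, as in Apache and nginx when none is marked).
    """
    same_port = [v for v in vhosts if v.port == port]
    if not same_port:
        return None                  # nothing listens on that port
    for v in same_port:
        if v.server_name == requested_name:
            return v
    for v in same_port:
        if v.is_default:
            return v
    return same_port[0]


def resolve(vhosts: List[VHost], url: str) -> dict:
    """Simulate what a browser ends up looking at after a URL is typed in."""
    scheme, sep, rest = url.partition("://")
    if not sep:                      # bare hostname typed in: browsers assume http
        scheme, rest = "http", url
    host = rest.split("/", 1)[0]
    port = 443 if scheme == "https" else 80
    v = select_vhost(vhosts, port, host)
    if v is None or v.refuse:
        return {"host": host, "served_by": None, "status": "connection refused"}
    if scheme == "https" and host not in v.cert_names:
        # The browser receives v's content behind a certificate that does not name host
        status = "certificate error"
    else:
        status = "ok"
    return {"host": host, "served_by": v.server_name, "status": status}


def https_mismatches(vhosts: List[VHost]) -> List[tuple]:
    """Audit: every http-only name whose https:// request lands on another site."""
    found = []
    for v in vhosts:
        if v.port != 80 or v.server_name == "*":
            continue
        r = resolve(vhosts, "https://" + v.server_name)
        if r["served_by"] not in (None, v.server_name):
            found.append((v.server_name, r["served_by"]))
    return found


# Constructed layout matching the answer: three sites on one IP, only C has TLS.
MISCONFIGURED = [
    VHost(80, "site.a.com"),
    VHost(80, "site.b.com"),
    VHost(443, "site.c.com", cert_names=("site.c.com",)),
]

# Same sites plus a hypothetical explicit catch-all on 443 that refuses unknown
# names, so a request for https://site.a.com no longer falls through to site C.
HARDENED = MISCONFIGURED + [VHost(443, "*", is_default=True, refuse=True)]

if __name__ == "__main__":
    for layout, name in ((MISCONFIGURED, "misconfigured"), (HARDENED, "hardened")):
        print(name, resolve(layout, "https://site.a.com"), https_mismatches(layout))
```

Against the misconfigured layout, https_mismatches reports both site.a.com and site.b.com landing on site.c.com, which is the certificate-error case the answer describes; against the hardened layout it reports nothing, because the catch-all answers first for any name the server does not know. On a real server the same check is a TLS handshake with the name in SNI (for example openssl s_client with -servername) and a look at which certificate comes back; nginx's default_server with return 444, or a first <VirtualHost *:443> that serves nothing, is the usual way to make that fall-through refuse rather than serve the wrong site.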