Pro Feature

HTTPS Downgrade Detection

HSTS was supposed to solve this. And it mostly does — for the 20% of the web that actually uses it properly. For everything else, there's a gap between "should be HTTPS" and "actually is HTTPS." That's the gap PhishClean fills.

What HTTPS Downgrades Does PhishClean Detect?


Protocol Downgrades

Navigation from HTTPS to HTTP — the classic SSL stripping pattern. PhishClean tracks your session and alerts when you're redirected from a secure page to an insecure one.


HTTPS to HTTP Referrer Transitions

When you follow a link from an HTTPS site to an HTTP page. Not always malicious, but often a sign of a misconfigured or compromised site. PhishClean notes it as a risk signal.


HTTP Pages with Login Forms

A password field on an unencrypted page means your credentials will be sent in plain text. PhishClean flags this immediately — no matter how legitimate the site looks.

How Does HTTPS Downgrade Detection Work?

1. Protocol tracking starts automatically. PhishClean's background service monitors the protocol — HTTP vs HTTPS — of every page you navigate to. No setup, no config files. It just runs.
2. Referrer comparison on every load. The content script checks the current page's protocol and compares it to the referrer. If you came from HTTPS and landed on HTTP, that transition gets flagged.
3. Signal feeds into the risk score. A downgrade on its own doesn't trigger a warning. It's added to the risk score along with other signals — suspicious domains, hidden iframes, exposed secrets, and more.
4. Combined risk triggers the alert. If the combined risk score exceeds the threshold, you see a warning. One signal alone usually isn't enough — it's the combination that matters. A downgrade on a known bank domain is very different from a downgrade on a hobbyist blog.

Why HSTS Isn't Enough

HSTS (HTTP Strict Transport Security) is a good idea with real-world gaps. Here's where it falls short:

For the full technical breakdown of how attackers exploit these gaps, read our deep dive on SSL stripping attacks.

What PhishClean Adds That HSTS Can't

HSTS is a server-side declaration. It depends on the server doing the right thing, and on your browser having seen that declaration before. PhishClean doesn't depend on either.

PhishClean monitors your session in real time, at the browser level. It works on the first visit. It works on sites that don't send HSTS headers. It works after you've cleared your browsing data. It doesn't care whether the server is configured correctly — it watches what actually happens to your connection and reacts to it.

Think of it this way: HSTS is a lock the website puts on its own door. PhishClean is you checking whether the door is actually locked before you walk through it. Both are useful. But only one works when the site owner forgot to install the lock.


Frequently Asked Questions

Does PhishClean block HTTP pages entirely?

No. PhishClean doesn't block anything by default — it warns you. Plenty of legitimate sites still serve content over HTTP, especially older documentation pages, local network tools, and IoT device dashboards. Blocking HTTP entirely would break too many things. Instead, PhishClean flags the downgrade as one risk signal among many. If an HTTP page also has a suspicious domain, a login form, or other red flags, the combined score triggers an alert. A plain HTTP page on its own usually won't.

Will I get alerts on localhost development servers?

No. PhishClean excludes localhost and local network addresses from downgrade detection. Your development workflow won't be interrupted by warnings about http://localhost:3000 or http://127.0.0.1. This exemption applies to all RFC 1918 private addresses as well, so internal network tools and admin panels won't trigger false positives.

Don't Trust the Protocol — Verify It

PhishClean detects HTTPS downgrades and SSL stripping in real time — locally, in your browser. 3-day free trial, no credit card required.
