I think it's OK to change over any engine where navigating to the homepage (and using its search box) uses HTTPS by default.  The controversial move was doing this for engines that offer HTTPS but don't default their homepage to using it.

So I'd broaden this to cover doing that for all applicable HTTP engines in the prepopulate file, and not bother with the partnership check.

 Issue 783880  has been merged into this issue.

(BTW, "does the home page use HTTPS" was the original criterion we used to determine whether the prepopulated engines should be HTTPS, so this is consistent with that.)

 Issue 783881  has been merged into this issue.

I think we should really aim to have this done in M-65, considering the impact.

(Does this affect Android and Fuchsia?)

Thanks, Carlos. The duped bugs (#4, #2) include other engines in a similar situation vs. Ask. But it may make sense to just probe the built-in provider domains as described in #1?

There are 4 sites on the "UMA-only engines" part of the list that now default to HTTPS and we are still listing as HTTP, but I'm not quite sure if I should update that part (mainly because I'm not quite sure I understand the purpose of those). Do we want those to be updated too?

Re #9: I bet pkasting knows for sure, but I bet the idea of those entries is that we use them to report via UMA if the user ever sets these engines as their default (by visiting the engine's website and manually adding it). 

We probably don't need to touch those as a part of this bug, since it won't improve security and we probably don't need to try to fix the metrics if no one has complained that they've gone stale.

Makes sense, and sounds good, I'll add in a comment to point out the ones that are already HTTPS in the UMA-only section, and send in the CL with the changes then. Thanks!

These are engines commonly set by malware, so we use them as part of measuring that.  Whether they need to be HTTPS depends primarily on what malware is doing these days, I think.

I suspect if the engines default users who visit the real sites to HTTPS, we should probably try to do HTTPS for them, but maybe leave the HTTP versions as alternate search URLs?

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0e993248e06ddbda34dbe7fd5193f413b2ce7d6b

commit 0e993248e06ddbda34dbe7fd5193f413b2ce7d6b
Author: Carlos IL <carlosil@chromium.org>
Date: Tue Dec 19 19:19:53 2017

Changed default search providers to HTTPS

For search providers that already default to HTTPS on their home pages,
made Chrome default to accessing them over HTTPS when using them as
default search engines.

Bug:  783873 
Change-Id: I39793622ca170a51812a617e389842242b812ba5
Reviewed-on: https://chromium-review.googlesource.com/828048
Commit-Queue: Carlos IL <carlosil@chromium.org>
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Cr-Commit-Position: refs/heads/master@{#525099}
[modify] https://crrev.com/0e993248e06ddbda34dbe7fd5193f413b2ce7d6b/components/search_engines/prepopulated_engines.json