Do browsers know domains that are supposed to be encrypted?
The short answer: they know a very limited number.
HTTP Strict Transport Security was introduced to provide better guarantees that a website is being served over HTTPS when specified by the operator.
This works well for websites you have visited recently as your browser will remember their HSTS policy and refuse a plaintext connection.
For example, if you visit your (previous visited from home) bank's website from an untrusted network that happens to have a man in the middle attempting to downgrade the connection to plain HTTP, your browser will refuse to connect because it remembers the website's security policy.
If you have not visited the site previously, the man in the middle needs to not only downgrade the connection security, but also remove the HSTS header (Strict-Transport-Security
) from the response. This isn't difficult.
The problem you have identified is the major limitation: what happens if you are the victim of a downgrade attack during the first visit.
One solution browsers have implemented is to package a "pre-loaded HSTS list" of popular websites known to require HTTPS. Obviously this cannot be comprehensive and even with the list, attackers can still setup security downgrade proxies at slightly related DNS names.
You can submit a domain for inclusion in the HSTS Preload List at hstspreload.org.
Security researcher Moxie Marlinspike demonstrated this type of attack in 2009, using a tool that he created called 'sslstrip'. See https://www.youtube.com/watch?v=ibF36Yyeehw (beginning at about 8:34).
To prevent this type of attack, we now have HTTP Strict Transport Security (HSTS). Sites can include an HSTS header in their response, to inform browsers to always connect to the site by HTTPS in the future. Upon receiving the HSTS response header from the site, the browser adds the site to an 'HTTPS-only' list that it maintains, so that going forward, the browser will only connect to that site by HTTPS. So, with a site that has implemented HSTS, an sslstrip attack may succeed on the first connection to the site, but HSTS prevents an sslstrip attack on subsequent connections.
To prevent an sslstrip attack on the first connection to the site, the site operator can include the site on an HSTS preload list. HSTS preload lists are shipped with some browsers (e.g. Chrome), so that the browser knows to connect to these sites by HTTPS-only, even before connecting for the first time.