[Ach] (not) redirecting https to http

James Davis james.davis at jisc.ac.uk
Wed Nov 4 17:23:44 CET 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I noticed that there's a number of mentions on redirecting http://
requests to https:// but there's nothing about the other way around.

I've encountered a few sites where manually switching to https://
produces a broken site, and others where every https:// request is
successful but immediately redirects to the http://
equivalent(presumably because it's thought more usable than a site
that's not working with a https:// URL), resulting in an insecure
connection even though the user typed https://.

A holding page, with a "We're really sorry but this doesn't work,
click here to return to http://" would be a more graceful way to
degrade the security of the site. Is guidance on that point useful?

(although there's probably an argument to be made that someone who can
create that holding page is probably competent enough to just fix the
https:// problems!).

James

- -- 
James Davis, Information Security Manager  +44 1235 822229
Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG
=============
Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339,
VAT No. GB 197 0632 86. Jisc's registered office is: One Castlepark,
Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company
limited by guarantee which is registered in England under company
number 2881024, VAT number GB 197 0632 86. The registered office is:
One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
============
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2

iQIcBAEBCAAGBQJWOjEQAAoJED9R4Wv4u3eiHTEP+QEMDcF/GC9FmsdMh54Ep1+A
Zq2lFyZwHgeLN0yriwK2GqlmgqCNYluheIYfYdW0WZkZPRY0PL/6LUO9BxZ2i+Wx
iRJd3PI9xcVGhuc7JZAudud3YhNYWvUwARQLffg/KqxmEimXUlwA6WNC+F4Ucf86
NvKZwJrbIufuRctgEVdhxvEnfvyu3yOGDvcIVU82Br960ulUT+hpRFMLGC/6sBKq
LwWGXRxzKFwf5vgnbu1qRBBvrSxraUYPHuYVyRu/bTLkVdKHV+vC/LEf7StRERJe
Ejdm4f3GLnizj4hPhdy77ZcxflAt+WhgqOJrlmBHc7Q0avp54mfyFRjNO33g7S6N
10OKxgq/9ZesuZLDiLNgXarkguOxeqCe5tX5m2xQV0OlyB5jBwIRsfXSC8j0M0Yy
R7cypV4GpmJrBY4T+OuED6CqvSIkjuDAJ2MCjBfHwd0g2XSBk1HnVPnKCN62H/Sv
vUt4kdXF/a3vWADf1WOTflNo9EK2t2eFhG4peHih8AVFEutDPmsZwoTMJgr3knpu
GI7FO7T/LEvV4r5Ax8A1fTeE8IrkBnvXBt4W8fHUn75kGnF+ufjeYJyQf7YQQHpG
l8miuYIM8hBdAOjEgQm8CYyJxebJMa3n2rNkbVKASl53Yab4Nfw1d7uGkeCY9hmc
OWDuFTdFHNrxnFGkLig+
=aC/o
-----END PGP SIGNATURE-----

More information about the Ach mailing list