[Ach] (not) redirecting https to http
james.davis at jisc.ac.uk
Wed Nov 4 17:23:44 CET 2015
I noticed that there are a number of mentions of redirecting http://
requests to https:// but there's nothing about the other way around.
I've encountered a few sites where manually switching to https://
produces a broken site, and others where every https:// request is
successful but immediately redirects to the http://
equivalent (presumably because it's thought more usable than a site
that's not working with a https:// URL), resulting in an insecure
connection even though the user typed https://.
A holding page, with a "We're really sorry but this doesn't work,
click here to return to http://" would be a more graceful way to
degrade the security of the site. Is guidance on that point useful?
(although there's probably an argument to be made that someone who can
create that holding page is probably competent enough to just fix the
James Davis, Information Security Manager +44 1235 822229
Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG
Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339,
VAT No. GB 197 0632 86. Jisc's registered office is: One Castlepark,
Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company
limited by guarantee which is registered in England under company
number 2881024, VAT number GB 197 0632 86. The registered office is:
One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
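
The behaviour described in the message above, where an https:// request succeeds but is answered with a redirect to the http:// equivalent, can be checked for mechanically. The following is an added example, not part of the original post: it classifies recorded redirect hops (request URL, status code, Location header) and flags scheme downgrades. The function names and the example.org sample hops are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def classify_hop(request_url, status, location):
    """Return a finding dict if this hop sends an https:// request to http://, else None."""
    if status not in REDIRECT_CODES or not location:
        return None
    # Location may be relative ("/x") or protocol-relative ("//host/x");
    # resolve it against the request URL the way a browser would.
    target = urljoin(request_url, location.strip())
    src, dst = urlsplit(request_url), urlsplit(target)
    if src.scheme != "https" or dst.scheme != "http":
        return None
    # "http-equivalent": same host, path and query, only the scheme was lowered.
    same = (src.hostname == dst.hostname
            and (src.path or "/") == (dst.path or "/")
            and src.query == dst.query)
    return {"from": request_url, "to": target,
            "kind": "http-equivalent" if same else "other-http-url"}

def find_downgrades(hops):
    """Filter a list of (request_url, status, location) hops down to the downgrades."""
    return [f for f in (classify_hop(*h) for h in hops) if f]

# Constructed sample hops (not captured from any real site).
SAMPLE = [
    ("https://www.example.org/courses", 302, "http://www.example.org/courses"),
    ("https://www.example.org/login", 301, "/signin"),              # relative: stays https
    ("https://www.example.org/a", 302, "//cdn.example.org/a"),      # inherits https
    ("http://www.example.org/", 301, "https://www.example.org/"),   # upgrade, fine
    ("https://www.example.org/old", 301, "http://legacy.example.org/new"),
    ("https://www.example.org/ok", 200, None),                      # no redirect
]

if __name__ == "__main__":
    for finding in find_downgrades(SAMPLE):
        print(f"{finding['kind']}: {finding['from']} -> {finding['to']}")
```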