[Ach] (not) redirecting https to http

Pepi Zawodsky pepi.zawodsky at maclemon.at
Wed Nov 4 17:47:15 CET 2015


> On 04 Nov 2015, at 17:23, James Davis <james.davis at jisc.ac.uk> wrote:
> I've encountered a few sites where manually switching to https://
> produces a broken site, and others where every https:// request is
> successful but immediately redirects to the http://
> equivalent (presumably because it's thought more usable than a site
> that's not working with a https:// URL), resulting in an insecure
> connection even though the user typed https://.
Redirecting from working HTTPS to HTTP is just stupid.

Contact the site’s owner to stop actively posing harm to visitors with this practice. Please start with Amazon! The correct way would be the other way round and 301 all HTTP requests to HTTPS+HSTS(+preloading).

> A holding page, with a "We're really sorry but this doesn't work,
> click here to return to http://" would be a more graceful way to
> degrade the security of the site. Is guidance on that point useful?

Guidance is simple:
If there is working HTTPS, use it.
If there isn’t working HTTPS, upgrade to it.
Any other practice is insecure and poses a threat if not harm to visitors.

Yes, I know it’s sometimes hard to convince site owners. See Amazon who is still doing exactly that.

Best regards
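An added example, not from the list post or its author: a small offline checker that classifies a captured redirect chain against the advice above (HTTP should 301 to HTTPS, HTTPS must never redirect to HTTP, and the final HTTPS response should carry an HSTS header that is preload-eligible). The hop tuples and hostnames are constructed sample data; the one-year minimum max-age is what hstspreload.org requires.

```python
from urllib.parse import urlparse

PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age accepted by hstspreload.org

def header(headers, name):
    """Case-insensitive header lookup; returns None if absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"')
    return out

def hsts_status(headers):
    """'none', 'weak' (max-age missing/zero), 'ok', or 'preload-ready'."""
    value = header(headers, "Strict-Transport-Security")
    if value is None:
        return "none"
    d = parse_hsts(value)
    max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
    if max_age <= 0:
        return "weak"
    if max_age >= PRELOAD_MIN_AGE and "includesubdomains" in d and "preload" in d:
        return "preload-ready"
    return "ok"

def audit_chain(hops):
    """hops: ordered list of (url, status, headers) as captured by a client.
    Returns a list of findings; an empty list means the chain is correct."""
    findings = []
    for url, status, headers in hops:
        scheme = urlparse(url).scheme
        location = header(headers, "Location")
        if 300 <= status < 400 and location:
            target = urlparse(location).scheme
            if scheme == "https" and target == "http":
                findings.append(f"downgrade: {url} -> {location}")
            elif scheme == "http" and target == "https" and status != 301:
                findings.append(f"http->https redirect is {status}, should be 301: {url}")
        elif scheme == "http" and status == 200:
            findings.append(f"plain HTTP served instead of redirecting: {url}")
        elif scheme == "https" and status == 200:
            h = hsts_status(headers)
            if h in ("none", "weak"):
                findings.append(f"missing or weak HSTS: {url}")
            elif h == "ok":
                findings.append(f"HSTS present but not preload-eligible: {url}")
    return findings

# Constructed sample chains: the downgrade anti-pattern, and the recommended setup.
BAD_CHAIN = [("https://www.example.test/", 301, {"Location": "http://www.example.test/"}),
             ("http://www.example.test/", 200, {})]
GOOD_CHAIN = [("http://example.test/", 301, {"Location": "https://example.test/"}),
              ("https://example.test/", 200,
               {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"})]
```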

