[Ach] (not) redirecting https to http

Rainer Hoerbe rainer at hoerbe.at
Wed Nov 4 18:20:53 CET 2015


> Am 04.11.2015 um 17:47 schrieb Pepi Zawodsky <pepi.zawodsky at maclemon.at>:
> 
> Hoi!
> 
>> On 04 Nov 2015, at 17:23, James Davis <james.davis at jisc.ac.uk> wrote:
>> 
>> I've encountered a few sites where manually switching to https://
>> produces a broken site, and others where every https:// request is
>> successful but immediately redirects to the http://
>> equivalent(presumably because it's thought more usable than a site
>> that's not working with a https:// URL), resulting in an insecure
>> connection even though the user typed https://.
> Redirecting from working HTTPS to HTTP is just stupid.

Which does not prevent major vendors of IT security solutions doing this.

> 
> Contact the site’s owner to stop actively posing harm to visitors with this practice. Please start with Amazon! The correct way would be the other way round and 301 all HTTP requests to HTTPS+HSTS(+preloading).
> 
> 
>> A holding page, with a "We're really sorry but this doesn't work,
>> click here to return to http://" would be a more graceful way to
>> degrade the security of the site. Is guidance on that point useful?
> 
> Guidance is simpel:
> If there is working HTTPS, use it.
> If there isn’t working HTTPS, upgrade to it.
> Any other practice is insecure and poses a threat if not harm to visitors.

OTOH I saw claims that advertising links (W3C PING list IIRC) would not be working properly if the landing page is HTTPS. Some guidance on that would be helpful.


- Rainer
> 
> 
> Yes, I know it’s sometimes hard to convince site owners. See Amazon who is still doing exactly that.
> 
> Best regards
> Pepi
> 
> 
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach




More information about the Ach mailing list