[Ach] (not) redirecting https to http

René Pfeiffer lynx at luchs.at
Wed Nov 4 18:25:08 CET 2015


On Nov 04, 2015 at 1820 +0100, Rainer Hoerbe appeared and said:
> 
> > Am 04.11.2015 um 17:47 schrieb Pepi Zawodsky <pepi.zawodsky at maclemon.at>:
> > 
> > Hoi!
> > 
> >> On 04 Nov 2015, at 17:23, James Davis <james.davis at jisc.ac.uk> wrote:
> >> 
> >> I've encountered a few sites where manually switching to https://
> >> produces a broken site, and others where every https:// request is
> >> successful but immediately redirects to the http://
> >> equivalent (presumably because it's thought more usable than a site
> >> that's not working with a https:// URL), resulting in an insecure
> >> connection even though the user typed https://.
> > Redirecting from working HTTPS to HTTP is just stupid.
> 
> Which does not prevent major vendors of IT security solutions doing this.

If you follow the advice of major vendors of IT security solutions we
probably will be using DES and RC4 until 2035. I don't think this is a good
yardstick.

> > …
> > Guidance is simple:
> > If there is working HTTPS, use it.
> > If there isn’t working HTTPS, upgrade to it.
> > Any other practice is insecure and poses a threat if not harm to visitors.
> 
> OTOH I saw claims that advertising links (W3C PING list IIRC) would not be working properly if the landing page is HTTPS. Some guidance on that would be helpful.

Do you have any links to sources? I am curious.

Regarding the HTTP/HTTPS issue, it might also be undesirable to use both
for the same content, because some search engines give penalties for
duplicate content. Don't know if this also applies to the HTTP/HTTPS
duality.

> > Yes, I know it’s sometimes hard to convince site owners. See Amazon who is still doing exactly that.

Site owners and CDNs, that is.

Cheers,
René.

-- 
  )\._.,--....,'``.  fL  Let GNU/Linux work for you while you take a nap.
 /,   _.. \   _\  (`._ ,. R. Pfeiffer <lynx at luchs.at> + http://web.luchs.at/
`._.-(,_..'--(,_..'`-.;.'  - System administration + Consulting + Teaching -
Got mail delivery problems?  http://web.luchs.at/information/blockedmail.php
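A small check for the behaviour James describes (https:// answers, then bounces the visitor to http://), added here as a worked example; it is not part of the original message and not a tool of any of the posters. It walks a redirect chain one hop at a time without letting the client auto-follow, resolves relative and scheme-relative Location values against the requesting URL, and flags any hop whose scheme goes from https to http. The hostnames downgrade.example, good.example and relative.example and their responses are constructed test data, not real sites; live_responder() is the only part that touches the network.

```python
"""Walk a redirect chain and flag HTTPS -> HTTP downgrades (added example)."""
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_hop(request_url, status, headers):
    """Classify one response as final/downgrade/upgrade/same-scheme.

    headers is a plain dict; Location is looked up case-insensitively and
    resolved against request_url, so "/home" and "//host/path" work too.
    Returns (kind, resolved_target_or_None).
    """
    if status not in REDIRECT_CODES:
        return "final", None
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if location is None:
        return "final", None  # 3xx without Location: nothing to follow
    target = urljoin(request_url, location)
    src = urlsplit(request_url).scheme.lower()
    dst = urlsplit(target).scheme.lower()
    if src == "https" and dst == "http":
        return "downgrade", target
    if src == "http" and dst == "https":
        return "upgrade", target
    return "same-scheme", target


def walk_chain(start_url, responder, max_hops=10):
    """Follow redirects via responder(url) -> (status, headers).

    Returns (hops, downgraded): hops is a list of (url, status, kind);
    downgraded is True if any hop sent an https:// request to http://.
    A chain longer than max_hops is recorded with a final "loop" entry.
    """
    url, hops = start_url, []
    for _ in range(max_hops):
        status, headers = responder(url)
        kind, target = classify_hop(url, status, headers)
        hops.append((url, status, kind))
        if target is None:
            break
        url = target
    else:
        hops.append((url, None, "loop"))
    return hops, any(kind == "downgrade" for _, _, kind in hops)


# Constructed responses standing in for three hypothetical sites.
CONSTRUCTED_SITES = {
    # the bad pattern from the thread: HTTPS works, then bounces to HTTP
    "https://downgrade.example/": (302, {"Location": "http://downgrade.example/"}),
    "http://downgrade.example/": (200, {}),
    # the recommended pattern: HTTP upgrades to HTTPS, HTTPS serves content
    "http://good.example/": (301, {"Location": "https://good.example/"}),
    "https://good.example/": (200, {}),
    # relative Location keeps the https scheme of the request
    "https://relative.example/": (302, {"location": "/home"}),
    "https://relative.example/home": (200, {}),
}


def constructed_responder(url):
    """Offline responder backed by CONSTRUCTED_SITES."""
    return CONSTRUCTED_SITES[url]


class _NoRedirect(HTTPRedirectHandler):
    """Make urllib hand 3xx responses back instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_responder(url, timeout=10):
    """Network responder: one GET, redirects not followed. Not used by the tests."""
    opener = build_opener(_NoRedirect())
    try:
        with opener.open(Request(url, method="GET"), timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except HTTPError as err:  # urllib raises on 3xx once redirects are disabled
        return err.code, dict(err.headers)


if __name__ == "__main__":
    for start in ("https://downgrade.example/", "http://good.example/"):
        hops, downgraded = walk_chain(start, constructed_responder)
        print(start, "->", "DOWNGRADE" if downgraded else "ok", hops)
```

To test a real host, call walk_chain("https://host/", live_responder); check the https:// entry point rather than the bare hostname, since that is the case the thread is about.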