[Ach] (not) redirecting https to http

James Davis james.davis at jisc.ac.uk
Thu Nov 5 18:01:36 CET 2015


On 04/11/2015 16:47, Pepi Zawodsky wrote:

> Redirecting from working HTTPS to HTTP is just stupid. ... Guidance
> is simple: If there is working HTTPS, use it. If there isn’t
> working HTTPS, upgrade to it. Any other practice is insecure and
> poses a threat if not harm to visitors.

I agree with you that it's stupid and that your guidance is the ideal
approach but in some instances people aren't in control of the entire
environment.

Perhaps the application that doesn't support HTTPS is looked after by
a different team, division or department than the one that requires
HTTPS and there's a different team again configuring Apache, or
perhaps this is just an interim measure whilst they negotiate with
external contracts to fix the errors displayed when viewing the pages
over HTTPS.

In those cases something pragmatic may be required, something along
the lines of:

"Don't redirect HTTPS users to HTTP, it's a bad idea. Fix things
instead. Really, fix them. But if you really have no choice, don't use
a 301 redirect, instead have a holding page with a clear explanation
for the user"

James

-- 
James Davis, Information Security Manager  +44 1235 822229
Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG
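A concrete Apache rendering of the two options discussed above, added here as an example and not taken from the thread; the hostname www.example.org, the /legacyapp path and the file locations are assumptions, and Apache 2.4 with mod_ssl and mod_rewrite is assumed.

```apache
# Constructed example (not from the thread). Assumed: Apache 2.4 with
# mod_ssl and mod_rewrite; placeholder host www.example.org; the
# application that still breaks over HTTPS lives under /legacyapp.

# What the thread warns against: the HTTPS vhost quietly sends the
# visitor back to cleartext. A 301 is cached by browsers, so even after
# the application is fixed those users will keep landing on http://.
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key
    Redirect 301 /legacyapp http://www.example.org/legacyapp
</VirtualHost>

# The pragmatic interim James describes: stay on HTTPS and, for the one
# broken path only, answer with a holding page that explains the
# situation. No redirect is issued, so nothing is cached and the
# address bar keeps https://.
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key
    DocumentRoot /var/www/site

    <Directory /var/www/site>
        Require all granted
    </Directory>

    RewriteEngine on
    # Return 503 for /legacyapp and everything below it; the status
    # tells monitoring and crawlers this is temporary, and the
    # ErrorDocument is served internally from the document root.
    RewriteRule ^/legacyapp(/.*)?$ - [R=503,L]
    ErrorDocument 503 /holding/legacyapp.html
</VirtualHost>

# The plain-HTTP vhost upgrades everyone, matching Pepi's guidance.
<VirtualHost *:80>
    ServerName www.example.org
    Redirect permanent / https://www.example.org/
</VirtualHost>
```

Remove the RewriteRule and ErrorDocument lines once the application works over HTTPS; because no redirect was ever cached, users return to the real application immediately.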