Hoi!

> On 04 Nov 2015, at 17:23, James Davis <james.da...@jisc.ac.uk> wrote:
> 
> I've encountered a few sites where manually switching to https://
> produces a broken site, and others where every https:// request is
> successful but immediately redirects to the http://
> equivalent (presumably because it's thought more usable than a site
> that's not working with a https:// URL), resulting in an insecure
> connection even though the user typed https://.
Redirecting from working HTTPS to HTTP is just stupid.

Contact the site’s owner to stop actively posing harm to visitors with this 
practice. Please start with Amazon! The correct way would be the other way 
round and 301 all HTTP requests to HTTPS+HSTS(+preloading).


> A holding page, with a "We're really sorry but this doesn't work,
> click here to return to http://", would be a more graceful way to
> degrade the security of the site. Is guidance on that point useful?

Guidance is simple:
If there is working HTTPS, use it.
If there isn’t working HTTPS, upgrade to it.
Any other practice is insecure and poses a threat if not harm to visitors.


Yes, I know it’s sometimes hard to convince site owners. See Amazon who is 
still doing exactly that.

Best regards
Pepi
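The two behaviours discussed in this thread (working HTTPS that 302s back to HTTP, versus HTTP that 301s to HTTPS and then sends HSTS with preload) can be told apart mechanically from a redirect chain and the final response headers. The following checker is an added example and not code from the thread or from anyone on the list; the responses it inspects are constructed in-line rather than fetched, and the preload thresholds (one-year `max-age`, `includeSubDomains`, `preload`) are the ones published by hstspreload.org, which should be checked against the current requirements before relying on them.

```python
"""Classify a site's HTTP/HTTPS redirect behaviour and check its HSTS header.

Added example (not from the mailing-list thread). Responses are constructed
stand-ins, so this runs offline; the preload thresholds follow the
requirements published at hstspreload.org.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the hstspreload.org minimum


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed, not fetched)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup, or None if absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_preload_problems(hsts_value):
    """List the reasons an HSTS header is not preload-ready (empty list = ready)."""
    if hsts_value is None:
        return ["no Strict-Transport-Security header"]
    directives = parse_hsts(hsts_value)
    problems = []
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        problems.append("max-age missing or not an integer")
    else:
        if max_age < PRELOAD_MIN_MAX_AGE:
            problems.append(f"max-age {max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return problems


def classify_redirects(chain):
    """Classify a redirect chain (first element = the URL the user requested).

    'downgrade': a working HTTPS URL redirected to plain HTTP (the practice
                 criticised in the thread)
    'upgrade':   an HTTP request ended up on HTTPS
    'https-ok':  served over HTTPS with no downgrade
    'http-only': stayed on plain HTTP throughout
    """
    schemes = [urlsplit(r.url).scheme for r in chain]
    for prev, cur in zip(schemes, schemes[1:]):
        if prev == "https" and cur == "http":
            return "downgrade"
    if schemes[0] == "http" and schemes[-1] == "https":
        return "upgrade"
    if schemes[-1] == "https":
        return "https-ok"
    return "http-only"


def audit(chain):
    """Combine the redirect verdict with an HSTS check on the final response.

    'permanent' is True when every redirect hop used 301 or 308, which is what
    the thread recommends for the HTTP -> HTTPS redirect.
    """
    verdict = classify_redirects(chain)
    final = chain[-1]
    hsts = None
    if urlsplit(final.url).scheme == "https":
        hsts = final.header("Strict-Transport-Security")
    permanent = all(r.status in (301, 308) for r in chain[:-1])
    return {"redirect": verdict,
            "permanent": permanent,
            "hsts_problems": hsts_preload_problems(hsts)}


# Constructed sample chains (hypothetical hosts, not real sites).
DOWNGRADE_CHAIN = [
    Response("https://shop.example/", 302, {"Location": "http://shop.example/"}),
    Response("http://shop.example/", 200),
]
UPGRADE_CHAIN = [
    Response("http://good.example/", 301, {"Location": "https://good.example/"}),
    Response("https://good.example/", 200,
             {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
]
WEAK_HSTS_CHAIN = [
    Response("https://weak.example/", 200, {"strict-transport-security": "max-age=300"}),
]

if __name__ == "__main__":
    for name, chain in (("downgrade", DOWNGRADE_CHAIN),
                        ("upgrade", UPGRADE_CHAIN),
                        ("weak-hsts", WEAK_HSTS_CHAIN)):
        print(name, audit(chain))
```

Run against a real site, the chain would come from following redirects with a client that records each hop; only the final HTTPS response's `Strict-Transport-Security` header matters, since browsers ignore HSTS sent over plain HTTP.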



_______________________________________________
Ach mailing list
Ach@lists.cert.at
http://lists.cert.at/cgi-bin/mailman/listinfo/ach