On 04/11/2015 16:47, Pepi Zawodsky wrote:
> Redirecting from working HTTPS to HTTP is just stupid. ... Guidance
> is simple: If there is working HTTPS, use it. If there isn't
> working HTTPS, upgrade to it. Any other practice is insecure and
> poses a threat if not harm to visitors.

I agree with you that it's stupid and that your guidance is the ideal approach, but in some instances people aren't in control of the entire environment. Perhaps the application that doesn't support HTTPS is looked after by a different team, division or department than the one that requires HTTPS, and there's a different team again configuring Apache; or perhaps this is just an interim measure whilst they negotiate with external contracts to fix the errors displayed when viewing the pages over HTTPS.

In those cases something pragmatic may be required, something along the lines of:

"Don't redirect HTTPS users to HTTP, it's a bad idea. Fix things instead. Really, fix them. But if you really have no choice, don't use a 301 redirect; instead have a holding page with a clear explanation for the user."

James

--
James Davis, Information Security Manager
+44 1235 822229
Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG

=============
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc's registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
============
_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
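As an added illustration of the two Apache configurations the thread contrasts (example configuration written for this page, not taken from the mailing list post or from the Applied Crypto Hardening project), the first vhost shows the practice both posters object to and the second shows the interim holding-page approach James describes. The hostname `legacy.example.org`, the certificate paths and the `/var/www/holding` directory are placeholder assumptions.

```apache
# --- Weak: the HTTPS listener bounces every visitor back to cleartext ---
# A 301 is cached by browsers, so visitors who once hit this vhost keep
# being sent to http:// even after HTTPS is repaired, and every request
# after the redirect travels unencrypted.
<VirtualHost *:443>
    ServerName legacy.example.org                        # assumed hostname
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/legacy.example.org.pem   # assumed path
    SSLCertificateKeyFile /etc/ssl/private/legacy.example.org.key # assumed path
    Redirect permanent / http://legacy.example.org/
</VirtualHost>

# --- Interim alternative: keep HTTPS up and serve an explanation page ---
# Nothing is redirected to HTTP. Every HTTPS request is rewritten
# internally (no client-visible redirect) to a static page that tells
# the user why the application is not yet available over HTTPS.
<VirtualHost *:443>
    ServerName legacy.example.org                        # assumed hostname
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/legacy.example.org.pem   # assumed path
    SSLCertificateKeyFile /etc/ssl/private/legacy.example.org.key # assumed path

    DocumentRoot /var/www/holding                        # assumed directory
    <Directory /var/www/holding>
        Options -Indexes
        Require all granted
    </Directory>

    # Map any path to the holding page so deep links still get the notice.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/holding\.html$
    RewriteRule ^ /holding.html [L]

    # Do not let browsers or proxies cache the notice; once HTTPS is fixed
    # and this vhost is replaced, nothing stale should linger.
    Header always set Cache-Control "no-store"
</VirtualHost>
```

The holding page itself is plain HTML in `/var/www/holding/holding.html` with the explanation and a link to the HTTP site; the decision to continue over HTTP is then a visible, uncached choice made by the user rather than a silent, cacheable downgrade made by the server. Both vhosts require `mod_ssl`, and the second additionally needs `mod_rewrite` and `mod_headers` enabled.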
