I noticed that there are a number of mentions of redirecting http:// requests to https:// but there's nothing about the other way around.

I've encountered a few sites where manually switching to https:// produces a broken site, and others where every https:// request is successful but immediately redirects to the http:// equivalent (presumably because it's thought more usable than a site that's not working with a https:// URL), resulting in an insecure connection even though the user typed https://.

A holding page, with a "We're really sorry but this doesn't work, click here to return to http://", would be a more graceful way to degrade the security of the site.

Is guidance on that point useful? (Although there's probably an argument to be made that someone who can create that holding page is probably competent enough to just fix the https:// problems!)

James

--
James Davis, Information Security Manager
+44 1235 822229
Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG

_______________________________________________
Ach mailing list [email protected] http://lists.cert.at/cgi-bin/mailman/listinfo/ach
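A check for the behaviour described in the message above, added here as an example and not part of the original post: given a recorded redirect chain that starts at an https:// URL, it reports whether the site silently sends the user to http://, is broken over https://, or keeps the user on https:// (which is also what a holding page served over https:// looks like). The function names, the hop record layout and the example.org chains are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def redirects(hops):
    """Yield (from_url, to_url) for each redirect in a recorded chain.

    hops: list of (request_url, status, location_header_or_None).
    Relative Location values are resolved against the request URL.
    """
    for url, status, location in hops:
        if status in REDIRECT_CODES and location:
            yield url, urljoin(url, location)


def classify(hops):
    """Say what a user who typed https:// actually ends up with."""
    if urlsplit(hops[0][0]).scheme != "https":
        raise ValueError("chain must start at an https:// URL")
    for src, dst in redirects(hops):
        if urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http":
            return ("silent-downgrade", src, dst)
    final_url, final_status, _ = hops[-1]
    if final_status >= 400:
        return ("broken", final_url, None)
    return ("stays-https", final_url, None)


# Constructed sample chains (not captured from any real site).
SILENT = [("https://example.org/", 302, "http://example.org/"),
          ("http://example.org/", 200, None)]
RELATIVE = [("https://example.org/", 301, "/home"),
            ("https://example.org/home", 200, None)]
BROKEN = [("https://example.org/", 503, None)]
HOLDING = [("https://example.org/", 200, None)]  # page served over https

if __name__ == "__main__":
    for name, chain in [("silent", SILENT), ("relative", RELATIVE),
                        ("broken", BROKEN), ("holding", HOLDING)]:
        print(name, classify(chain))
```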
