> On 04.11.2015 at 17:47, Pepi Zawodsky <[email protected]> wrote:
> 
> Hi!
> 
>> On 04 Nov 2015, at 17:23, James Davis <[email protected]> wrote:
>> 
>> I've encountered a few sites where manually switching to https://
>> produces a broken site, and others where every https:// request is
>> successful but immediately redirects to the http://
>> equivalent (presumably because it's thought more usable than a site
>> that's not working with a https:// URL), resulting in an insecure
>> connection even though the user typed https://.
> Redirecting from working HTTPS to HTTP is just stupid.

Which does not prevent major vendors of IT security solutions doing this.

> 
> Contact the site’s owner to stop actively posing harm to visitors with this 
> practice. Please start with Amazon! The correct way would be the other way 
> round and 301 all HTTP requests to HTTPS+HSTS(+preloading).
> 
> 
>> A holding page, with a "We're really sorry but this doesn't work,
>> click here to return to http://" would be a more graceful way to
>> degrade the security of the site. Is guidance on that point useful?
> 
> Guidance is simple:
> If there is working HTTPS, use it.
> If there isn’t working HTTPS, upgrade to it.
> Any other practice is insecure and poses a threat if not harm to visitors.

OTOH I saw claims that advertising links (W3C PING list IIRC) would not be 
working properly if the landing page is HTTPS. Some guidance on that would be 
helpful.


- Rainer
> 
> 
> Yes, I know it’s sometimes hard to convince site owners. See Amazon who is 
> still doing exactly that.
> 
> Best regards
> Pepi
> 
> 
> _______________________________________________
> Ach mailing list
> [email protected]
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
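The thread contrasts two behaviours: a site that answers HTTPS but redirects the visitor to HTTP (the downgrade Pepi objects to), and the recommended setup of a 301 from HTTP to HTTPS plus an HSTS header that is eligible for preloading. The following checker, an added example that is not code from the ACH list or any of its participants, classifies a redirect chain as a client would observe it and inspects the HSTS policy on the final response. The hostnames and response chains in SAMPLE_CHAINS are constructed for illustration; the one-year minimum max-age and the includeSubDomains/preload requirements are those of the HSTS preload list, and the rule that a policy received over plain HTTP is ignored comes from RFC 6797.

```python
"""Classify HTTP/HTTPS redirect behaviour and the HSTS policy of a site.

Added example for the ACH thread above, not code from the list or its
participants.  The redirect chains in SAMPLE_CHAINS are constructed data.
"""
from urllib.parse import urlsplit

# Preload-list requirements: max-age of at least one year, includeSubDomains, preload.
PRELOAD_MIN_MAX_AGE = 31_536_000


def parse_hsts(header):
    """Split a Strict-Transport-Security value into lower-cased directives.

    Valueless directives (includeSubDomains, preload) map to True.
    Returns None when no header was present.
    """
    if header is None:
        return None
    directives = {}
    for token in header.split(";"):
        token = token.strip()
        if not token:
            continue
        name, sep, value = token.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else True
    return directives


def hsts_verdict(header):
    """Describe the policy carried by one Strict-Transport-Security value."""
    d = parse_hsts(header)
    if d is None:
        return "no HSTS"
    raw = d.get("max-age")
    if raw is None or raw is True:
        return "HSTS malformed (no max-age)"
    try:
        max_age = int(raw)
    except ValueError:
        return "HSTS malformed (bad max-age)"
    if max_age <= 0:
        return "HSTS cleared (max-age=0)"
    if (max_age >= PRELOAD_MIN_MAX_AGE
            and d.get("includesubdomains") is True
            and d.get("preload") is True):
        return "HSTS preload-ready"
    return "HSTS set"


def classify_chain(chain):
    """Classify a redirect chain.

    chain: hops in the order a client saw them, each (url, status, headers)
    with lower-cased header names; the last hop is the final response.
    Returns {"verdict": ..., "hsts": ...}.
    """
    schemes = [urlsplit(url).scheme for url, _, _ in chain]
    # Any https -> http hop is the downgrade the thread complains about.
    for i in range(len(schemes) - 1):
        if schemes[i] == "https" and schemes[i + 1] == "http":
            verdict = "downgrade: %s -> %s" % (chain[i][0], chain[i + 1][0])
            break
    else:
        first, last = schemes[0], schemes[-1]
        if first == "http" and last == "https":
            status = chain[0][1]
            verdict = ("upgrade (301)" if status == 301
                       else "upgrade via %d (should be 301)" % status)
        elif last == "https":
            verdict = "HTTPS served"
        else:
            verdict = "HTTP only"
    # Browsers only honour HSTS on responses received over TLS (RFC 6797),
    # so a policy sent on a plain-HTTP response counts for nothing.
    _, _, final_headers = chain[-1]
    if schemes[-1] == "https":
        hsts = hsts_verdict(final_headers.get("strict-transport-security"))
    else:
        hsts = "no HSTS (final response is plain HTTP)"
    return {"verdict": verdict, "hsts": hsts}


# Constructed sample chains (hostnames are placeholders, not real sites).
SAMPLE_CHAINS = {
    "downgrade": [
        ("https://shop.example/", 301, {"location": "http://shop.example/"}),
        ("http://shop.example/", 200, {}),
    ],
    "correct": [
        ("http://www.example/", 301, {"location": "https://www.example/"}),
        ("https://www.example/", 200,
         {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"}),
    ],
    "weak_upgrade": [
        ("http://blog.example/", 302, {"location": "https://blog.example/"}),
        ("https://blog.example/", 200, {}),
    ],
    "http_only": [("http://old.example/", 200, {})],
}

if __name__ == "__main__":
    for name, chain in SAMPLE_CHAINS.items():
        print("%-13s %s" % (name, classify_chain(chain)))
```

The "weak_upgrade" case is worth noting: a 302 does get the visitor onto HTTPS, but without the permanent 301 and an HSTS header the next visit still starts over plain HTTP, which is exactly the window the thread's advice (301 plus HSTS plus preloading) is meant to close.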
