On Nov 04, 2015 at 1820 +0100, Rainer Hoerbe appeared and said:
> 
> > On 04.11.2015 at 17:47, Pepi Zawodsky <[email protected]> wrote:
> > 
> > Hoi!
> > 
> >> On 04 Nov 2015, at 17:23, James Davis <[email protected]> wrote:
> >> 
> >> I've encountered a few sites where manually switching to https://
> >> produces a broken site, and others where every https:// request is
> >> successful but immediately redirects to the http://
> >> equivalent (presumably because it's thought more usable than a site
> >> that's not working with a https:// URL), resulting in an insecure
> >> connection even though the user typed https://.
> > Redirecting from working HTTPS to HTTP is just stupid.
> 
> Which does not prevent major vendors of IT security solutions doing this.

If you follow the advice of major vendors of IT security solutions we
probably will be using DES and RC4 until 2035. I don't think this is a good
yardstick.

> > …
> > Guidance is simple:
> > If there is working HTTPS, use it.
> > If there isn’t working HTTPS, upgrade to it.
> > Any other practice is insecure and poses a threat if not harm to visitors.
> 
> OTOH I saw claims that advertising links (W3C PING list IIRC) would not be 
> working properly if the landing page is HTTPS. Some guidance on that would be 
> helpful.

Do you have any links to sources? I am curious.

Regarding the HTTP/HTTPS issue, it might also be undesirable to use both
for the same content, because some search engines give penalties for
duplicate content. Don't know if this also applies to the HTTP/HTTPS
duality.

> > Yes, I know it’s sometimes hard to convince site owners. See Amazon who is 
> > still doing exactly that.

Site owners and CDNs, that is.

Cheers,
René.

-- 
  )\._.,--....,'``.  fL  Let GNU/Linux work for you while you take a nap.
 /,   _.. \   _\  (`._ ,. R. Pfeiffer <lynx at luchs.at> + http://web.luchs.at/
`._.-(,_..'--(,_..'`-.;.'  - System administration + Consulting + Teaching -
Got mail delivery problems?  http://web.luchs.at/information/blockedmail.php


_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
