On Mon, 07 Dec 2015 14:48:52 +0000, Kapps wrote:
> On Monday, 7 December 2015 at 14:38:39 UTC, Steven Schveighoffer wrote:
>> I'm surprised it wouldn't. I wouldn't think a redirect would need to be
> It does. Otherwise you could bypass HTTPS entirely by replacing the
> redirect page with a non-encrypted copy of the dlang website with
> whatever modifications you like.
Well, only if you're trying to protect against MITM attacks. If you're
only worried about people packet sniffing, you can redirect from an
unencrypted page without a care.
In a situation like this, where approximately no sensitive information is
going back and forth, MITM isn't much of a concern (and packet sniffing
isn't, either, for the most part, except if you're logging in with a
password you reuse elsewhere).