You alerted me to a Firefox feature I had totally missed: Since Firefox 83 (2020-11-17) Firefox has had an option to enable HTTPS-Only Mode to attempt to do the HTTP to HTTPS conversion with fall back that you described. That option is DISABLED by default, even on a new install. You can go to Settings, Privacy & Security, HTTPS-Only Mode at the bottom of the options, and Enable it for "all windows", or just for "private windows". Will try it out, as it is a rare site these days that doesn't support https, and avoiding all http closes a possible phishing exposure.

With HTTPS-Only Mode enabled in Firefox, for the site in question (on a browser where no security exception has yet been made for that site certificate), you receive an "HTTPS-Only Mode Alert, Secure Site Not Available" alert because of the certificate mismatch, and the only options are to proceed with just HTTP protocol or cancel the access. If you instead use the URL with an explicit HTTPS, you can get to the option to accept the "bad" certificate, and after that has been done once, future auto-HTTPS conversion also works for the site, although you still get the little warning triangle by the lock icon indicating something is amiss.

A web server such as Apache can indeed also "force" a switch from http to https by redirecting all or selected http traffic to https.  Assuming one wouldn't implement that on a server that wasn't also properly configured to support https, failure on any currently supported browser wouldn't be an issue. Such server-level techniques are still widely used to support browsers without the auto-conversion support (or which have that support disabled).  Having this done at the browser level is a better solution, but does require the fallback capability in case https is not properly configured at some website.

    Joel C. Ewing

On 11/7/21 17:00, Paul Gilmartin wrote:
On Sun, 7 Nov 2021 15:44:18 -0600, Joel C. Ewing wrote:
    ...
I'm amazed IBM doesn't yet automatically convert http protocol to https
on all their websites, and hasn't yet changed all published links from
http to https.

I'm amazed that if the user omits the scheme and types merely the
domain name Firefox defaults to (hidden) http, not https.

Firefox lately attempts to convert http to https but falls back to http on
failure.  The client can do that; the server can't.

Compatibility. I suspect that conversion is done by a redirection
and the webmaster wishes to continue supporting old clients.

Just out of curiosity I tried
https://service.software.ibm.com/holdata/390holddata.html ,
and it does actually work (good), but in Firefox you have to override an
invalid security certificate (bad), ...

Might that be reported to IBM, which maintains a reputation for security?

(The embedded URLs to data files are explicitly https.)

... because the certificate at the
service.software.ibm.com website server is apparently only valid for
domains www.aix.software.ibm.com and aix.software.ibm.com, not for
service.software.ibm.com .  Upon inspection, the certificate is
obviously owned by IBM, so if you understand certificates you can feel
confident that in this case a bad-certificate override is safe, but one
should not be required to override security warnings.

Maybe there are some obscure reasons IBM has to keep allowing http
access, but an explicit https access should at least be correctly
supported for all web content -- and that means having the proper
security certificates in place.
-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
Joel C. Ewing

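The "certificate mismatch" discussed in this thread comes down to one rule: the browser checks whether any dNSName in the certificate's Subject Alternative Name list covers the host it connected to. The following is an added example, not code from the thread or from Firefox, showing that name-matching rule (RFC 6125 / RFC 9525 style: case-insensitive labels, a wildcard only as the whole leftmost label, and a wildcard covering exactly one label). The SAN list is constructed from the two names quoted above, not read from the live server; CN fallback, IP-address SANs and IDNA/punycode handling are deliberately left out.

```python
"""Hostname-vs-certificate name matching, as a browser does it.

Added example for the thread above. IBM_SAN_NAMES is constructed from the
names quoted in the discussion, not fetched from the real certificate.
"""
import ipaddress


def _labels(name: str) -> list[str]:
    # DNS names compare case-insensitively; a trailing dot names the same host.
    return name.lower().rstrip(".").split(".")


def label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label. A wildcard counts only when it is the entire label."""
    if pattern_label == "*":
        return True
    # Partial wildcards such as 'w*' are not honored by modern browsers;
    # they are compared literally here, so they never match a real label.
    return pattern_label == host_label


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a SAN dNSName pattern covers hostname.

    Rules applied:
      * comparison is case-insensitive and ignores a trailing dot
      * '*' may appear only as the whole leftmost label
      * a wildcard matches exactly one label ('*.example.com' does not
        cover 'a.b.example.com' or 'example.com')
      * the wildcard must be followed by at least two labels ('*.com' is rejected)
      * an IP-address literal never matches a dNSName
    """
    try:
        ipaddress.ip_address(hostname)
        return False  # IP literals are matched against iPAddress SANs, not dNSNames
    except ValueError:
        pass
    p, h = _labels(pattern), _labels(hostname)
    if "*" in pattern:
        if p[0] != "*" or any("*" in lbl for lbl in p[1:]) or len(p) < 3:
            return False
    if len(p) != len(h):
        return False
    return all(label_matches(pl, hl) for pl, hl in zip(p, h))


def certificate_covers_host(san_dns_names: list[str], hostname: str) -> bool:
    """The browser's verdict: does any SAN dNSName cover the connected host?"""
    return any(dns_name_matches(n, hostname) for n in san_dns_names)


# Constructed from the names quoted in the thread (assumption, not a live lookup).
IBM_SAN_NAMES = ["www.aix.software.ibm.com", "aix.software.ibm.com"]

if __name__ == "__main__":
    for host in ["aix.software.ibm.com", "service.software.ibm.com"]:
        verdict = "OK" if certificate_covers_host(IBM_SAN_NAMES, host) else "MISMATCH"
        print(f"{host}: {verdict}")
```

Run stand-alone, the script reports aix.software.ibm.com as covered and service.software.ibm.com as a mismatch, which is exactly why an explicit https:// to the latter name produces the invalid-certificate warning; a certificate whose SAN list included service.software.ibm.com (or *.software.ibm.com) would pass the same check.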
