HTTPS first - it's time!
In short
HTTP to HTTPS redirects aren't always configured. Solution options:
- Browsers should change resolving to HTTPS first, when unspecified!
- perhaps then attempting HTTP as a fallback. #upForDiscussion
- Chrome extensions that complete this user story:
  - "As a browser that has received a failed HTTP response (ERR_EMPTY_RESPONSE*), I would like myself (the browser) to resolve to try the same path with a secure path instead (HTTPS), so that my pages that don't have an apache redirect to HTTPS will work without my banging my head on the wall."
In longer
Many systems today use (and should use!) HTTPS for web communication. The browsers today, though, still attempt HTTP first when resolving a request for, say, www.xeyecle.com... but *sometimes* there are servers out there that don't have a REWRITE condition on their servers, nor a 301 redirect at the Nginx web server level... and sometimes the groups that own these items are <insert legitimate, rude, or ignorant excuse here> to do it. When these web servers aren't configured correctly, we're letting users go a) not as secure as one could be, or b) maybe worse yet (which is what has prompted my writing this), the page just ERR_EMPTY_RESPONSE's out - forcing you to manually update the path to HTTPS. #manualWorkOye!
Do note this is something that I've observed internally, with applications that are hosted on-prem, and not particularly "customer" facing - but it's a cost, and that's how I see it... an inefficiency inducing cost. #akaOpportunity
Solution thoughts:
A) I'd first call for browsers to implement HTTPS-first logic into browsers.
- At the lowest, 66% of pages load over HTTPS in Chrome. In the US, 84% of pages load over a secure protocol, yow! *ref1
- Let's solve for our actual users... give those redirects Apache servers a break! ;-)
B) If we can't get this to happen, in the interim I would selfishly like someone to develop a Chrome extension for me that would effectively complete this user story:
"As a browser that has received a failed HTTP response (ERR_EMPTY_RESPONSE*), I would like myself (the browser) to resolve to try the same path with a secure path instead (HTTPS), so that my pages that don't have an apache redirect to HTTPS will work without my banging my head on the wall."
- Though I ponder, now, if it would be better to not JUST wait for these error scenarios, and force-try HTTPS first....
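As an added example (my own sketch, not code from the original post or from any existing extension), here is the core of a hypothetical Chrome extension that implements the user story in B: a pure `upgradeToHttps()` helper, a `retryTarget()` decision that only fires on network-level failures of top-level navigations, and the `chrome.webRequest` glue that would run inside the browser. The host name `www.xeyecle.com` and the loopback exclusion are assumptions for illustration.

```javascript
// Added example (not from the original post): core of a hypothetical Chrome
// extension for user story B. upgradeToHttps() and retryTarget() are pure
// helpers; the chrome.* wiring at the bottom only runs inside a browser.
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Return the https:// equivalent of an http:// URL, or null if no upgrade applies.
// Default port 80 is dropped (so 443 is implied); an explicit non-default port is
// kept as-is because we cannot know which port the TLS listener uses.
function upgradeToHttps(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }   // not a parseable URL
  if (url.protocol !== "http:") return null;              // already https, or not http at all
  if (LOOPBACK.has(url.hostname)) return null;            // assumption: local dev servers rarely have TLS
  url.protocol = "https:";
  return url.href;
}

// Only retry on failures where the server never gave a usable answer. A real
// HTTP status (404, 500) proves plain HTTP works and is left alone on purpose.
const RETRYABLE = new Set([
  "net::ERR_EMPTY_RESPONSE",
  "net::ERR_CONNECTION_REFUSED",
  "net::ERR_CONNECTION_RESET",
]);

// Decide whether a failed request should be retried over HTTPS.
// `details` mirrors the object chrome.webRequest.onErrorOccurred passes to listeners.
function retryTarget(details) {
  if (details.type !== "main_frame") return null;   // never rewrite subresources
  if (!RETRYABLE.has(details.error)) return null;
  return upgradeToHttps(details.url);
}

// Extension glue (manifest needs "webRequest", "tabs" and an http://*/* host permission).
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onErrorOccurred.addListener((details) => {
    const target = retryTarget(details);
    if (target) chrome.tabs.update(details.tabId, { url: target });
  }, { urls: ["http://*/*"], types: ["main_frame"] });
}
```

The "force-try HTTPS first" variant pondered above needs no error handling at all: a Manifest V3 `declarativeNetRequest` rule with the `upgradeScheme` action rewrites http:// navigations before they leave the browser.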
or C) Of course, we just do the right thing for *all* our users and do stuff like.. implement 301s :)
- https://stackoverflow.com/questions/4083221/how-to-redirect-all-http-requests-to-https
- https://www.keycdn.com/blog/http-to-https/
*ref1: Google's Transparency report that states in the US https://transparencyreport.google.com/https/overview?hl=en&time_os_region=chrome-usage:1;series:time;groupby:os&lu=load_os_region&load_os_region=chrome-usage:1;series:page-load;groupby:os
p.s. URLs posted in C are simply Googled references - there may be better sources, but I wanted to put a couple of resources down to get ya goin'.
Post-p.s. I find it comical that I write this shit. Hope it'll help someone somewhere someday. ¯\_(ツ)_/¯
UPDATE: I added this as a comment, but I didn't like how it resolves, so adding it here now too:
NOTE: these old arguments seem antiquated:
https://security.stackexchange.com/questions/4369/why-is-https-not-the-default-protocol and https://security.stackexchange.com/questions/81801/why-do-browsers-default-to-http-and-not-https-for-typed-in-urls (2011 and 2015, respectively)
Know, too, that (lol, it's http and doesn't redirect!) Chromium is thoughtful on this, but I think we could get bolder: http://www.chromium.org/Home/chromium-security/marking-http-as-non-secure