Widely deploying HTTPS is nice (as spearheaded by Let's Encrypt), but forcibly redirecting from the HTTP version of a site to the HTTPS address via server-side directives is sometimes problematic. Problem occurs with clients able to speak the simpler HTTP but not able to speak the more complicated HTTPS (or understand and obey the redirect), where upgrading the client is not possible, and the data being transmitted does not need cryptographic protection.
Better (arguably) is to leave both HTTP and HTTPS available, and widely deploy tools on the client side that redirect from HTTP to HTTPS, e.g., the HTTPS Everywhere browser extension, for clients which can speak HTTPS.
Inspired by several client tools and services broken by redirect-to-HTTPS.
No comments:
Post a Comment