STARTTLS for HTTP (both versions)

Hello List.

This idea may have appeared here before, but I think it is still worth some consideration.

From time to time a website author may want to tell the browser (and user) that their website prefers (or can only be accessed through) HTTPS for the connection. Currently this requires server-side rewrite voodoo, which requires quite complex configuration on the server. Also, there are scenarios where a user accidentally accesses an HTTPS site with HTTP requests.

Here I suggest, by using the Upgrade header, to implement some kind of STARTTLS so:

1) the web browser can know and cache the fact that the site prefers HTTPS over HTTP,
2) the accidental HTTP access to an HTTPS port can be redirected properly.

The proposed Upgrade syntax is:

Upgrade: STARTSSL[:port]

If the port is omitted, the connection starts the TLS handshake immediately after this response, in place on the existing connection. Otherwise, even when the port is the same as the current port, the current connection is closed, a new connection is made to that port, and the TLS handshake starts there.

Examples:

The Upgrade header looks like this when visiting http://example.org/ but the site prefers https://example.org/:

Upgrade: STARTTLS:443

For an accidental HTTP request to an HTTPS port, like visiting http://vsphere.example.org:5443/ while the server is HTTPS-only at https://vsphere.example.org:5443/ (I make this kind of mistake a lot when managing VMware vSphere clusters), the browser can get this:

Upgrade: STARTSSL

Received on Thursday, 27 August 2015 05:35:45 UTC
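The client-side half of the proposal, written out as an added example (not code from the post or from any browser): a parser for the proposed "Upgrade: STARTSSL[:port]" value that distinguishes the in-place handshake from the close-and-reconnect case, a scan of a response head for that header, the per-host cache from point (1) that rewrites later http:// URLs before any cleartext request is sent, and the socket-level upgrade itself. Assumptions made here and not in the post: both spellings STARTSSL and STARTTLS are accepted since the post uses both; the header only counts when "Connection: upgrade" is also present, as the existing Upgrade rules in RFC 7230 require; the class and function names are the example's own; the sample response bytes are constructed.

```python
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

# Header syntax proposed in the post:  Upgrade: STARTSSL[:port]
# The post writes the token as both STARTSSL and STARTTLS, so this example
# accepts either spelling (an assumption of the example, not of the post).
_TOKEN_RE = re.compile(r"^\s*(?:STARTSSL|STARTTLS)(?::(\d{1,5}))?\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class UpgradeDecision:
    in_place: bool           # True: TLS handshake on the existing connection
    port: Optional[int]      # when in_place is False: port of the new connection


def parse_upgrade(value: str) -> Optional[UpgradeDecision]:
    """Interpret one Upgrade token; None if it is not a STARTTLS-style upgrade."""
    m = _TOKEN_RE.match(value)
    if not m:
        return None
    if m.group(1) is None:
        return UpgradeDecision(in_place=True, port=None)
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        return None                      # malformed port: ignore the header
    return UpgradeDecision(in_place=False, port=port)


def find_upgrade(raw_head: bytes) -> Optional[UpgradeDecision]:
    """Scan the head of an HTTP/1.x response for the proposed Upgrade header.

    Upgrade is hop-by-hop, so it is only honoured when "Connection: upgrade"
    is present as well (assumption: the post does not say so, but this is
    what RFC 7230 requires of the existing Upgrade mechanism).
    """
    head = raw_head.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, val = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(val.strip())
    conn = {t.strip().lower() for v in headers.get("connection", []) for t in v.split(",")}
    if "upgrade" not in conn:
        return None
    for val in headers.get("upgrade", []):
        for token in val.split(","):     # Upgrade carries a comma-separated list
            decision = parse_upgrade(token)
            if decision is not None:
                return decision
    return None


class HttpsPreferenceCache:
    """Point (1) of the post: remember that a host prefers HTTPS so that later
    plain-HTTP navigations are rewritten before any cleartext request goes out."""

    def __init__(self) -> None:
        self._ports: Dict[str, int] = {}

    def remember(self, host: str, current_port: int, decision: UpgradeDecision) -> None:
        # In-place upgrade means TLS on the port we are already talking to.
        port = current_port if decision.in_place else decision.port
        self._ports[host.lower()] = port

    def rewrite(self, url: str) -> str:
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        port = self._ports.get(parts.hostname.lower())
        if port is None:
            return url
        netloc = parts.hostname if port == 443 else f"{parts.hostname}:{port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def upgrade_connection(sock: socket.socket, host: str,
                       decision: UpgradeDecision) -> ssl.SSLSocket:
    """Carry out the decision on a live socket (network code, not run by the test)."""
    ctx = ssl.create_default_context()   # verifies the chain and the hostname
    if not decision.in_place:
        sock.close()                     # post: close and reconnect even on the same port
        sock = socket.create_connection((host, decision.port))
    return ctx.wrap_socket(sock, server_hostname=host)
```

The cache is what gives the scheme its value on repeat visits: the first response arrives over cleartext and can be removed by anyone on the path, but once a host is remembered the browser never sends the plain-HTTP request again, which is the same property HTTP Strict Transport Security relies on.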