
STARTTLS for HTTP (both versions)

From: Maxthon Chan <xcvista@me.com>
Date: Thu, 27 Aug 2015 13:34:38 +0800
Message-id: <1CAB4A93-5AFB-4879-9624-A309F8667F00@me.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Hello List.

This idea may have appeared here before, but I think it is still worth some consideration.

From time to time a website author may want to tell the browser (and user) that their website prefers (or can only be accessed through) HTTPS for connection. Currently this requires server-side rewrite voodoo, which requires quite complex configuration on the server. Also there are scenarios where a user accidentally accesses an HTTPS site with HTTP requests.

Here I suggest, by using the Upgrade header, to implement some kind of STARTTLS so:

1) the web browser can know and cache the fact that the site prefers HTTPS over HTTP,
2) the accidental HTTP access on an HTTPS port can be redirected properly.

The proposed Upgrade syntax is:

Upgrade: STARTSSL[:port]

If the port is omitted, the connection starts the TLS handshake immediately after this response, in place on the existing connection. If not, even when the port is the same as the current port, the current connection is closed, a new connection is made to that port, and the TLS handshake starts there.

Examples:

The Upgrade header looks like this when visiting http://example.org/ but the site prefers https://example.org/:

Upgrade: STARTTLS:443

For an accidental HTTP request to an HTTPS port, like visiting http://vsphere.example.org:5443/ while the server is HTTPS-only at https://vsphere.example.org:5443/ (I make this kind of mistake a lot when managing VMware vSphere clusters), the browser can get this:

Upgrade: STARTSSL
Received on Thursday, 27 August 2015 05:35:45 UTC
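How a client might interpret the proposed header, as an added example that is not part of the mail or of any browser. It assumes the token is accepted in both spellings the mail uses (STARTTLS and STARTSSL), and the https_prefs dict standing in for the browser's cache of HTTPS-preferring sites is hypothetical.

```python
import re
from typing import Dict, Optional, Tuple

# One Upgrade token of the proposed form STARTTLS[:port]. The mail spells the
# token both STARTTLS and STARTSSL, so both spellings are accepted (assumption).
_TOKEN_RE = re.compile(r"^(?:STARTTLS|STARTSSL)(?::(\d{1,5}))?$", re.IGNORECASE)

# Client action: ("in_place", None) starts the TLS handshake on the current
# connection; ("reconnect", port) closes it and opens a new TLS connection to
# that port, even when it equals the current port (as the proposal requires).
Action = Tuple[str, Optional[int]]


def parse_starttls_upgrade(upgrade_value: str) -> Optional[Action]:
    """Return the STARTTLS action from an Upgrade header value, or None.

    Upgrade is a comma-separated list header, so every token is examined.
    Unrelated tokens (e.g. h2c) are skipped; an out-of-range port makes the
    token unusable rather than guessing a port.
    """
    for token in (t.strip() for t in upgrade_value.split(",")):
        m = _TOKEN_RE.match(token)
        if not m:
            continue
        if m.group(1) is None:
            return ("in_place", None)
        port = int(m.group(1))
        return ("reconnect", port) if 1 <= port <= 65535 else None
    return None


def plan_upgrade(host: str, current_port: int, headers: Dict[str, str],
                 https_prefs: Dict[str, int]) -> Optional[Action]:
    """Decide what the client does after a plaintext response from host:port.

    https_prefs (hypothetical cache, host -> TLS port) records the fact that
    the site prefers HTTPS, so later requests can skip the plaintext round trip.
    """
    value = headers.get("Upgrade")
    if value is None:
        return None
    action = parse_starttls_upgrade(value)
    if action is None:
        return None
    kind, port = action
    # In-place upgrade means the current port already speaks TLS.
    https_prefs[host] = current_port if kind == "in_place" else port
    return action
```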
