- From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
- Date: Thu, 27 Aug 2015 12:23:24 +0300
- To: Maxthon Chan <xcvista@me.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

On Thu, Aug 27, 2015 at 05:08:03PM +0800, Maxthon Chan wrote:
> Your proposal does not solve my second scenario, which I will
> describe in detail here.
>
> Let’s say a software package, for example VMware vSphere, includes
> a HTTPS-only server, listening on port 5443. Usually to access the
> said software package you type this into the browser’s address bar:
> https://vsphere.example.org:5443/. What if you accidentally dropped
> the ‘s’ in ‘https’? It would be PITA to add the s between http and
> the colon if the user does not have a mouse, which is very, very
> common now.

Sniff the connection type (from the first byte client sends[1]) and
if http://, send redirect to https://? (And because the stuff is
insecure, that redirect does not require any authentication).

[1] HTTPS connections start with 0x16, HTTP connections start with
printable character.

-Ilari

Received on Thursday, 27 August 2015 09:23:53 UTC
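
The first-byte sniffing described in the reply above, as an added example that is not part of the original message: it classifies a connection from its first byte and builds the redirect for a plaintext request. The function names, the `default_host` fallback and the sample bytes are assumptions made for the illustration.

```python
import re

TLS_HANDSHAKE = 0x16  # content type of the TLS record that carries ClientHello
HOST_RE = re.compile(rb"[A-Za-z0-9.-]{1,253}(:[0-9]{1,5})?")  # host[:port] only
PATH_RE = re.compile(rb"/[\x21-\x7e]*")  # origin-form target, no controls/spaces


def classify(first_bytes: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' from the first byte the client sent."""
    if not first_bytes:
        return "unknown"
    b = first_bytes[0]
    if b == TLS_HANDSHAKE:
        return "tls"
    if 0x21 <= b <= 0x7E:  # printable ASCII, e.g. the 'G' of GET
        return "http"
    return "unknown"


def redirect_for(request_head: bytes, default_host: bytes) -> bytes:
    """Build a 301 to the https:// form of a plaintext request on the same port."""
    lines = request_head.split(b"\r\n")
    parts = lines[0].split(b" ")
    target = b"/"
    # Echo the request target only if it is a clean origin-form path.
    if len(parts) == 3 and PATH_RE.fullmatch(parts[1]):
        target = parts[1]
    host = default_host  # assumed configured name, used when Host is absent or odd
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host" and HOST_RE.fullmatch(value.strip()):
            host = value.strip()
            break
    return (b"HTTP/1.1 301 Moved Permanently\r\n"
            b"Location: https://" + host + target + b"\r\n"
            b"Content-Length: 0\r\nConnection: close\r\n\r\n")


if __name__ == "__main__":
    # Constructed samples: a plaintext request and the start of a TLS record.
    plain = b"GET /ui/ HTTP/1.1\r\nHost: vsphere.example.org:5443\r\n\r\n"
    tls = bytes([0x16, 0x03, 0x01, 0x02, 0x00])
    for data in (plain, tls):
        kind = classify(data)
        print(kind, redirect_for(data, b"vsphere.example.org:5443") if kind == "http" else b"")
```

In a server the first byte would be read with a peek (for example `sock.recv(1, socket.MSG_PEEK)`) so the TLS stack still receives the complete ClientHello.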