
Re: [Lynx-dev] lynx and https,

From: Tim Chase
Subject: Re: [Lynx-dev] lynx and https,
Date: Mon, 23 Oct 2017 16:11:16 -0500

On 2017-10-23 14:48, address@hidden wrote:
>       Does that mean the browser never tries to access port 80?
> This would make no sense.  I suppose it would make sense if the
> browser queried the target domain first, but what difference would
> that make?  What's the difference between a browser trying to access
> port 80 but being redirected to port 443 and the browser asking the
> target domain if it serves port 80?

That's the whole promise of HSTS.  The first time the web-browser
connects to the site, it would include the HSTS header which asserts
"From now until $DATE, I promise I will never ever ask for any resource
over HTTP (non-S), so if you see an insecure HTTP URL, it's
wrong."  I don't remember the details of whether the browser is
supposed to automatically upgrade HTTP links to HTTPS or whether it
should/can be treated as an error condition.

When developing a site, you might set the valid-until-$DATE to really
short in case you break something with your certificates; then once
you have things working, set it for a nice long time-frame as an
assertion that you only communicate over encrypted connections.
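
Added example, not part of the original post and not lynx code: a minimal client-side HSTS store following RFC 6797, under which a known host's http:// URL is rewritten to https:// before any connection is made and the header is honoured only when it arrives over HTTPS. The names HstsStore, parse_sts, note_response and rewrite are hypothetical, and the sketch ignores IP-literal hosts and userinfo.

```python
# Added illustration of HSTS client behaviour as specified in RFC 6797.
# HstsStore and its method names are hypothetical, not taken from lynx.
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value):
    """Parse a Strict-Transport-Security value -> (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age is required")
    return max_age, include_sub


class HstsStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def note_response(self, url, sts_value):
        """Record a policy; the header is ignored unless it arrived over HTTPS."""
        u = urlsplit(url)
        if u.scheme != "https" or not sts_value:
            return
        max_age, include_sub = parse_sts(sts_value)
        if max_age == 0:
            self.hosts.pop(u.hostname, None)  # max-age=0 deletes the policy
        else:
            self.hosts[u.hostname] = (self.clock() + max_age, include_sub)

    def is_known(self, host):
        """True if host, or a parent that set includeSubDomains, is unexpired."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self.clock() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts before any connection."""
        u = urlsplit(url)
        if u.scheme != "http" or not self.is_known(u.hostname or ""):
            return url
        port = "" if u.port in (None, 80) else ":%d" % u.port  # keep non-80 ports
        return urlunsplit(("https", u.hostname + port, u.path, u.query, u.fragment))
```

A short max-age during testing, as suggested above, simply makes the stored entry expire sooner, after which http:// URLs are no longer rewritten.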

