Reputation: 17107
I am trying to access a secure website using this kind of URL: https://securenet.someBank.com. Everything is good and I am shown the login page. Now when I just type:
http://securenet.someBank.com (i.e. http instead of https) I expect to get back a page with https in the browser (e.g. when you type http://mail.yahoo.com, you get back https://mail.yahoo.com).
But in this case https:://securenet.someBank.com just says: Page cannot be displayed.
So what did the website developer do wrong in implementing security? I am just curious. I thought this kind of thing (http --> https redirection) was handled automatically by the web server and the website developer does not even need to do anything. But apparently it is not so.
Upvotes: 0
Views: 1157
Reputation: 681
Besides the recommendation by Bruno above, I would recommend you to read the following:
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
There are two things you could do:
1) Force HTTP Strict Transport Security
2) Do a permanent redirect as described in the example on that page.
Any questions, just let me know.
Fabio @fcerullo
Upvotes: 1
Reputation: 122749
The redirections from HTTP to HTTPS are merely a convenience for the user.
As I was saying in this answer on Webmasters.SE, only the end user can check whether HTTPS is used at all, and whether it's used correctly. A MITM attacker could otherwise prevent that initial redirection from happening at all.
These automatic redirections are only useful based on the assumption that there's no MITM performing such an attack. They're useful to get the user used to seeing HTTPS on pages that should be secure, but whatever happens, it will always be up to the user to check what they're connecting to. Therefore, I wouldn't necessarily call the absence of such a redirection a developer or sysadmin mistake.
As a user, you should always bookmark and use the https:// address for sites where you expect it should be used.
[...] https://securenet.someBank.com. Everything is good and I am shown the login page. [...] But in this case https:://securenet.someBank.com just says: Page cannot be displayed.
Here, assuming the double :: is a typo in your question, you seem to contradict yourself. If https://securenet.someBank.com just says "Page cannot be displayed", this would be a mistake indeed.
Upvotes: 1
Reputation: 1111
Probably wrong server configuration. For example, in Apache one must define a redirect option in the httpd.conf file in order to automatically redirect to the https URL of the page.
Upvotes: 0
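An Apache httpd configuration that implements both of Fabio's points (a permanent redirect from port 80 plus an HSTS header on port 443) for the host named in the question; this is an added example, not taken from any of the answers, and the certificate paths are placeholders while mod_ssl, mod_alias and mod_headers are assumed to be loaded:

```apache
# Port 80: every plain-HTTP request gets a permanent (301) redirect to HTTPS.
# Redirect keeps the request path, so /login becomes https://.../login.
<VirtualHost *:80>
    ServerName securenet.someBank.com
    Redirect permanent "/" "https://securenet.someBank.com/"
</VirtualHost>

# Port 443: the real site, plus Strict-Transport-Security (RFC 6797) so a
# browser that has seen it once rewrites later http:// links to https://
# itself and refuses to proceed past certificate errors.
<VirtualHost *:443>
    ServerName securenet.someBank.com
    SSLEngine on
    # Placeholder paths; replace with the real certificate and key.
    SSLCertificateFile    "/etc/ssl/certs/securenet.someBank.com.pem"
    SSLCertificateKeyFile "/etc/ssl/private/securenet.someBank.com.key"
    # One year, covering subdomains. Send it only over HTTPS; browsers
    # ignore the header on plain HTTP, so it does not belong on port 80.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

The redirect alone still leaves the very first plain-HTTP request exposed to the interception Bruno describes; HSTS closes that gap only for browsers that have already visited the site over HTTPS, and only inclusion in the browsers' HSTS preload list covers the first visit as well.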