Derek

Reputation: 11915

How does SSL work on Re-directs?

I am interested in trying to figure out exactly what is going on when a user types in, for example

https://www.bing.com

which lands them on

http://www.bing.com

If you'll notice, www.bing.com apparently doesn't support https, so the page returned has no cert associated with it. Shouldn't the browser complain about this? What's more, when looking at the HTTP headers, I never actually see a redirect or anything that indicates this page returned is not the https version (guess I was expecting some indication this happened).

For another example, gmail does something similar -

I go to https://gmail.com

and I end up on mail.google.com or accounts.google.com depending on whether I'm logged in or not. At least these sites give me a cert, unlike bing, but how come the browser doesn't complain that the URLs are mismatched? It seems like I should also get a cert for gmail.com in that case, right? (the cert on the gmail redirect is good for mail.google.com, but makes no mention, wildcard or otherwise, of gmail.com)

Upvotes: 0

Views: 208

Answers (1)

josh3736

Reputation: 144912

There's nothing special going on. It's a simple HTTP redirect, but you'll only see it if you ignore the SSL certificate error. (https://www.bing.com currently serves a certificate issued to akamai.) Remember, once you tell your browser to ignore the cert error, it will generally remember that choice for the rest of the session.

If you instruct your browser to ignore the SSL certificate error, the following happens inside an SSL-encrypted connection:

GET https://www.bing.com/ HTTP/1.1
Host: www.bing.com
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.73 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,es;q=0.6

HTTP/1.1 302 Moved Temporarily
Server: AkamaiGHost
Content-Length: 0
Location: http://www.bing.com/
Date: Thu, 02 May 2013 22:02:28 GMT
Connection: keep-alive

There's no rule against a HTTPS site redirecting to plain HTTP [1], so the browser just does a normal request for http://www.bing.com. Since we're now on a plain HTTP page, there's nothing to display (warning or otherwise) regarding certificates.

[1] except in certain situations involving POST requests, where some browsers issue warnings.

The other sites you mention work similarly, except the redirect from gmail.com is to https://mail.google.com. mail.google.com has its own certificate, distinct from https://www.gmail.com's certificate.

Upvotes: 1
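The two points the answer makes, that a certificate is only ever checked against the host of the connection it was served on and that an https-to-http hop leaves the final page with no certificate at all, can be made concrete by walking a redirect chain hop by hop the way a browser does. The following is an added example, not code from the question or the answer: the raw responses and the certificate subjectAltName lists are constructed to mirror the two cases discussed (a mismatched cert followed by a downgrade redirect, and an https-to-https redirect where each host has its own cert); they are not captures from the real sites.

```python
"""Walk a redirect chain hop by hop and report, per hop, whether the
served certificate covers the connection's hostname and whether the
redirect drops from https to http (a downgrade, after which no
certificate is involved at all).

Added example with constructed data; not captures of bing.com or google.com.
"""
from urllib.parse import urlsplit, urljoin

# Constructed raw HTTP responses, keyed by the URL requested.
RESPONSES = {
    "https://www.bing.com/": (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        "Server: AkamaiGHost\r\n"
        "Content-Length: 0\r\n"
        "Location: http://www.bing.com/\r\n\r\n"
    ),
    "http://www.bing.com/": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    "https://gmail.com/": (
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Location: https://mail.google.com/mail/\r\n\r\n"
    ),
    "https://mail.google.com/mail/": "HTTP/1.1 200 OK\r\n\r\n",
}

# Constructed subjectAltName lists, keyed by the host that served the cert.
# www.bing.com deliberately serves a cert for an unrelated CDN name, as in the answer.
CERT_SANS = {
    "www.bing.com": ["a248.e.akamai.net", "*.akamaihd.net"],
    "gmail.com": ["gmail.com", "www.gmail.com"],
    "mail.google.com": ["mail.google.com", "*.mail.google.com"],
}

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def parse_response(raw):
    """Return (status_code, {lowercased header name: value}) from a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def san_matches(hostname, san):
    """RFC 6125 style: a wildcard may only be the leftmost label and matches exactly one label."""
    hostname = hostname.lower()
    san = san.lower()
    if san.startswith("*."):
        return hostname.count(".") == san.count(".") and hostname.endswith(san[1:])
    return hostname == san


def cert_covers(hostname, sans):
    """True if any SAN entry covers the hostname of this connection."""
    return any(san_matches(hostname, s) for s in sans)


def walk(url, responses=RESPONSES, certs=CERT_SANS, max_hops=10):
    """Follow redirects from url, recording per hop the scheme, cert check and downgrade flag."""
    hops = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        status, headers = parse_response(responses[url])
        hop = {"url": url, "scheme": parts.scheme, "host": parts.hostname, "status": status}
        if parts.scheme == "https":
            # The cert is validated only against the host of *this* connection.
            hop["cert_ok"] = cert_covers(parts.hostname, certs.get(parts.hostname, []))
        else:
            hop["cert_ok"] = None  # plaintext hop: nothing to validate, nothing to warn about
        next_url = None
        if status in REDIRECT_STATUSES and "location" in headers:
            next_url = urljoin(url, headers["location"])  # Location may be relative
        hop["downgrade"] = bool(next_url) and parts.scheme == "https" and urlsplit(next_url).scheme == "http"
        hops.append(hop)
        if next_url is None:
            return hops
        url = next_url
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    for start in ("https://www.bing.com/", "https://gmail.com/"):
        for hop in walk(start):
            print(hop)
```

Running it shows the bing chain as one https hop whose certificate does not cover www.bing.com (a browser would stop here unless told to proceed) followed by a downgrade to a plain http hop with no certificate, and the gmail chain as two https hops that each pass their own hostname check; the mail.google.com certificate never has to mention gmail.com because it is never presented on a connection to gmail.com. A deployment that wants to catch the first pattern can treat any hop with downgrade set to True as a finding.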
