Reputation: 19
My WordPress client no longer wants SSL encryption. Currently, I have the following in .htaccess
to force SSL encryption:
RewriteEngine on
# Strip the "www." prefix and send the visitor to the bare host over HTTPS
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
# Anything that is still plain HTTP gets a permanent redirect to HTTPS
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Previous visitors' browsers will automatically try for HTTPS because of the 301 I believe. How can I move to HTTP (unsecure) without having previous visitors run into issues?
Upvotes: 1
Views: 320
Reputation: 45829
I can't think of any good reason why you would want to do this; especially in 2017. There are a number of factors against you:
You need to still keep a valid SSL cert in place in order to redirect from HTTPS back to HTTP. You would need to do this for all the inbound links to https, search engine indexes, bookmarks, etc. As mentioned in this other question, without a valid SSL cert in place, the user sees a browser warning before the request even reaches your site. (If you need to keep the SSL cert in place then why not use it properly?)
Any browser that has cached the HTTP to HTTPS 301 redirect will naturally be redirected to the HTTPS site. Without a valid SSL cert they will see a browser warning. With a valid SSL cert the user will be redirected back to HTTP (but this also depends on whether the page/resources are also cached). However, this can result in a (partial) redirect loop - depending on the browser, you might get a momentary warning (ERR_TOO_MANY_REDIRECTS) before the browser resolves the conflict. Some browsers may not resolve the conflict, so the user may be left looking at an error until they manually clear their browser cache.
To minimise this redirection issue, reduce all caching to a bare minimum and change any essential redirects to 302 (temporary) far in advance of moving back to HTTP. Neither of which is ideal.
Google Chrome currently warns users when they are entering username/password and/or payment information over an insecure (HTTP) connection. This will naturally include logging into WordPress. You get a "Not Secure" message in the browser's address bar. Google plan to extend this behaviour to Incognito mode (all sites) and eventually to everything. This will make it very difficult for any site to stay on plain old HTTP.
See the following related question on the Pro Webmasters stack:
And Google's Security Blog post announcing the proposed changes:
With the introduction of free/automated CAs like Let's Encrypt it's not so much a money-thing these days if you simply want to enable encryption.
So, I think educating your client would be the better option.
Upvotes: 1
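The cached-301 loop the answer describes, modelled as an added example that is not part of the question or the answer: a simplified browser that remembers 301 responses (and not 302s) and replays them without contacting the server, visiting a constructed `example.com` once while HTTPS is forced and once after the site reverses the redirect. It ignores caching of the pages themselves and uses an arbitrary hop limit in place of a real browser's.

```python
"""Added example: why returning visitors hit ERR_TOO_MANY_REDIRECTS after a
site moves back from HTTPS to HTTP, and why a 302 forward redirect does not."""
from typing import Callable, Dict, List, Optional, Tuple

MAX_HOPS = 20  # constructed stand-in for a browser's redirect limit

Server = Callable[[str], Tuple[int, Optional[str]]]


class Browser:
    """Remembers 301 redirects and replays them without asking the server."""

    def __init__(self) -> None:
        self.cache: Dict[str, str] = {}

    def fetch(self, url: str, server: Server) -> str:
        hops: List[str] = [url]
        while len(hops) <= MAX_HOPS:
            if url in self.cache:              # cached 301: no request is sent
                url = self.cache[url]
            else:
                status, location = server(url)
                if status == 200:
                    return f"200 {url}"
                if status == 301:              # permanent: remembered
                    self.cache[url] = location
                url = location                 # 301 and 302 are both followed
            hops.append(url)
        return "ERR_TOO_MANY_REDIRECTS"


def make_server(force_https: bool, status: int) -> Server:
    """Constructed site: HTTP->HTTPS before the move, HTTPS->HTTP after it."""
    def respond(url: str) -> Tuple[int, Optional[str]]:
        scheme, rest = url.split("://", 1)
        if force_https and scheme == "http":
            return status, "https://" + rest
        if not force_https and scheme == "https":
            return status, "http://" + rest
        return 200, None
    return respond


def simulate(forward_status: int) -> Tuple[str, str]:
    """One visit while HTTPS is forced, then one after the site is back on HTTP."""
    browser = Browser()
    before = browser.fetch("http://example.com/", make_server(True, forward_status))
    after = browser.fetch("http://example.com/", make_server(False, 301))
    return before, after


if __name__ == "__main__":
    print("forward redirect was 301:", simulate(301))
    print("forward redirect was 302:", simulate(302))
```

With the 301 in place the second visit bounces between the cached HTTP->HTTPS entry and the server's new HTTPS->HTTP answer until the hop limit is hit; with a 302 the browser asks the server each time and lands on the HTTP page directly.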