[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Lynx-dev] lynx and https,
|
From: |
Tim Chase |
|
Subject: |
Re: [Lynx-dev] lynx and https, |
|
Date: |
Mon, 23 Oct 2017 16:11:16 -0500 |
On 2017-10-23 14:48, address@hidden wrote:
> Does that mean the browser never tries to access port 80?
> This would make no sense. I suppose it would make sense if the
> browser queried the target domain first, but what difference would
> that make? What's the difference between a browser trying to access
> port 80 but being redirected to port 443 and the browser asking the
> target domain if it serves port 80?
That's the whole promise of HSTS. The first time the web-browser
connects to the site, it would include the HSTS header which asserts
"From now until $DATE, I promise will never ever ask for any resource
over HTTP(non-S), so if you see an insecure HTTP URL, it's
wrong." I don't remember the details of whether the browser is
supposed to automatically upgrade HTTP links to HTTPS or whether it
should/can be treated as an error condition.
When developing a site, you might set the valid-until-$DATE to really
short in case you break something with your certificates; then once
you have things working, set it for a nice long time-frame as an
assertion that you only communicate over encrypted connections.
-tim
- Re: [Lynx-dev] lynx and https,, (continued)
- Re: [Lynx-dev] lynx and https,, Tim Chase, 2017/10/15
- Re: [Lynx-dev] lynx and https,, Chime Hart, 2017/10/15
- Re: [Lynx-dev] lynx and https,, Tim Chase, 2017/10/15
- Re: [Lynx-dev] lynx and https,, Chime Hart, 2017/10/15
- Re: [Lynx-dev] lynx and https,, David Woolley, 2017/10/16
- Re: [Lynx-dev] lynx and https,, Tim Chase, 2017/10/16
- Re: [Lynx-dev] lynx and https,, Thomas Dickey, 2017/10/22
Re: [Lynx-dev] lynx and https,, russellbell, 2017/10/23
Re: [Lynx-dev] lynx and https,, russellbell, 2017/10/23
- Re: [Lynx-dev] lynx and https,,
Tim Chase <=