Welcome to WebmasterWorld Guest from 54.196.190.32

Forum Moderators: Ocean10000 & phranque

Message Too Old, No Replies

HTTPS wth fallback to HTTP

     
7:43 pm on Feb 26, 2018 (gmt 0)

Junior Member

joined:Feb 22, 2018
posts:146
votes: 22


Hi

This is not especially for Apache, but I couldn't find where else to post.

Reading at some other topics about HTTPS, and problems with old browsers/OS, I was wondering if there is a way to address this.

Like for example, if a browser doesn't support a particular HTTPS configuration (SNI, cipher list, etc...), to fall back to a normal HTTP connection.

I guess it's not possible, because it could certainly be exploited by hackers, but I though I had nothing to loose asking.
8:48 pm on Feb 26, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1982
votes: 330


Asked and answered ;-) A fallback would undermine the whole thing. And if the handshake fails, there's no connection to provide a fallback on.

You can support non-SNI clients by not relying on SNI. Ciphers, like protocol versions, simply have to go once they become insecure.
9:52 pm on Feb 26, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15253
votes: 691


In theory you could achieve it by simply not having a protocol-based redirect at all, letting the site remain accessible by both HTTP and HTTPS. In practice you'd want a good deal of user-agent detection, so only the very oldest browsers are exempted from the redirect. And then you'd have to pay keen attention to all HTTP requests to make sure you don't have malign robots getting in the easy way.
12:14 am on Feb 27, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 890


@lucy24 - yes, but why... to enable a few stubborn luddites, giving them reason not to join the present? These are the same guys that keep that fertile breeding ground for viruses alive.

It would also be a nightmare to maintain.
1:22 am on Feb 27, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15253
votes: 691


a few stubborn luddites
Didn't you yourself only just get through talking in a different thread about visitors from Third World countries who may not have much choice? Even in North America you'll get things like impoverished reservation schools creaking along on satellite connections using a donated computer from 1997. That's why we all keep stressing that access control is a matter of individual decisions rather than one size fits all.
1:51 am on Feb 27, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 890


Didn't you yourself only just get through talking in a different thread about visitors from Third World countries...
Yeah, but I certainly wasn't defending them :)

I was giving the only example I've encountered when switching to HTTPS that could cause a drop in traffic.

...who may not have much choice?
They certainly have *many* choices. Even if they were on a limited budget, M$ was giving away Windows 10 for FREE for over a year. All they had to do was click a button. If their machines didn't have the specs to upgrade, it should be tossed anyway IMO.

Older machines/browsers that have EoL'd and no longer receive security updates are probably the most to blame for viruses and malicious attacks because they are vulnerable.

- -
8:47 am on Feb 27, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1982
votes: 330


It's a fine line between backward compatibility and taking away the incentive to upgrade.

Selfish beings that we are, I'd say the "nightmare to maintain" argument is most likely to sway us ;-)
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members