HTTPS wth fallback to HTTP

Forum Moderators: phranque

Message Too Old, No Replies

HTTPS wth fallback to HTTP

TravisDGarrett

7:43 pm on Feb 26, 2018 (gmt 0)

Hi

This is not especially for Apache, but I couldn't find where else to post.

Reading at some other topics about HTTPS, and problems with old browsers/OS, I was wondering if there is a way to address this.

Like for example, if a browser doesn't support a particular HTTPS configuration (SNI, cipher list, etc...), to fall back to a normal HTTP connection.

I guess it's not possible, because it could certainly be exploited by hackers, but I though I had nothing to loose asking.

robzilla

8:48 pm on Feb 26, 2018 (gmt 0)

Asked and answered ;-) A fallback would undermine the whole thing. And if the handshake fails, there's no connection to provide a fallback on.

You can support non-SNI clients by not relying on SNI. Ciphers, like protocol versions, simply have to go once they become insecure.

lucy24

9:52 pm on Feb 26, 2018 (gmt 0)

In theory you could achieve it by simply not having a protocol-based redirect at all, letting the site remain accessible by both HTTP and HTTPS. In practice you'd want a good deal of user-agent detection, so only the very oldest browsers are exempted from the redirect. And then you'd have to pay keen attention to all HTTP requests to make sure you don't have malign robots getting in the easy way.

keyplyr

12:14 am on Feb 27, 2018 (gmt 0)

@lucy24 - yes, but why... to enable a few stubborn luddites, giving them reason not to join the present? These are the same guys that keep that fertile breeding ground for viruses alive.

It would also be a nightmare to maintain.

lucy24

1:22 am on Feb 27, 2018 (gmt 0)

a few stubborn luddites

Didn't you yourself only just get through talking in a different thread about visitors from Third World countries who may not have much choice? Even in North America you'll get things like impoverished reservation schools creaking along on satellite connections using a donated computer from 1997. That's why we all keep stressing that access control is a matter of individual decisions rather than one size fits all.

keyplyr

1:51 am on Feb 27, 2018 (gmt 0)

Didn't you yourself only just get through talking in a different thread about visitors from Third World countries...

Yeah, but I certainly wasn't defending them :)

I was giving the only example I've encountered when switching to HTTPS that could cause a drop in traffic.

...who may not have much choice?

They certainly have *many* choices. Even if they were on a limited budget, M$ was giving away Windows 10 for FREE for over a year. All they had to do was click a button. If their machines didn't have the specs to upgrade, it should be tossed anyway IMO.

Older machines/browsers that have EoL'd and no longer receive security updates are probably the most to blame for viruses and malicious attacks because they are vulnerable.

- -

robzilla

8:47 am on Feb 27, 2018 (gmt 0)

It's a fine line between backward compatibility and taking away the incentive to upgrade.

Selfish beings that we are, I'd say the "nightmare to maintain" argument is most likely to sway us ;-)