https:// versus http:// - why would it be a problem?

There’s a story on the BBC News page about problems caused by an incorrect URL given in a letter sent to exam candidates, for a site to access results.

The correct URL is https://res.sqainfo.net
The “incorrect” one is http://res.sqainfo.net

I know what the difference is between https and http, but surely

a) hardly anyone would bother typing in the “http://” part and would just type “res.sqainfo.net”, and
b) even if you type in http://… any browser I try will automatically redirect to https:// if it detects a secure site.

Why would this have caused any problems at all?

And the browser would in all likelihood default to using http.

Does the browser do the redirect, or does the webserver issue a http redirect? If the webserver in question did not issue a redirect, then there would be a big problem.

Hmm, I guess that could be it. I assumed it was a browser thing, as I have never ever typed in https:// when visiting secure sites, but maybe the server has to be set up with a redirect?

Looks like SQA have sorted out a redirect now. A bit of a story about nothing, but exam results do conveniently fall in the middle of silly season, so there’s a lot of bored journalists looking for anything which remotely seems like a story.

If the site accepts both http (port 80) and https (port 443, SSL) connections, then failing to include the “s” will mean a difference - you’ll be connecting in essentially clear text, bad for security if you’re sending a username and password.

You can set your site to accept ONLY https connections across the whole site, or just for pages that require security, like logins.

If you do that, then your server will serve up an error page if you forget the “S”.

If the site owners don’t want that to happen, they can replace the generic error page for that error with a custom page that redirects to the https URL.

All the above applies to IIS. Other web servers may do things differently.

It does depend on how things are set up. You can redirect an http:// link to the correct https:// site, but if you forget, typing the url (without the “https://”) will go to the http. If the site isn’t redirected or set up to change http to https, then you get a 404 error.

From a usability point of view, it’s usually not a big deal. Like others said, the server will most often redirect you or otherwise deal with it.

From a security perspective, however, it can be dangerous to rely on the server redirect. HTTPS does two things that regular HTTP does not: One, it secures data between you and the server (encryption); and two, it makes sure that the website at a given address is really the website it claims to be (authentication).

One: Not every website will automatically redirect you to the secure version – Gmail and Amazon are two examples, and there are others. The security of HTTPS costs more in terms of server resources, so sometimes web servers will just give you the plaintext, HTTP version unless you specifically ask for a secure connection. This means that the data you send can be seen by anybody who can monitor your connection… a potential problem at workplaces, schools, and places with insecure wireless connections.

Two: Although more of a theoretical issue than a practical concern, regular HTTP provides no authentication. It’s theoretically possible for a middleman to put up a fake version of a given website and feed it to you through your internet connection. Without HTTPS, your browser would have no way of knowing it was fake. For example, if you were accessing the Internet through a router, an unscrupulous administrator could mess with the router software or DNS settings and take you to any page of his own making when you type in res.sqainfo.net or gmail.com. Or if you’re sitting at a cafe with an insecure wireless hotspot, a bored hacker could theoretically do something similar. If you’ve ever been at a Starbucks and tried to access the Internet through the T-Mobile hotspot, you’ll notice that any URL you type in will first take you to the T-Mobile login page… now imagine if somebody replaced that login page with a fake (but real-looking) login page for the site you were actually trying to access. You type in your info, and now they have your login.

On the other hand, if you manually type in HTTPS from the beginning, you’re telling your browser to forcibly seek out proper security certificates before showing you the website, making these “man-in-the-middle” attacks more difficult. A middle-man could try the same thing as before, but because he wouldn’t have the official sqainfo.net or Amazon.com or whatever security certificate, your browser would give you an error.
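The thread turns on two questions: whether the server sends a redirect when it gets a plain-HTTP request, and why relying on that redirect is only a partial fix. The following Python is an added example, not code from the thread or from SQA; the allowlist hostname, the sample responses and the HSTS header value are constructed assumptions. It shows what a port-80 handler should return (a 301 to the same URL under https://, never reflecting an unknown Host header into the Location), how to classify a captured plain-HTTP response the way the posters above reason about it, and how to check an HTTPS response for the Strict-Transport-Security header that tells a browser to stop trying http:// at all.

```python
"""http:// vs https://: what a server should do, and how to check what it does."""
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist: the hosts this server is willing to redirect for.
# Reflecting an arbitrary Host header into Location: would let anyone who
# can send a request turn the server into an open redirect.
ALLOWED_HOSTS = {"res.sqainfo.net"}

# Constructed policy: one year, subdomains included. Browsers ignore this
# header when it arrives over plain HTTP, so it belongs on HTTPS responses only.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def plain_http_response(host, path="/", query=""):
    """Response for a request that arrived on port 80.

    Returns (status, headers, body). A known host gets a 301 to the same
    path and query under https://; anything else gets 400 so the Host
    header is never copied into a redirect.
    """
    host = host.split(":", 1)[0].lower()          # drop an explicit :80
    if host not in ALLOWED_HOSTS:
        return 400, [("Content-Type", "text/plain")], b"Bad Request"
    if not path.startswith("/"):
        path = "/" + path
    location = urlunsplit(("https", host, path, query, ""))
    return 301, [("Location", location), ("Content-Length", "0")], b""


def https_response_headers(extra=None):
    """Headers an HTTPS response should carry so the browser remembers to use TLS."""
    return [("Strict-Transport-Security", HSTS_VALUE)] + list(extra or [])


def classify_plain_http_response(status, headers, requested_host):
    """Label a response captured from an http:// request to requested_host.

    'redirects-to-https'  - the safe case the thread assumes
    'redirects-elsewhere' - a redirect, but not to https on the same host
    'serves-in-clear'     - content (possibly a login form) over plaintext
    'error'               - no content and no redirect (e.g. the 403/404 case)
    """
    hdrs = {k.lower(): v for k, v in headers}
    if status in (301, 302, 307, 308):
        target = urlsplit(hdrs.get("location", ""))
        if target.scheme == "https" and target.hostname == requested_host:
            return "redirects-to-https"
        return "redirects-elsewhere"
    if 200 <= status < 300:
        return "serves-in-clear"
    return "error"


def hsts_max_age(headers):
    """Return the max-age from a Strict-Transport-Security header, or None."""
    for k, v in headers:
        if k.lower() == "strict-transport-security":
            for directive in v.split(";"):
                name, _, value = directive.strip().partition("=")
                if name.lower() == "max-age" and value.isdigit():
                    return int(value)
    return None


# Constructed sample responses, as a monitoring script might capture them.
SAMPLES = {
    "good":  (301, [("Location", "https://res.sqainfo.net/")]),
    "clear": (200, [("Content-Type", "text/html")]),
    "other": (302, [("Location", "http://other.example/")]),
    "err":   (404, [("Content-Type", "text/html")]),
}


def audit_samples(requested_host="res.sqainfo.net"):
    """Classify every constructed sample against the requested host."""
    return {name: classify_plain_http_response(s, h, requested_host)
            for name, (s, h) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name}: {verdict}")
    print(plain_http_response("res.sqainfo.net", "/results", "id=123"))
    print(hsts_max_age(https_response_headers()))
```

The classifier is the check a site owner would run from outside: only `redirects-to-https` means a typed http:// address is harmless, and even then the first plaintext request is still visible on the wire, which is why the HTTPS response carries HSTS so later visits skip http:// entirely.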