2

Hi there,

I want to convert my whole website from HTTP to HTTPS. Here are some questions:

  1. Should we have both 80 and 443 open?
  2. When I access https://mypage.mydomain.com, does the traffic come to 80 or 443?
  3. Should all the browsers accessing HTTPS have certificates installed?
  4. What happens if there is no certificate installed on the browser? Does it direct the traffic to 80?

Any suggestions/comments will be highly helpful.

Regards, Deepak

3 Answers

7

1 - You'll need port 80 open for people who don't specify the protocol, i.e. they just type www.domain... You'll also need a redirect to bump these people to port 443.

2 - 443. Make sure that all resources (images, CSS, JavaScript, etc.) are also HTTPS, or you'll get a mixed content warning.

3 - Client browsers won't need anything special as long as your SSL certificate is issued by a known provider. Most browsers have lots of trusted authority certificates packaged with them (sorry, not exactly sure of the correct terminology).

4 - See above; shouldn't apply at all.

Antony
  • 488
1
  1. Maybe. You could put a holding page on port 80 and redirect to the HTTPS version. This may save users having to remember they are supposed to use HTTPS.
  2. 443

3 & 4 are confusing. What do you mean by browser certificates? Most browsers have some trusted root certificates installed (or use the operating system's trusted certificates). What they won't have is a certificate of their own, identifying them, unless you're in a corporate environment that has issued them.

If in 4 you are asking what happens if a browser encounters a certificate error (like a self-signed certificate it doesn't know if it can trust), then that's browser-dependent. Generally they warn the user and ask them if they want to continue.

blowdart
  • 206
  • 2
  • 3
1
  1. You need only keep 80 if you still want to allow plain HTTP access.
  2. Access to HTTPS will default to 443.
  3. No. The browser does not need a certificate installed; for HTTPS it's the server which requires the certificate. If the server's certificate authority does not ultimately track back to a known root certificate authority, then the browser does give the user a warning that the site certificate cannot be fully authenticated. However, this does not prevent HTTPS if the user chooses to continue.
  4. See 3.