1

Edit: this question is more complete than mine.

I sometimes login to a website that provides both HTTP and HTTPS, even for the login page. Although I use HTTPS to encrypt my credentials, it would be easy to make the mistake of using HTTP, and transmit the credentials for the world to see. Is there any reason for a site not to redirect to HTTPS?

Dan R.
  • 113
  • 3
  • 3
    "I sometimes login to a website that provides both HTTP" Browsers will today frown upon that, see https://www.thesslstore.com/blog/firefox-chrome-warning-about-insecure-login-pages/; "Although I use HTTPS to encrypt my credentials" That may not provide any benefit if the login page was over HTTP because it could have been hijacked in the transport with changes in the form or just adding a script copying the data entered elsewhere. The login page itself MUST BE fetched over HTTPS, and preferably without any redirection (At least not from HTTP world). A local ookmark (to HTTPS) is best. – Patrick Mevzek Sep 05 '21 at 03:35
  • 1
    Related: What is the benefit of forcing a site to load over SSL (HTTPS)? – Maximillian Laumeister Sep 05 '21 at 04:18
  • 1
    This answer on ServerFault is a good answer to your question.

    https://serverfault.com/questions/841954/is-there-any-reason-not-to-enforce-https-on-a-website

     – Mike Ciffone Sep 05 '21 at 04:42
  • I closed this question because it was written from the perspective of somebody using somebody else's website. If you were to edit this to make it about your own website, it would be on-topic here. – Stephen Ostermiller Sep 05 '21 at 10:02
  • 1
    "...both HTTP and HTTPS, even for the login page" - Note that what is important is where the form is submitted to. The page itself might be HTTP, but if the <form> submits to HTTPS then the form submission is encrypted. – MrWhite Sep 05 '21 at 11:14

1 Answers1

1

There are very few good reasons and its most likely a badly setup site nothing more. It is not uncommon for hosting providers to set up both http and https for a site for maximum flexibility & and to expect the application to do the appropriate redirection.

In some corner cases http can make sense - if the site data is not sensitive and it is communicating with old or very low power devices (https has a high computational overhead, including the negotiation and computation of the encryption. It also requires updates for certs. Some simple devices - like IOT hardware- may simply not have the capacity to handle this. (An IOT computer xan be had for $5 - not much power on them)

davidgo
  • 7,904
  • 1
  • 18
  • 26