HTTPS Goofs: Forgetting the Bare Domain

As I mentioned, the top failure of HTTPS is failing to use it, and that’s particularly common in in-bound links sent via email, in newsletters, and the like. Unfortunately, there’s another common case, whereby the user simply types your bare domain name (example.com) in the browser’s address bar without specifying https:// first. For decades, manyContinue reading “HTTPS Goofs: Forgetting the Bare Domain”

As I mentioned, the top failure of HTTPS is failing to use it, and that’s particularly common in in-bound links sent via email, in newsletters, and the like.

Unfortunately, there’s another common case, whereby the user simply types your bare domain name (example.com) in the browser’s address bar without specifying https:// first.

For decades, many server operators simply had a HTTP listener sitting at that bare domain, redirecting http://example.com to https://www.example.com, changing from insecure HTTP to secure HTTPS and redirecting from the apex (base) domain to the www subdomain.

However, providing HTTPS support on your www subdomain isn’t really enough, you must also support HTTPS on your apex domain. Unfortunately, several major domains, including delta.com and royalcaribbean.com do not have HTTPS support for the apex domain, only the www subdomain. This shortcoming causes two problems:

  1. It means you cannot meet the submission requirements to HSTS-Preload your domain. HSTS preloading ensures that non-secure requests are never sent, protecting your site from a variety of attacks.
  2. Users who try to visit your bare domain over HTTPS will have a poor experience.

This second problem is only getting more common.

Browsers are working hard to shift all traffic over to HTTPS, adding new features including options to default all or user-typed requests to HTTPS. For some sites, like delta.com, the attempt to navigate to HTTPS on the apex domain will very slowly time out:

…while for other sites on CDNs like Akamai (who do not seem to support HTTPS for free), the user gets a baffling and scary error message because the CDN returns a generic certificate that does not match the target site:

It’s frustrating to me that Akamai even offers a “shoot self in foot” option for their customers when their competitors like Cloudflare give HTTPS away, even to sites on their free tier who don’t pay them anything.

Ideally, sites and CDNs will correct their misconfigurations, helping keep users secure and avoiding confusing errors.

On the browser developer side, it’s kinda fun to brainstorm what the browser might do here, although I haven’t seen any great ideas yet. For example, as I noted back in 2017, the browser used to include a “magic” feature whereby if user went to https://www.example.com but the cert only contained example.com, the user would be silently redirected to https://example.com to avoid a certificate error. You could imagine that the browser could introduce a similar feature here, or we could ship with a list of broken sites like Delta and Royal Caribbean and help the user recover from the site’s configuration error. Unfortunately, most of these approaches don’t meet a cost/benefit bar, so they remain unimplemented.

Please ensure that your apex domain loads properly over HTTPS!

-Eric


Print Share Comment Cite Upload Translate
APA
ericlaw | Sciencx (2024-03-29T14:48:28+00:00) » HTTPS Goofs: Forgetting the Bare Domain. Retrieved from https://www.scien.cx/2022/09/30/https-goofs-forgetting-the-bare-domain/.
MLA
" » HTTPS Goofs: Forgetting the Bare Domain." ericlaw | Sciencx - Friday September 30, 2022, https://www.scien.cx/2022/09/30/https-goofs-forgetting-the-bare-domain/
HARVARD
ericlaw | Sciencx Friday September 30, 2022 » HTTPS Goofs: Forgetting the Bare Domain., viewed 2024-03-29T14:48:28+00:00,<https://www.scien.cx/2022/09/30/https-goofs-forgetting-the-bare-domain/>
VANCOUVER
ericlaw | Sciencx - » HTTPS Goofs: Forgetting the Bare Domain. [Internet]. [Accessed 2024-03-29T14:48:28+00:00]. Available from: https://www.scien.cx/2022/09/30/https-goofs-forgetting-the-bare-domain/
CHICAGO
" » HTTPS Goofs: Forgetting the Bare Domain." ericlaw | Sciencx - Accessed 2024-03-29T14:48:28+00:00. https://www.scien.cx/2022/09/30/https-goofs-forgetting-the-bare-domain/
IEEE
" » HTTPS Goofs: Forgetting the Bare Domain." ericlaw | Sciencx [Online]. Available: https://www.scien.cx/2022/09/30/https-goofs-forgetting-the-bare-domain/. [Accessed: 2024-03-29T14:48:28+00:00]
rf:citation
» HTTPS Goofs: Forgetting the Bare Domain | ericlaw | Sciencx | https://www.scien.cx/2022/09/30/https-goofs-forgetting-the-bare-domain/ | 2024-03-29T14:48:28+00:00
https://github.com/addpipe/simple-recorderjs-demo