• Welcome to Tux Reports: Where Penguins Fly. We hope you find the topics varied, interesting, and worthy of your time. Please become a member and join in the discussions.

force certain sites to use https?

J

Jeff Strickland

Flightless Bird
"Rob" <nomail@example.com> wrote in message
news:slrni0rom3.1qi.nomail@xs8.xs4all.nl...

> You did not get it.
>
> When the server allows the choice between http and https, the URL
> and thus the user determines what you get.
> The user may want to avoid mistakenly using http instead of https.
>
> That is what the OP was asking about.

The user wants his browser to go to the HTTPS site even if he inputs HTTP,
but HTTPS is available. He wants the browser to poll the site for HTTPS, and
go there if there is one, instead of the site he typed in.
 
R

Rob

Flightless Bird
Jeff Strickland <crwlrjeff@yahoo.com> wrote:
>
> "Rob" <nomail@example.com> wrote in message
> news:slrni0roo4.1qi.nomail@xs8.xs4all.nl...
>> Jeff Strickland <crwlrjeff@yahoo.com> wrote:
>>>
>>> "Rob" <nomail@example.com> wrote in message
>>> news:slrni0q5t0.vk4.nomail@xs8.xs4all.nl...
>>>> Jeff Strickland <crwlrjeff@yahoo.com> wrote:
>>>>>
>>>>> "james" <nospam@nospam.com> wrote in message
>>>>> news:u57jMvhBLHA.5808@TK2MSFTNGP02.phx.gbl...
>>>>>> Some sites with login should use https but is optional (I guess to
>>>>>> save
>>>>>> CPU time).
>>>>>>
>>>>>> Is there a way to automatically force IE8 into https whenever I'm on
>>>>>> that
>>>>>> site?
>>>>>>
>>>>>> I know firefox has an extension that does this, but since I use both
>>>>>> browsers, I need IE8 to do this as well.
>>>>>
>>>>>
>>>>> HTTPS is controlled by the server you are visiting, not the machine
>>>>> that
>>>>> you
>>>>> are using.
>>>>
>>>> This is of course incorrect. The use of HTTPS is determined by the URL,
>>>> hence by the user.
>>>>
>>>> When you want some extension that (for certain sites) allows a
>>>> https://sitename URL and not the http://sitename URL, you may be able
>>>> to avoind insecure connections to sites that offer both options.
>>>
>>>
>>> And, I couldn't help but notice that you ignored the OP and didn't even
>>> begin to address his concerns.
>>
>> I think you just don't understand what the OP is looking for.
>>
>> E.g. a way to remind him to use https instead of http with gmail,
>> where it is optional to use either one.
>
> He already KNOWS that. His question was to force IE8 to go to the HTTPS if
> there is one.

I have not seen that in the question. I have seen a question about
forcing https for a certain site. And the indication that it can be
done in Firefox.

> IE8 does not know that there is an HTTPS until the server it
> finds tells it there is one, OR he knows there is one and tells IE8 in the
> first place.

So there could be a list of servers (manually entered by the user) that
has to be visited in https, not http. Easy.

> The existance of a secure server is not the purview of the client, it's a
> feature of the server. The user _might_ know there is a secure server, but
> there's no way that the browser will know this.

Of course it will know it. The site is in the manually entered list.
Aside from that, there is also the optional "X-Force-TLS" header that
a website can send when it has a https variant available and wants to
suggest to the user that it can be used.

> I think it is you that don't know what the OP is asking, or what the answer
> is.

I don't agree.
 
R

Rob

Flightless Bird
Jeff Strickland <crwlrjeff@yahoo.com> wrote:
>
> "Rob" <nomail@example.com> wrote in message
> news:slrni0rom3.1qi.nomail@xs8.xs4all.nl...
>
>> You did not get it.
>>
>> When the server allows the choice between http and https, the URL
>> and thus the user determines what you get.
>> The user may want to avoid mistakenly using http instead of https.
>>
>> That is what the OP was asking about.
>
> The user wants his browser to go to the HTTPS site even if he inputs HTTP,
> but HTTPS is available. He wants the browser to poll the site for HTTPS, and
> go there if there is one, instead of the site he typed in.

He did not indicate that he wanted that. You have imagined that yourself.
 
J

Jeff Strickland

Flightless Bird
"Rob" <nomail@example.com> wrote in message
news:slrni14ofd.7ua.nomail@xs8.xs4all.nl...
> Jeff Strickland <crwlrjeff@yahoo.com> wrote:
>>
>> "Rob" <nomail@example.com> wrote in message
>> news:slrni0rom3.1qi.nomail@xs8.xs4all.nl...
>>
>>> You did not get it.
>>>
>>> When the server allows the choice between http and https, the URL
>>> and thus the user determines what you get.
>>> The user may want to avoid mistakenly using http instead of https.
>>>
>>> That is what the OP was asking about.
>>
>> The user wants his browser to go to the HTTPS site even if he inputs
>> HTTP,
>> but HTTPS is available. He wants the browser to poll the site for HTTPS,
>> and
>> go there if there is one, instead of the site he typed in.
>
> He did not indicate that he wanted that. You have imagined that yourself.


<quote>
Some sites with login should use https but is optional (I guess to save CPU
time).

Is there a way to automatically force IE8 into https whenever I'm on that
site?

I know firefox has an extension that does this, but since I use both
browsers, I need IE8 to do this as well.

</quote>

He goes to a site and wants IE8 to poll for the existance of a secure
server, and display the result if there is one.

I don't know that FireFox has what he asserts or not -- I used FireFox and
found it to be seriously flawed for my purposes so I stopped using it.

A login screen does not need to be secured, but the screens that follow may
or may not need to be secured, and this is a decision made by the server.
You can visit http//www.website.com and be presented a login that is not
secure. The result of logging in could then direct you to
https//www.website.com. You might want to input https ... and the server you
arrive at will see that you are not logged in and redirect you to the
original login page that is not secured.

An example might be your bank, or an online bookstore.

They want people to puruse the site and check the products, features and
benefits in an unsecure mode, then force a login to get to your accounts ot
complete a transaction. You could input the page where your accounts are or
where you would check out, but the server would not let you in because you
have not completed the login page, which it diverts you to. The act of
entering your name is not a secure event. Viewing secure pages without
logging in is an exercise in silliness because why would anybody to to the
expense of securing information that can be found without a login?

Getting to a secure site is more to protect the visitor's private
information than it is to protect the site. An HTTPS is encrypted, and there
is little need to encrypt a webpage, but there is great need to encrypt the
visitor's credit card number. Obviously, encrypted data can flow in both
directions, but this is going to be account data and other information like
it, not the presentation of the website itself. You don't care that the page
you are on is encrypted or not UNLESS you are putting your name and credit
card data into a text box and sending it over the wire.

I have no knowledge of Firefox's asserted ability to spin silk from wool, so
I can't speak to it. But when a site is secured, the server makes the
determination, and any attempt to open a secure page without first
completing the login is completely reasonable and logical. And the login is
not -- it could be but does not have to be -- a secure event, and whether or
not it is secure is a determination of the server not the visitor.

So, I stand by my original statement (and all that follow), and you have
added nothing useful to the discussion. Thanks for playing.
 
R

Rob

Flightless Bird
Jeff Strickland <crwlrjeff@yahoo.com> wrote:
> So, I stand by my original statement (and all that follow), and you have
> added nothing useful to the discussion. Thanks for playing.

Point after point you demonstrate that you have not understood the
matter. Sleep well.
 
J

Jeff Strickland

Flightless Bird
"Rob" <nomail@example.com> wrote in message
news:slrni14rsl.7ua.nomail@xs8.xs4all.nl...
> Jeff Strickland <crwlrjeff@yahoo.com> wrote:
>> So, I stand by my original statement (and all that follow), and you have
>> added nothing useful to the discussion. Thanks for playing.
>
> Point after point you demonstrate that you have not understood the
> matter. Sleep well.

So, explain it. The OP isn't getting it either.
 
R

Rob

Flightless Bird
Jeff Strickland <crwlrjeff@yahoo.com> wrote:
>
> "Rob" <nomail@example.com> wrote in message
> news:slrni14rsl.7ua.nomail@xs8.xs4all.nl...
>> Jeff Strickland <crwlrjeff@yahoo.com> wrote:
>>> So, I stand by my original statement (and all that follow), and you have
>>> added nothing useful to the discussion. Thanks for playing.
>>
>> Point after point you demonstrate that you have not understood the
>> matter. Sleep well.
>
> So, explain it. The OP isn't getting it either.

For starters you seem to think that https is only about encryption,
while in fact it also is about authentication.

And you again iterated the mistake that a logon screen does not need
to be encrypted even after I showed it should be.

And you keep saying there should be some automatic detection of https
capability, while this was never asked. The connection to the site
should be automatically in https, but the identification of the site
(e.g. in a list) can be manual.
 
J

Jeff Strickland

Flightless Bird
"Rob" <nomail@example.com> wrote in message
news:slrni14ue7.7ua.nomail@xs8.xs4all.nl...
> Jeff Strickland <crwlrjeff@yahoo.com> wrote:
>>
>> "Rob" <nomail@example.com> wrote in message
>> news:slrni14rsl.7ua.nomail@xs8.xs4all.nl...
>>> Jeff Strickland <crwlrjeff@yahoo.com> wrote:
>>>> So, I stand by my original statement (and all that follow), and you
>>>> have
>>>> added nothing useful to the discussion. Thanks for playing.
>>>
>>> Point after point you demonstrate that you have not understood the
>>> matter. Sleep well.
>>
>> So, explain it. The OP isn't getting it either.
>
> For starters you seem to think that https is only about encryption,
> while in fact it also is about authentication.
>
> And you again iterated the mistake that a logon screen does not need
> to be encrypted even after I showed it should be.
>
> And you keep saying there should be some automatic detection of https
> capability, while this was never asked. The connection to the site
> should be automatically in https, but the identification of the site
> (e.g. in a list) can be manual.



Of course it can be manual, but so what?

The fact that a site is secure or not is driven by the site, not the
browser. The OP asked if he can set his browser to go to a secure site even
though he inputs an address to an unsecure site.

The answer to that question is no.

Can he input a secure address and go to a secure site? Sure. Could the site
reject his input because he didn't log in first? Sure. Could the log-in page
be secured or unsecured? Sure. Could a secure site allow visitation without
a login first? Sure -- although I can't think of why a Webmaster of a secure
site would want such a thing to occur.

Any of the things you say can in theory be true, or in practice be true.

But the OP asked if his browser could be directed to AUTOMATICALLY go to the
secure servers of a page if there is a secure version of an address where he
input the address as HTTP and not HTTPS.
 
R

Rob

Flightless Bird
Jeff Strickland <crwlrjeff@yahoo.com> wrote:
> The fact that a site is secure or not is driven by the site, not the
> browser. The OP asked if he can set his browser to go to a secure site even
> though he inputs an address to an unsecure site.
>
> The answer to that question is no.

YOUR answer to that question is no. But it is not the correct answer.

> But the OP asked if his browser could be directed to AUTOMATICALLY go to the
> secure servers of a page if there is a secure version of an address where he
> input the address as HTTP and not HTTPS.

No, that was not the question. The question was this:

Some sites with login should use https but is optional (I guess to save CPU
time).

Is there a way to automatically force IE8 into https whenever I'm on that
site?

I know firefox has an extension that does this, but since I use both
browsers, I need IE8 to do this as well.



Read again. It does not say "automatically force IE8 into https whenever
I'm on sites like that".

It says: "whenever I'm on that site". Read again. That site.
That means it is not something that has to detect what the capabilities
of the site are. The OP already knows that the site can do https. The
name of the site is fixed. Can be on a list. No need to do any guessing.
 
J

Jeff Strickland

Flightless Bird
"Rob" <nomail@example.com> wrote in message
news:slrni152kg.dg6.nomail@xs8.xs4all.nl...
> Jeff Strickland <crwlrjeff@yahoo.com> wrote:
>> The fact that a site is secure or not is driven by the site, not the
>> browser. The OP asked if he can set his browser to go to a secure site
>> even
>> though he inputs an address to an unsecure site.
>>
>> The answer to that question is no.
>
> YOUR answer to that question is no. But it is not the correct answer.
>
>> But the OP asked if his browser could be directed to AUTOMATICALLY go to
>> the
>> secure servers of a page if there is a secure version of an address where
>> he
>> input the address as HTTP and not HTTPS.
>
> No, that was not the question. The question was this:
>
> Some sites with login should use https but is optional (I guess to save
> CPU
> time).
>
> Is there a way to automatically force IE8 into https whenever I'm on that
> site?
>
> I know firefox has an extension that does this, but since I use both
> browsers, I need IE8 to do this as well.
>
>
>
> Read again. It does not say "automatically force IE8 into https whenever
> I'm on sites like that".
>
> It says: "whenever I'm on that site". Read again. That site.
> That means it is not something that has to detect what the capabilities
> of the site are. The OP already knows that the site can do https. The
> name of the site is fixed. Can be on a list. No need to do any guessing.


Okay, he wants to visit a specific site and force IE8 to secure mode. The
answer is still, no because the login being secure or not is determined by
the server, so forcing IE8 into HTTPS on the _page_ of the site where the
login takes place is not possible because the server does not use a secure
page for the login.

Anybody can set a Favorite to https://www.website.com, but if website.com
isn't secure, it doesn't matter. And, if it is secure and requires a login,
but the login page isn't secure, then it still doesn't matter. So, the
answer to the question is still, no.

So whether he's asking about a specific site or several specific sites that
he wants to use, the fact that the site is HTTPS is dictated by the site and
any given page on the site may or may not be served up secure; which is what
HTTPS means. The server is driving the bus on the security, or the lack
thereof. Which, is all I said on the very first day.

For the Record
I wrote the user manual for a cryptographic accelerator card, so I'm not
completely unfamiliar with the demands of secure transactions. The
encryption protocols (handshake) are processor intensive, which is why my
company developed the accelerator card. Our card took the protcol process
away from the server and crunched the numbers to spit out the key, and did
it in the perverbial blink of an eye. We understood that the protocol was
processor intensive, and visitors might leave if they had to wait too long
for pages to turn or for transactions to process.
 
You must log in or register to reply here.
Top