I noticed that Chrome doesn't seem to make an HTTP request to docs.google.com under some circumstances.
What I did, while capturing traffic using Wireshark:
Visit Google Docs, log in
Close Tab
Clear cache (Cache and hosted apps)
Visit http://docs.google.com/
I cannot find a single HTTP request to docs.google.com, all I see is SSL traffic.
I know that there are technologies like SPDY, Cache manifests and DNS CNAMEs that could interfere, but none comes to my mind that could really make the request disappear, especially after clearing the cache.
All requests to http://docs.google.com immediately redirect to https://docs.google.com/. This is hardcoded in Chrome and called HSTS.
Related
I have a website that uses HTTPS so it is secure by default.
I am aiming to send some HTTP requests from the website, but the problem is that modern versions of web browsers do not allow the use of HTTP requests inside of HTTPS sites.
So, what I am trying to do here is to make a portion of my website un-secure using HTTP instead of HTTPS, so that I can send the requests I want.
Is that possible?
If there are any other suggestions to send HTTP requests, please help me with it.
When I access to EC2 with http://XXX.XXX.XXX.XXX, the access was redirected to https://XXX.XXX.XXX.XXX.
Also, EC2 instance does not have certificate for HTTPS.
How do I stop the redirection.
By the way, I am using AMIMOTO of Wordpress.
I am looking forward to your reply.
There are 2 things to consider:
HTTPS redirect is done via server redirect, usually with HTTP status code 301. Depending on your server (nginx, apache etc) there are different ways to achieve that, but assuming it's apache, take a look at this to know what to look for
Once you are hit with redirect, modern browsers cache that 301 response for a long time. So even after you disable it you can still experience redirect. Here's example how to clear that in Chrome. This will obviously affect only your browser and if any customers hit the page, they will still be redirected for quite some time.
But best approach would undeniably be to set up and enable SSL.
In my /etc/hosts I have added an entry to point www.facebook.com to my local ip address.
Now even after deleting complete cache/browser history, why typing www.facebook.com calling https://www.facebook.com ?
This is due to HSTS.
As Troy Hunt explains:
This is Chrome saying “I’m not even going to issue that
request, instead I’m going to change it to HTTPS then try again” which
is what gives us the second request. This is key: Chrome has refused
to issue the first request over the insecure HTTP protocol.
Note the similarity to what you are describing - it automatically changed http to https.
HSTS protects against man in the middle attacks. You pointing facebook.com at localhost, is basically a man in the middle attack.
https://www.google.com/search?q=disable+hsts shows how to disable it if necessary. Or https://null-byte.wonderhowto.com/how-to/bypass-facebooks-hsts-0169414/ may work to bypass it.
I have one wordpress website, in that am getting lot of errors day by day. So I like to change my normal HTTP to HTTPS. So please can you explain it is very useful and secure for my website.
If your website does not have https in the web link this means that you do not have installed SSL. Most of the modern web browsers treat any website without SSL installed as insecure. This may be one of the reasons for your website's issues.
I found the following answers to the question of the difference between HTTP and HTTPS.
Difference between HTTP and HTTPS
To know about the reasons for using SSL follow the link given below:
Reasons for using SSL
10,000ft view...
http is an unencrypted protocol for sending and retrieving data from servers in a web browser (among other uses). https is the same protocol but wrapper in SSL, a security tool that encrypts communications between the browser and server. This is what what banks and other websites use to ensure your data (like financial info) is protected when sent to your browser and cannot be read by someone on the same network.
Checkout articles like this and google the topic for more info.
Hope this helps.
I have an IIS6 ASP.NET 2/3.5 site that ALWAYS seems to be caching anything that goes through a https request. HTTP requests always work the same, but i see old/invalid data on https requests.
I see this a lot with pages where i'm doing http rewriting--but in general, it almost seems like the site has one set of values it shows to http requests and another to https requests-- without having any backend code that renders differently based upon the scheme.
Any ideas? Does IIS have a weird ssl caching option i'm not aware of?
The ports were set up wrong in IIS-- although the domain was correct because i was using port 443 it got forwarded to another site (because of host headers setup).