[liberationtech] HTTPS links on wordpress blog post have S removed automatically, odd

[Seth David Schoen]

Frank Corrigan writes:

> I was setting up a 'secure' https contact page at:
> https://franciscorrigan.wordpress.com/2000/01/01/contactme/
> 
> But when I post a link on the above blog page, it is overwritten by
> wordpress.com to remove the S in HTTPS, this is odd.

As an HTTPS Everywhere developer, I can tell you that a lot of sites
do this for some of their URLs.  Sometimes their practices even change
from day to day.  (For example, we had one popular site that worked in
HTTPS last week, but on Monday silently started redirecting all HTTPS
URLs to their HTTP equivalents.)  The "disappearing s" is the result
of the web server sending an HTTP redirect code to the browser, which
the browser then obeys.

The basic reason for these redirections is that site administrators
have a notion of which parts of their site "can" or "should" be
accessed securely.  (For example, some administrators think that
HTTPS is appropriate for login pages and not other pages.)  That
notion can change, or can get articulated more explicitly, and can
start getting enforced by redirects.  There is no general workaround
for the redirects: if a site is configured to refuse to serve you a
page securely, there's no way to force it to do so.

A few site operators simply didn't realize that users were accessing
their sites over HTTPS (!) and are somewhat surprised to get support
requests about it.

-- 
Seth Schoen
Senior Staff Technologist                         schoen at eff.org
Electronic Frontier Foundation                    https://www.eff.org/
454 Shotwell Street, San Francisco, CA  94110     +1 415 436 9333 x107