On Fri, Aug 22, 2014 at 04:37:13PM -0500, Nico Williams wrote:

> > What this means is that a client given an http: URL in a reference is
> > always free to try out the HTTPS, just adding an S, and use result if the
> > is successful.
>
> It's too late for that though: all too often the two resources are not the
> same.
>
> Though a server could advertise that they are the same, but the client
> would first have to try HTTPS to find out, increasing latency when the
> server doesn't (which would be the common case at first).

A deeper problem occurs when the HTTP URI includes a port:

    http://example.com:8080/some/path

In that case, what would the https URI be? The approach would work
at best just for 80/443, and not anything else.

I am all too familiar (and annoyed) with https servers that deliver
content that is different from the "corresponding" http resource.
Often these are even software download links from major vendors,
that I would like to retrieve over an encrypted authenticated
channel, but can't.

--
	Viktor.