I'm reading over this page and it says that if a site is SSL and the user tries to access it via regular http, the application should not redirect the user to https. It sho
I don't see any technical risk (except for the one in the update at the end of my answer) in redirecting from HTTP to HTTPS. For example, Gmail and Yahoo Mail are doing it. You can check that by using an HTTP debugging tool (like Fiddler), where you can clearly see the 302 redirect response returned by the server.
I believe that blocking is a bad idea from a usability perspective. Many times users enter an address in the browser without specifying HTTP or HTTPS. For example, I access Gmail by typing "mail.google.com", which defaults to "http://mail.google.com" and which is automatically redirected to "https://mail.google.com". Without the automatic redirect I will always have to type the full address.
I agree with the quoted article that HTTPS is the best method against MITM attacks, but I don't agree it is the best practice against phishing. User education is indeed a key factor against phishing attacks (the users have to check that they are accessing the site from the correct domain), but in no way do you achieve that education by blocking the HTTP redirect to HTTPS.
Update: @Pedro and @Spolto are right. Special care must be taken with sensitive cookies (like session or authentication cookies), which indeed should be marked as secure, so that they will only be transmitted over HTTPS. I've missed that one. +1 to both of you guys.
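The check described in the update, as an added example that is not part of the original answer: it confirms that a plain-HTTP response is a redirect to HTTPS and lists which cookies a browser would still attach to that first unencrypted request because they lack the `Secure` attribute. The function names, host name and header values are constructed for illustration.

```python
# Added example: audit the HTTP->HTTPS redirect and the Secure flag on cookies.
# All sample data below is constructed; example.test is a placeholder host.

REDIRECT_CODES = {301, 302, 303, 307, 308}

def is_https_redirect(raw_response):
    """True if the raw HTTP response redirects to an https:// URL."""
    head = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    location = ""
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status in REDIRECT_CODES and location.lower().startswith("https://")

def cookies_exposed_on_http(set_cookie_headers):
    """Names of cookies a browser will also send over plain HTTP,
    i.e. those whose Set-Cookie header has no Secure attribute."""
    exposed = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        cookie_name = parts[0].partition("=")[0]
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
        if "secure" not in attrs:
            exposed.append(cookie_name)
    return exposed

# Constructed response to "GET http://mail.example.test/".
SAMPLE_HTTP_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://mail.example.test/\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed Set-Cookie values issued earlier by the HTTPS login page.
SAMPLE_SET_COOKIES = [
    "SESSIONID=constructed123; Path=/; HttpOnly",       # missing Secure
    "auth=constructedtoken; Path=/; Secure; HttpOnly",  # HTTPS only
    "lang=en; Path=/",                                  # not sensitive
]

if __name__ == "__main__":
    print("redirects to HTTPS:", is_https_redirect(SAMPLE_HTTP_RESPONSE))
    print("sent over plain HTTP:", cookies_exposed_on_http(SAMPLE_SET_COOKIES))
```

Any session or authentication cookie that appears in the second list travels in clear text on the request that triggers the redirect, which is the exposure the update refers to.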