On Fri, Aug 22, 2014 at 04:37:13PM -0500, Nico Williams wrote:
What this means is that a client given an http: URL in a reference is
always free to try out the HTTPS, just adding an S, and use result if the
is successful.
It too late for that though: all too often the two resources are not the
same.
Though a server could advertise that they are the same, but the client
would first have to try HTTPS to find out, increasing latency when the
server doesn't (which would be the common case at first).
A deeper problem occurs when the HTTP URI includes a port:
http://example.com:8080/some/path
In that case, what would the https URI be? The approproach would
work at best for just for 80/443, and not anything else.
I am all too familiar (and annoyed) with https servers that deliver
content that is different from the "corresponding" http resource.
Often these are even software download links from major vendors,
that I would like to retrieve over an encrypted authenticated
channel, but can't.
--
Viktor.