undefined | Better HN

0 pointsnotatoad3y ago0 comments

that appears to also be what neverssl is doing - they support https only for the purposes of redirecting to a non-ssl domain

0 comments

p1mrx3y ago

Nope, when I go to neverssl.com, it ultimately lands on an HTTPS url, e.g. https://shinyquietbrightsong.neverssl.com/online/

Edit: I'm running Chrome OS 113 beta. Maybe they changed something recently, to automatically use HTTPS unless prohibited by the server? This also happens in Guest mode with no extensions.

0xffff23y ago

Do you have HTTPS Everywhere or a similar plugin installed? If you look at the page source, it's "redirecting" in a script with this line:

    window.location.href = 'http://' + prefix + '.neverssl.com/online'

I get a plain http page on Firefox/Ubuntu.

marcosdumay3y ago

It is your browser doing that redirect, not the side.

The http://neverssl.com ends up on an http page, and so does https://neverssl.com. But that final page (the one you posted) does not itself redirect from https to http.

0xffff23y ago

neverssl seems to be doing some weird thing where it uses Javascript to load a non-https link rather than an actual redirect. I can't for the life of me guess why that would be better than a simple 301 redirect.

re3y ago

https://news.ycombinator.com/item?id=35792149

The primary goal of NeverSSL is to be useful on networks with captive portals that intercept HTTP and block HTTPS (until you have signed in). The JavaScript redirect is at least browser cacheable, whereas a 301 redirect sent via HTTPS would be useless in that scenario as it would fail to load.

shawnz3y ago

Isn't a 301 response cacheable?

re3y ago

Yes, sorry: the other piece is that NeverSSL wants to redirect to a new domain every time you visit to ensure that the page that you was actually loaded from the network and not from a cache, which a cached 301 to a fixed address wouldn't accomplish.

https://twitter.com/NeverSSL/status/1136488879106666496

mh-3y ago

Depends on the cache control headers, but yes.

j / k navigate · click thread line to collapse

0 comments

p1mrx3y ago

Nope, when I go to neverssl.com, it ultimately lands on an HTTPS url, e.g. https://shinyquietbrightsong.neverssl.com/online/

Edit: I'm running Chrome OS 113 beta. Maybe they changed something recently, to automatically use HTTPS unless prohibited by the server? This also happens in Guest mode with no extensions.

0xffff23y ago

Do you have HTTPS Everywhere or a similar plugin installed? If you look at the page source, it's "redirecting" in a script with this line:

    window.location.href = 'http://' + prefix + '.neverssl.com/online'

I get a plain http page on Firefox/Ubuntu.

marcosdumay3y ago

It is your browser doing that redirect, not the side.

The http://neverssl.com ends up on an http page, and so does https://neverssl.com. But that final page (the one you posted) does not itself redirect from https to http.

0xffff23y ago

re3y ago

https://news.ycombinator.com/item?id=35792149

shawnz3y ago

Isn't a 301 response cacheable?

re3y ago

https://twitter.com/NeverSSL/status/1136488879106666496

mh-3y ago

Depends on the cache control headers, but yes.

j / k navigate · click thread line to collapse