AnsweredAssumed Answered

Attempts to force HTTP over HTTPS

Question asked by Gerald Combs on Dec 19, 2013
Latest reply on Dec 20, 2013 by Ivan Ristić

I recently spun up an HTTPS-only server and noticed a steady stream of "400" errors resulting from attempts to connect via plain, unencrypted HTTP. It appears that a proxy somewhere is trying to force unencrypted traffic by rewriting URLs of the form

 

https://download.example.com/a.file.exe

 

to

 

http://download.example.com:443/a.file.exe

 

Is it common for web servers to be misconfigured such that they allow plain HTTP requests when they shouldn't? Does the SSL Server Test check for this?

Outcomes