Question
We have a webapp that is built to use SSL for certain (but not all) types of requests. The webapp is using multiple subdomains, the number can change. This combination of features means that the webapp requires a wildcard SSL certificate.
The webapp is used by some people, but not by a whole lot of them. We would like to keep the webapp running for those who use it, but it has been determined that, at this point in time, it is not economically justifiable to pay for the wildcard certificate.
Since the webapp has no built-in method to drop the SSL requirement (or more precisely, the webapp expects 'SSL traffic' to be coming in through a separate vhost listening to the same subdomain), I thought that the easiest solution would be to just disable the SSL and keep (unencrypted) traffic running over port 443.
My big question is:
Is it a bad idea to run non-SSL traffic over port 443 (and why)?
Explanation / Answer
That doesn't sound terribly easy to me. Clients (and I assume we're talking about browsers here) expect http traffic to be served over port 80, and https traffic over 443. In order to change this to http over 443, that's going to require that you change your URL scheme to http, and then explicitly specify the port on each URL.
So, for an https URL like this: https://example.com/some-resource you will have to change it to: http://example.com:443/some-resource.
It seems to me that if you want to remove the SSL requirement, it would be easier to leave http running on port 80 so the only change you have to make to your URLs would be to remove the s from the scheme.
If you're wondering if you can serve http traffic directly to a client that is making an https request, allowing you to leave the URL the same, no, that should not work. The client is going to try to initiate a TLS handshake and when it doesn't get a TLS response, the connection will fail.
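The behaviour described in this answer, as an added example that is not part of the original answer: a plaintext HTTP listener on an ephemeral loopback port (standing in for port 443) answers a request sent in the clear, but a client that opens with a TLS handshake, as a browser does for an https URL, cannot complete it. The handler, function names and port choice are assumptions made for the demonstration.

```python
import http.client
import http.server
import socket
import ssl
import threading


class Hello(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        body = b"plain http\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_plain_server():
    # Plaintext HTTP on 127.0.0.1, OS-chosen port (assumed stand-in for 443).
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Hello)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_http(port):
    # What http://host:port/some-resource does: send the request unencrypted.
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=3)
    conn.request("GET", "/some-resource")
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def fetch_https(port):
    # What https://host:port/ does: the first bytes sent are a TLS ClientHello.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # demo only: isolate the handshake itself
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=3) as raw:
            with ctx.wrap_socket(raw):
                return "handshake ok"
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        return f"handshake failed: {type(exc).__name__}"
```

The exact exception name depends on how the plaintext server reacts to the binary ClientHello (an HTTP error reply, a closed connection, or no reply until the timeout), but in every case no TLS session is established.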