maxpolk maxpolk -4 years ago 208
HTTP Question

Are http and https resources equivalent?

Are http and https resources equivalent? That is, does

http://example.com/ABC
refer to the same resource as
https://example.com/ABC
?

Evidence for: (1) Cookies with matching domain and path without the "secure" attribute are set and returned independent of protocol. (2) HTTP Strict Transport Security bounces you from HTTP to HTTPS with an implicit assumption the resource is the same.

Evidence against: (1) Same origin policy treats a different protocol as a different origin. (2) The HTTP RFC shows that an http and https comparison is unequal. (3) Resources for other protocols like FTP aren't equivalent to HTTP resources for the same domain (e.g., FTP server root dir different), so what magic does https have over FTP in resource equivalence to HTTP?

Answer

I am going to say - Yes - they are the same resources.

The protocol only depicts the transportation layer.

To me

http://example.com/ABC

reads like following:

At example.com, a commercial domain, I have a resource called ABC.

I read the same for the following irrespective of protocol.

https://example.com/ABC

However, web servers can be configured to present entirely different contents at the same ABC resource path based on https, but in my mind they should not do so.

However, the only caveat is if anyone wants to return some sort of warning for using plain HTTP; we now have a different meaning, but it should return 500 or some error condition for doing so.
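The two pieces of evidence in the question (same-origin policy versus cookie scoping) can be checked side by side. The following is an added example, not part of the original question or answer: it models the origin tuple of RFC 6454 and the cookie matching rules of RFC 6265 for the two URLs. The cookie objects and the function names are constructed for illustration.

```javascript
// Added illustration; cookie objects and helper names are constructed.
// Origin = (scheme, host, port) per RFC 6454. Cookie matching per RFC 6265
// ignores the scheme unless the Secure attribute is set.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol]; // URL.port is "" for the default port
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// RFC 6265 section 5.1.3 domain-match (IP-address hosts are not handled here).
function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// RFC 6265 section 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Would a user agent attach this cookie to a request for urlString?
function cookieIsSent(cookie, urlString) {
  const u = new URL(urlString);
  if (cookie.secure && u.protocol !== "https:") return false;
  return domainMatches(u.hostname, cookie) && pathMatches(u.pathname, cookie.path);
}

const httpUrl = "http://example.com/ABC";
const httpsUrl = "https://example.com/ABC";
// Constructed sample cookies: identical except for the Secure attribute.
const plainCookie = { name: "sid", domain: "example.com", hostOnly: true, path: "/", secure: false };
const secureCookie = { ...plainCookie, name: "sid_secure", secure: true };

console.log("same origin:", sameOrigin(httpUrl, httpsUrl));
for (const c of [plainCookie, secureCookie]) {
  console.log(c.name, "-> http:", cookieIsSent(c, httpUrl), "https:", cookieIsSent(c, httpsUrl));
}
```

The non-Secure cookie is attached to both requests even though the two URLs are different origins, which is why session cookies on a site that serves both schemes need the Secure attribute.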
