HTTPS Everywhere and problems accessing www.inf.ed.ac.uk

We’ve recently been getting an increased number of support tickets about problems accessing Student Services pages. The common thread in most of these tickets is that the person involved is incorrectly trying to do so using an HTTPS URL.

In the case of the Student Services pages, HTTPS access authenticates you and then only allows people with the appropriate authorisation to proceed (as the page authoring system kicks in). If the page is publicly visible, then viewing it via HTTP works just fine. For example, for students the first link below should work fine (making sure your browser shows an HTTP URL), but the second should give you an access denied error (unless you do have access permission).

It appears that some people are using HTTPS because of browser plugins like the EFF's HTTPS Everywhere. Unfortunately, it ships with a configuration that assumes all HTTP www.inf.ed.ac.uk URLs are also accessible via HTTPS (which they are not).

We have submitted a patch to the EFF to remove this incorrect assumption, but until that is accepted and published, users of this plugin (or similar) should use whatever configuration options it provides to exempt www.inf.ed.ac.uk from being forcibly redirected to HTTPS.
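The behaviour described above, sketched as an added example (not the EFF's code and not the patch that was submitted): a small evaluator for the HTTPS Everywhere ruleset XML format, plus a check that flags rewrites whose HTTPS form responds differently from the HTTP page. The two rulesets, the URL path, the status codes and the function names are constructed for illustration, and the exclusion is only an assumed form a fix could take.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset (not the shipped file): assumes every HTTP URL also works over HTTPS.
BLANKET = r"""<ruleset name="constructed: blanket rewrite">
  <target host="www.inf.ed.ac.uk" />
  <rule from="^http:" to="https:" />
</ruleset>"""

# Same ruleset plus an exclusion exempting the host (an assumed form of a fix).
EXEMPT = r"""<ruleset name="constructed: host exempted">
  <target host="www.inf.ed.ac.uk" />
  <exclusion pattern="^http://www\.inf\.ed\.ac\.uk/" />
  <rule from="^http:" to="https:" />
</ruleset>"""
# Constructed observations: URL -> HTTP status seen by an unauthorised visitor.
OBSERVED = {
    "http://www.inf.ed.ac.uk/constructed/public-page": 200,
    "https://www.inf.ed.ac.uk/constructed/public-page": 403,
}

def rewrite(ruleset_xml, url):
    """Return the URL the ruleset sends the browser to (unchanged if none applies)."""
    root = ET.fromstring(ruleset_xml)
    host = urlsplit(url).hostname or ""
    targets = [t.get("host") for t in root.findall("target")]
    if not any(t == host or (t.startswith("*.") and host.endswith(t[1:]))
               for t in targets):
        return url
    # Exclusions are checked before any rule and leave the URL untouched.
    if any(re.search(e.get("pattern"), url) for e in root.findall("exclusion")):
        return url
    for rule in root.findall("rule"):
        # Rulesets use JavaScript-style $1 backreferences; Python needs \g<1>.
        to = re.sub(r"\$(\d)", r"\\g<\1>", rule.get("to"))
        new_url, hits = re.subn(rule.get("from"), to, url, count=1)
        if hits:
            return new_url
    return url

def broken_rewrites(ruleset_xml, observed):
    """List (http_url, https_url) pairs where the forced rewrite changes the response."""
    pairs = []
    for url, status in observed.items():
        new_url = rewrite(ruleset_xml, url)
        if new_url != url and observed.get(new_url) != status:
            pairs.append((url, new_url))
    return pairs
```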

I hope that helps explain some of the confusion/problems people have been having.

Neil

PS Obviously we’d like to be in a state where HTTPS does work for all Informatics sites, but that transition will be gradual and lengthy.

PPS I’d also be interested to hear about any similar plugins that people are using that do the same thing as the EFF plugin.

About neilb

Computing staff at the University of Edinburgh. Part of the Services Unit.