CNN.com quietly turned on TLS/HTTPS over the weekend
I just noticed this. HTTP 301s to HTTPS. I say "quietly" because I can't find any official announcement. Shit, they were my go-to page for signing into hotel WiFi. Where can I go to now? http://example.com is my go-to. http://neverhttps.com is my go-to. Looks like there are plenty of other good suggestions as well :) sorry for the stupid question, but how is https a bad thing? and what does this have to do with hotel WiFi? Most hotel wifi networks require opening a browser to connect. Once you open it, the first page you go to is redirected. Because a lot of sites default to HTTPS, that redirect is detected as a MITM by the browser, and prevents you from moving on. http://neverssl.com/ is an easy way to get to the portal without an issue. As noted on NeverSSL: > [...] it [...] means that if you're relying on poorly-behaved wifi networks, it can be hard to get online. Secure browsers and websites using https make it impossible for those wifi networks to send you to a login or payment page. Basically, those networks can't tap into your connection just like attackers can't. Modern browsers are so good that they can remember when a website supports encryption and even if you type in the website name, they'll use https. NeverSSL.com is my goto All the other replies to your comment are "this is a permanent solution to the problem"; but I think to truly answer the spirit of your question, the correct answer is "yahoo.com": I mean... can you imagine Yahoo! ever getting around to adding SSL to their website? ;P I just tried http://yahoo.com and it gave me a 301 redirect to https://www.yahoo.com. (Same with http://www.yahoo.com). I use ipchicken.com, works over http for public wifi signins, and has added benefit of showing me whether I’m connected to wifi/4g/vpn via IP’s reverse DNS. Redirects are fine as long as they aren't HSTS preloaded - you can open it in an incognito window if your browser has cached the redirect. I usually use gstatic.com, which does redirect, but also gstatic.com/generate_204 is Chrome's own capive portal test page and does not redirect. There's also msftncsi.com, which (/ncsi.txt) is Microsoft's test page. I enjoy using http://www.stealmylogin.com as it seems apt (and works) Captive.apple.com or msftconnecttest.net/redirect www.neverssl.com asd.com is quick to type, and short Is this a big deal? Pretty sure they did this because of SEO reasons Safari just joined the party in displaying a warning if the connection is not using TLS/HTTPS just like other browsers do. CNN.com used to be my go to website for logging into splash pages that were blocked on HTTPS websites. Now I have to find a new one! I've been using neverssl.com example.com should be safe. They didn't move everything to HTTPs. There are still subdomains that are still HTTP, such as collection., money., go.cnn.com Searching for an announcement, I found an ironic result: http://money.cnn.com/2016/09/08/technology/google-chrome-fla... And, despite money.cnn.com being one of the Subject Alt Names on their certificate (as well as plenty of app, api and some staging domain names), that domain in particular rejects connections to port 443. Maybe their transition is incomplete and they're not ready to announce yet? I wonder if they'll ever turn comments back on, too? The internet, especially news, is a better place without it. Says a guy commenting on the internet? I think most would agree - but come on, let's not go overboard. CNN has just as much a right to exist on the internet as anyone else. it = comments ... ;) I was seeing this a couple weeks ago I've been seeing it for six months almost. Maybe https-everywhere was doing this but I also used to use CNN as a hotel WiFi sign-in gate so I noticed it back then. Funny how many people independently ended up in that same situation. How did y'all start? Strange, given the numerous anti-cryptography articles they've published...