Why doesn't www.bing.com redirect from HTTP to HTTPS?
On occasion, I’ve noticed the following HTTP referer when going through my server logs: http://www.bing.com/search?q=your+search&go=Search
(notice the HTTP part).
I thought it would be interesting to see if this HTTP referer was sent from Microsoft’s search engine as a result of someone performing a search over an unencrypted HTTP connection.
But it says HTTPS in my browser
When you visit http://www.bing.com
using a browser that implements modern security standards like Firefox, Chromium, or Safari, you’ll never even establish an initial insecure connection over HTTP. The reason for this is because those browsers already include a hardcoded list of domains that can only be accessed over an encrypted HTTPS connection. Bing.com is unsurprisingly one of the domains included in the HTTP Strict Transport Security (HSTS) preload list maintained by Google.
Bing.com HSTS policy
The following HSTS response header gets served by https://www.bing.com/
strict-transport-security: max-age=31536000; includeSubDomains; preloadThis policy instructs web browsers to only access bing.com (including subdomains) over HTTPS. However, it’s worth noting that browsers will only accept an HSTS policy when delivered over HTTPS. Consequently, websites need to provide an automatic redirection from HTTP to HTTPS.
Bing - Meet Gnome Web
Gnome Web (Epiphany) is the web browser for the GNOME desktop. This browser does not embed the HSTS preload list. In fact, the browser doesn’t implement support for HSTS at all. Please enjoy an animated GIF of Gnome Web’s interaction with http://www.bing.com/
I can’t tell if Microsoft is expecting every browser on every platform to implement and use Google’s HSTS preload list, or what’s going on here. I do find it hard to believe that Microsoft couldn’t get HTTP to HTTPS redirection right if they were trying.