Chrome testing HTTPS redirect when certificate hostname is invalid

Andy Gambles, Servertastic
Oct 27, 2016

A recent thread on Twitter highlighted a field test flag in the Chromium project that attempts to handle HTTPS certificate errors on base domains.

Essentially, if you visit https://securedomain.com and the certificate is only valid for https://www.securedomain.com, Chrome will detect this and automatically redirect the user to the www hostname without showing an error.

In the thread author's example, visiting https://onlineservices.nsdl.com resulted in Chrome redirecting him to https://www.onlineservices.nsdl.com because the non-www hostname did not have a valid certificate. The redirect only happens when a valid certificate is found on the www hostname.

You can see in this tweet that it is Chrome itself doing the redirect.

The behaviour was confirmed by Adrienne Porter Felt who works on the Chrome usability team.

This could be useful for end users frustrated with HTTPS errors caused by poor server configuration. However, it could give lax administrators who do a quick test in Chrome the false impression that a certificate is correctly configured. IE, Edge and Firefox may not implement this feature, which could result in a very different user experience.

The SSLCommonNameMismatchHandling flag currently appears only in the Chrome Canary pre-release browser.
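An added example, not from the post: a small Python check of whether the certificate a server presents actually names both the bare domain and the www hostname, so a browser test that silently redirected is not mistaken for a correct configuration. It assumes network access to the host being checked; securedomain.com is the post's placeholder, and the certificate dicts used in the test are constructed.

```python
import socket
import ssl
import sys


def cert_names(cert):
    """DNS names a getpeercert()-style dict asserts: SAN dNSName entries, CN only as a fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy certificates without a SAN extension
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard is honoured only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        rest = pattern[2:]
        _, _, host_rest = hostname.partition(".")
        # '*.securedomain.com' covers 'www.securedomain.com' but neither 'securedomain.com'
        # nor 'a.b.securedomain.com'; '*.com'-style patterns are refused outright
        return "." in rest and host_rest == rest
    return pattern == hostname


def coverage(cert, base_domain):
    """Map the base and www hostnames to whether the certificate names them."""
    names = cert_names(cert)
    return {host: any(name_matches(n, host) for n in names)
            for host in (base_domain, "www." + base_domain)}


def fetch_cert(hostname, port=443, timeout=5.0):
    """Fetch the chain-validated leaf certificate presented for hostname (via SNI), ignoring a name mismatch."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we want the certificate even when its name is wrong...
    # ...but verify_mode stays CERT_REQUIRED: with CERT_NONE getpeercert() returns an empty dict
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "securedomain.com"  # placeholder from the post
    for host in (domain, "www." + domain):
        try:
            cert = fetch_cert(host)
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}: TLS handshake failed ({exc})")
            continue
        for name, ok in coverage(cert, domain).items():
            print(f"{host} presents a certificate that {'covers' if ok else 'does NOT cover'} {name}")
```

Run it against the bare domain and the www hostname separately: the browser redirect described above means a Chrome test can pass even when the bare domain's line reports "does NOT cover".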

All certificates purchased from Servertastic for the www hostname of a base domain also secure the base domain at no extra cost.
