Can we always remove WWW from a host name?
www
is a common prefix for websites. However, at a technical level it is just another subdomain, and there's nothing special about it. If a webserver accepts both or even more DNS names, it has to be configured that way. The server decides which configuration to use based on the DNS name in the HTTP request.
The certificate served for https://india.gov.in covers india.gov.in
. It does not cover www.india.gov.in
, nor does it cover any other subdomain (foo.india.gov.in
) or other domain (example.com
). This is the most basic form of TLS certificate, and a pretty common one.
The DNS records for india.gov.in
and www.india.gov.in
don't necessarily have to go to the same place; they could resolve different IP addresses and dfferenet DNS record types. This is commonly done for hosting various applications on a single base domain, e.g. having mail.india.gov.in
go to a webmail server.
A common way for companies to deal with this sort of issue is to buy a wildcard certificate (*.india.gov.in
) to cover all their subdomains. OWASP recommends against this because you have to secure every endpoint that needs the certificate (in our example above, an attacker breaching the webmail could extract the certificate and use it to man-in-the-middle a connection to the normal website, or vice versa). A better option is to use a SAN certificate that includes just india.gov.in
and www.india.gov.in
, then set up redirects for any page requested on one domain to the other.