What stops someone from just redirecting an HTTPS connection to an HTTP version of the site?

The decision on whether to use HTTP or HTTPS is the client's.

If the user goes directly to http://example.com, an attacker could simply hijack that connection and perform a man-in-the-middle attack. If the user goes directly to https://example.com, then the attacker must spoof the SSL/TLS connection somehow; doing so without showing the user an invalid certificate warning requires the attacker to have access to a Certificate Authority's private key. This situation should never happen. Without this, the user's browser would reject the connection, not allowing the attacker to redirect.

In the case of Google and a number of other websites, they set the HTTP Strict Transport Security (HSTS) header, which causes the user's browser to cache a rule saying that they should never ever visit the site via plaintext HTTP, even if the user asks for it or Google itself redirects to an HTTP URL. The browser will automatically rewrite the URL to HTTPS, or block the request entirely. This also prevents the user from clicking through a certificate warning in most browsers; the option simply isn't there.
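As an added illustration (not part of any answer here) of the HSTS behaviour just described: a small Python model that parses the Strict-Transport-Security header, caches the policy per host the way a browser does, and rewrites later plaintext URLs, redirect targets included, to HTTPS. The host names, header values and timestamps are constructed.

```python
# Added example, not from the original answers: a minimal model of how a
# browser applies HTTP Strict Transport Security (RFC 6797); no network use.
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse 'max-age=31536000; includeSubDomains' into a policy dict."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name.lower() == "includesubdomains":
            policy["include_subdomains"] = True
    if policy["max_age"] is None:
        raise ValueError("HSTS header without max-age is invalid")
    return policy


class HstsStore:
    def __init__(self):
        self._rules = {}  # host -> (expiry, include_subdomains)

    def remember(self, host, header, now=None):
        # Only honoured on an authenticated HTTPS response; max-age=0 forgets.
        now = time.time() if now is None else now
        policy = parse_hsts(header)
        if policy["max_age"] == 0:
            self._rules.pop(host.lower(), None)
            return
        self._rules[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])

    def is_known_host(self, host, now=None):
        # Exact match always applies; a parent's rule only with includeSubDomains.
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            expiry, subs = self._rules.get(".".join(labels[i:]), (0, False))
            if expiry > now and (i == 0 or subs):
                return True
        return False

    def rewrite(self, url, now=None):
        # Upgrade http:// for a known host before the request, or a redirect
        # target, leaves the machine, so a downgrade never reaches the wire.
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known_host(parts.hostname, now):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Feed `rewrite()` the Location value of a 3xx response as well as typed URLs: for a remembered host an `http://` target comes back as `https://`, which is why the downgrade redirect the question asks about is never followed in plaintext.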


No, the DNS lookup does not tell the client if it should connect via HTTP or HTTPS. The browser decides that - if you enter an HTTP URL it will request without TLS on port 80, and if you enter an HTTPS one it will request with TLS on port 443. So it is the client, and not the server, that decides.

If the server gets a request over a protocol it does not prefer it can issue a redirect by responding with a 300 status code and a Location header. However, if the original request is over HTTPS the man in the middle would need a valid certificate to be able to send that response. And if he had that, there would be no need to redirect to HTTP in the first place.


First of all I think the biggest thing that OP missed is that SSL/TLS negotiation happens first. Only AFTER a safe connection is negotiated and validated can there be any HTTP communication. HTTPS is a big misnomer; it's just your plain old HTTP, only sent over a completely independent SSL/TLS channel.

If the real site has an SSL/TLS certificate, would that stop the hacker from redirecting let's say google.com to their own server?

Certificates are checked and TLS is established before any HTTP takes place. With a wrong cert, the connection will never be established in the first place. No room for redirects.

Doesn't the web server determine whether to connect via HTTP or HTTPS?

No, the client does. Either by opening a socket and sending the HTTP request in plain text, or by opening a socket, performing the full SSL/TLS negotiation and then sending the HTTP request.

And DNS lookup is done before they connect to the server.

Yes, but the client checks the certificate against the DNS name. So I can DNS spoof you into coming to me instead of Google, but I'll still need a certificate issued to google.com.

Couldn't they just tell the client to connect via HTTP instead of HTTPS?

No. They never get a chance to do this.