neverssl.com serves content on port 443

[jamespic]

neverssl.com is serving https traffic on port 443. The certificate on https://neverssl.com is not valid for that domain (it looks to be a wildcard for *.cloudfront.net), but otherwise the content is the same as http://neverssl.com

[njh]

Could it/should it redirect to port 80?
Or better if it refused the connection? (I don't think CloudFront allows disabling port 443).

Getting a valid certificate setup on CloudFront isn't too much effort - and Amazon Certificate Manger is free.

[unitof]

This may be by design—if it gets a valid HTTPS certificate some more security-aggressive browsers might auto-upgrade the connection to HTTPS.

[danielrparks]

Firefox in HTTPS-only mode will automatically go to the HTTPS version of the site, even though the certificate is not valid. This makes it impossible to use without disabling HTTPS-only mode, which may not be allowed by the administrator of a work computer.