cisagov / pshtt

Scan domains and return data based on HTTPS best practices
Creative Commons Zero v1.0 Universal

"Downgrades HTTPS" result inconsistent for economist.com #56

Closed garrettr closed 7 years ago

garrettr commented 7 years ago

Secure the News' score for economist.com just changed from a D to a C, indicating that HTTPS is available (that is, the site does not downgrade HTTPS to HTTP). Unfortunately, a quick visit to https://www.economist.com shows that the site is actually still downgrading HTTPS.

Even stranger, it appears that pshtt's output is inconsistent in this regard. Here's the output of three calls to pshtt run in short succession (within a 10-second span or so):

$ pshtt --json economist.com | grep Downgrades
Unexpected other requests exception.
Unexpected SSL protocol (or other) error during retry.
    "Downgrades HTTPS": true, 
$ pshtt --json economist.com | grep Downgrades
Unexpected SSL protocol (or other) error during retry.
    "Downgrades HTTPS": true, 
$ pshtt --json economist.com | grep Downgrades
Unexpected SSL protocol (or other) error during retry.
    "Downgrades HTTPS": false, 

I ran curl a couple of times in quick succession and it appears they might be doing something strange on their server. I mostly got 302 redirects to http, but I got a 200 as well:

$ curl -I https://www.economist.com
HTTP/2.0 302
age:4723
cache-control:max-age = 10800
content-length:0
content-type:text/html; charset=utf-8
date:Fri, 10 Feb 2017 18:48:38 GMT
expires:Sun, 11 Mar 1984 12:00:00 GMT
grace:none
last-modified:Fri, 10 Feb 2017 17:29:55 GMT
location:http://www.economist.com/
server:Economist Web Server
set-cookie:ec_device=false; expires=Sat, 11-Feb-2017 17:29:55 GMT; Max-Age=86400; path=/
set-cookie:rvjourney=a/30.00/a;Domain=.economist.com;Path=/
set-cookie:rvuuid=744b0bd84e575276324fa01093461e0b;Domain=.economist.com;Path=/;Max-Age=2147483647
vary:Cookie
x-cache-hits:29
x-varnish-cache:HIT
set-cookie:visid_incap_121505=HXAyBFaLQWKFm/nqsoBqAgYLnlgAAAAAQUIPAAAAAADwlOfSlUu0EI8GgwL+4Upy; expires=Sat, 10 Feb 2018 10:25:11 GMT; path=/; Domain=.economist.com
set-cookie:nlbi_121505=3yScb414szOLXcfyE5bw2QAAAADAhkTqK1/KRpaaZa4daL8M; path=/; Domain=.economist.com
set-cookie:incap_ses_569_121505=1qhbLsp9ryhozCqHk37lBwYLnlgAAAAAKqVXtKjW07UOcH/BjLdXAw==; path=/; Domain=.economist.com
x-iinfo:10-7083031-7083032 NNNN CT(70 71 0) RT(1486752518432 0) q(0 0 1 -1) r(2 2) U5
x-cdn:Incapsula

$ curl -I https://www.economist.com
HTTP/2.0 200
accept-ranges:bytes
cache-control:max-age = 60
content-encoding:gzip
content-type:text/html; charset=utf-8
date:Fri, 10 Feb 2017 18:48:40 GMT
grace:none
server:Economist Web Server
set-cookie:rvjourney=b/30.00/b;Domain=.economist.com;Path=/
set-cookie:rvuuid=532470bb8ad6db7abc2a970f239b658c;Domain=.economist.com;Path=/;Max-Age=2147483647
vary:accept-encoding
x-cache-hits:30
x-varnish-cache:HIT
set-cookie:visid_incap_121505=TiXLmJnHTUqM19wvN4y1iQgLnlgAAAAAQUIPAAAAAAC/iMw5/f8vr6M44vbQ55YR; expires=Sat, 10 Feb 2018 10:25:11 GMT; path=/; Domain=.economist.com
set-cookie:nlbi_121505=n9eibqePrSd2yIr5E5bw2QAAAACCRx6DVVu8jtBnp1CZbxla; path=/; Domain=.economist.com
set-cookie:incap_ses_569_121505=ME2eQncy5G5lziqHk37lBwgLnlgAAAAAmcBvinRCjhfzcwH/XTQzAA==; path=/; Domain=.economist.com
x-iinfo:3-4725038-4725039 NNNN CT(70 70 0) RT(1486752520224 0) q(0 0 1 -1) r(3 3) U5
x-cdn:Incapsula

I'm not sure if there's anything pshtt can do about this: pshtt's results are inconsistent because the Economist's server responses are inconsistent. Maybe they're A/B testing their HTTPS rollout? :stuck_out_tongue_closed_eyes:

I decided to file the issue anyway because the various Unexpected errors might deserve a closer look as well.
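To show the kind of check this issue calls for, here is an added example (not pshtt's own code): it parses `curl -I` style header blocks like the two above, flags a redirect from https:// to a plain http:// Location as a downgrade, and treats a mix of verdicts across repeated samples as "inconsistent" rather than trusting any single response. The sample blocks are constructed from the two responses quoted in the issue.

```python
"""Detect an HTTPS->HTTP downgrade from raw response headers and flag
inconsistent verdicts across repeated samples (the situation in this issue).
Added example, not pshtt's own code."""
from urllib.parse import urljoin, urlparse

# Constructed samples: abbreviated copies of the two `curl -I` responses above.
SAMPLE_302 = """HTTP/2.0 302
cache-control:max-age = 10800
content-type:text/html; charset=utf-8
location:http://www.economist.com/
server:Economist Web Server
x-cdn:Incapsula
"""

SAMPLE_200 = """HTTP/2.0 200
cache-control:max-age = 60
content-type:text/html; charset=utf-8
server:Economist Web Server
x-cdn:Incapsula
"""


def parse_head(raw):
    """Parse a `curl -I` style block into (status_code, {header: value})."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    status = int(lines[0].split()[1])          # "HTTP/2.0 302" -> 302
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")     # split only on the first colon
        headers[name.strip().lower()] = value.strip()
    return status, headers


def downgrades_https(raw, requested="https://www.economist.com/"):
    """True when an HTTPS request is answered by a redirect to plain http://.
    Relative Location values are resolved against the requested URL."""
    status, headers = parse_head(raw)
    if status not in (301, 302, 303, 307, 308):
        return False
    target = urlparse(urljoin(requested, headers.get("location", "")))
    return target.scheme == "http"


def sample_verdict(raw_responses):
    """Aggregate several samples: a mix of True/False means the host answers
    inconsistently (e.g. an A/B test), so no single sample should be trusted."""
    results = [downgrades_https(r) for r in raw_responses]
    if all(results):
        return "downgrades"
    if not any(results):
        return "no-downgrade"
    return "inconsistent"
```

Feeding several live `curl -I https://www.economist.com` captures to `sample_verdict` would reproduce the "inconsistent" result seen in this issue.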

garrettr commented 7 years ago

Maybe they're A/B testing their HTTPS rollout?

After reloading https://www.economist.com in my browser a couple more times, it does indeed appear that they are A/B testing their HTTPS rollout! :tada:

[screenshot attached: browser view of https://www.economist.com, 2017-02-10 10:59:16]

konklone commented 7 years ago

Closing, since it was an A/B test and inconsistent server behavior. :+1: