Ask Question Asked 9 years, 9 months ago Active 2 years, 9 months ago Viewed 29k times

62 23 I'm reading over this page and it says that if a site is SSL and the user tries to access it via regular http, the application should not redirect the user to https. It should just block him. Can someone verify the validity of this? It doesn't sound like a good idea, and I wonder what the real risk is of just forwarding the user to https. It seems that there is no technical reasons behind it, just that it's a good way to educate the user. Disable HTTP access to the domain, don’t even redirect or link it to SSL. Just inform the users this website is not accessible over HTTP and they have to access it over SSL. This is the best practice against MITM and phising attacks. This way your users will be educated that application never accessible over HTTP and when they come across to a phising or MITM attack they will know something is wrong. One of the best ways to protect your application against MITM attacks and phising attacks is educating your users. security ssl https share improve this question follow edited Aug 18 '13 at 1:23 Brad Koch 15.1k1717 gold badges9494 silver badges124124 bronze badges asked Dec 6 '10 at 10:12 sami 6,26588 gold badges2525 silver badges3737 bronze badges Ironically this site works over HTTP. – Eduardo M Jul 28 at 21:20 add a comment 6 Answers Active Oldest Votes 44 An HTTP request that includes a session ID cookie is subject to session hijacking attacks. It is important that if you do allow HTTP and redirect to HTTPS, that cookies are marked as secure. I can't see any technical reason why HTTP needs to be completely blocked either, and many sites do forward HTTP to HTTPS. When doing this it is highly advisable to implement HTTP Strict Transport Security (HSTS) which is a web security mechanism which declares that browsers are to only use HTTPS connections. HSTS is implemented by specifying a response header such as Strict-Transport-Security: max-age=31536000. Complying user agents will automatically turn insecure links into secure links, thereby reducing the risk of man-in-the-middle attacks. Additionally, if there is a risk that the certificate isn't secure, e.g. the root authority isn't recognised, then an error message is displayed and the response is not shown. share improve this answer follow edited Jul 11 '13 at 14:56 answered Dec 6 '10 at 10:36 cspolton 4,29533 gold badges2424 silver badges3434 bronze badges 7 +1. Session cookies that persist across the redirect are to be considered can be considered compromised. Usually, sites invalidate the original cookie, and create a new one to be used for HTTPS traffic (the good sites enable the secure cookie flag as well). – Vineet Reynolds Dec 6 '10 at 10:51 4 If you are offering a "secure" service use always the "Secure" flag at your session cookies! – Pedro Laguna Dec 6 '10 at 11:49 Vineet - ideally sites invalidate the original cookie, however this is still not nearly common enough, even in banking applications! – Rory Alsop Dec 6 '10 at 23:27 2 While you may not need to block HTTP completely with recent protocol enhancements like HTTP Strict Transport Security, forwarding HTTP to HTTPS is not safe because of SSL stripping attacks like Moxie Marlinspikes sslstrip. It's not even save to have HTTPS links on an HTTP page for the same reason. thoughtcrime.org/software/sslstrip – Zach Burlingame Sep 9 '11 at 2:35 CORS makes you need https – alemac852 May 13 '17 at 6:13 add a comment 25 Going from HTTP to HTTPS is actually a not-so-good idea. For example, an attacker could do a man-in-the-middle attack using a tool like ssl strip. To address this problem, you should use the HSTS protocol. It's supported by all major browsers (Internet Explorer, which is the latest adopter, is supporting it starting from IE12), and in use by many of the top sites (e.g., Paypal, Google). share improve this answer follow edited Jun 26 '14 at 1:55 answered Jun 29 '11 at 22:45 Luca Invernizzi 5,80933 gold badges2525 silver badges2626 bronze badges 7 Absolutely spot-on with the reference to sslstrip. If the client initiates the connection over HTTP to the server, the MITM can hijack the session, keeping the connection between the client and the attacker in plaintext, even if the attacker follows the HTTPS redirect on it's connection to the server. The server thinks the client is connected via HTTPS and the client thinks the site operates on HTTP. – Zach Burlingame Sep 9 '11 at 2:31 7 But wouldn't the same MITM attack work equally well on a site that simply refuses HTTP? HSTS only helps after at least one clean connection (whether HTTPS or an HTTP that wasn't attacked). – Beni Cherniavsky-Paskin Jan 24 '14 at 3:28 4 That's correct. That's why some browsers are distributed with a preloaded list of domains that should be contacted via HSTS (dev.chromium.org/sts). This mitigates the attack you describe. – Luca Invernizzi Jan 27 '14 at 23:05 1 Regarding "all major browsers", IE hasn't supported it, though they say they will in IE 12: eff.org/deeplinks/2014/02/websites-hsts – weotch Jun 25 '14 at 22:28 It is a fundamental violation of best practices to mix non-secure and secure pathways in any case. In fact, it is considered a major security breach in military communications systems. It is not the task of the implementer to second guess these things; that is exactly how so-called secure systems get breached in the first place. Changing protocols is likewise not a good idea, in my estimation. This is not something that ought to be up for debate. Secure systems are supposed to be difficult for authorized users to use. – jinzai Sep 15 '16 at 14:58 show 1 more comment 6 I don't see any technical risk (except from the one in the update at the end of my answer) on redirecting from HTTP to HTTPS. For example, gmail and yahoo mail are doing it. You can check that by using a HTTP debugging tool (like Fiddler), where you can clearly the 302 redirect response returned by the server. I believe that blocking is a bad idea from an usability perspective. Many times users are entering an address in the browser without specifing HTTP or HTTPS. For example, I access gmail by typing "mail.google.com", which defaults to "http://mail.google.com" and which is automatically redirected to "https://mail.google.com". Without the automatic redirect I will always have to type the full address. I agree with the quoted article that HTTPS is the best method against MITM attacks, but I don't agree it is the best practice against phising. User education is indeed a key factor against phising attacks (the users have to check that they are accessing the site from the correct domain), but in no way you make that education by blocking HTTP redirect to HTTPS. Update @Pedro and @Spolto are right. Special care must be taken related to sensitive cookies (like session or authentication cookies), which indeed should be marked as secure, so that they will only be transmitted over HTTPS. I've missed that one. +1 both you guys. share improve this answer follow edited Dec 6 '10 at 12:49 answered Dec 6 '10 at 10:20 Florin Dumitrescu 7,64833 gold badges3030 silver badges2929 bronze badges 2 The redirection not should be done at if the application is not using cookies with the secure flag activated an attacker can capture the cookie in the insecure request. – Pedro Laguna Dec 6 '10 at 11:51 add a comment 4 I've only just noticed this question, but I've written a couple of answers to similar questions: Webmasters.SE: How to prevent access to website without SSL connection? Force HTTPS for specific URL I don't think redirecting from HTTP to HTTPS is necessarily harmful, but this should be done carfully. What's important is that you shouldn't rely on these automatic redirections to be present during the development phase. They should at most be used for users who type the address in the browser by themselves. It's also solely the responsibility of the user to check than they're using HTTPS (and that the certificate is verified without warning) when they expect it. The actual risks of switching from HTTP to HTTPS is that you can reliably trust what was done before the switch, if you choose to keep the session. The flow and process of your website should take this into account. For example, if your users browses your shopping site and adds various items into the cart using HTTP and you plan to use HTTPS to get the payment details, you should also make the user confirm the content of their basket using HTTPS. In addition, when switching from HTTP to HTTPS, you may have to re-authenticate the user and to discard the plain HTTP session identifier, if any. Otherwise, an attacker might be able to use that cookie to move to that HTTPS section of the site too and potentially impersonate the legitimate user. share improve this answer follow