httpd-users mailing list archives

From Nick Kew <n...@webthing.com>
Subject Re: [users@httpd] How to serve https only? Is this correct?
Date Thu, 12 Jul 2012 16:20:40 GMT
On Thu, 12 Jul 2012 11:32:01 -0400
Mark Montague <mark@catseye.org> wrote:

> On July 12, 2012 11:03 , Tom Browder <tom.browder@gmail.com> wrote:
> > I like the "friendly" approach, but I made the statement, "I want to 
> > have NO http traffic on my site," because I saw in a post from a 
> > Mozilla Persona site a reference to another link that there is a 
> > possibility of a man-in-the-middle attack using it.
> 
> It is trivial to do a man-in-the-middle attack against HTTP.
> 
> HTTPS makes it harder to do man-in-the-middle (MITM) attacks, but MITM 
> attacks are still possible against HTTPS.

Up to a point, Lord Copper.

> 1. An HTTPS proxy.

Browser will warn you in no uncertain terms.  You'd need a bit of
social engineering: get a certificate for the domain whose traffic
you're snooping on, or a domain name that pretends to be something
it's not and tricks the user.

Of course the latter is facilitated by "Verified by Visa" not merely
encouraging but REQUIRING users to send secure data to an undisclosed
third party: precisely the behaviour a fraudster needs to trick
them into.

> If I were in your situation, I would prefer the solution you originally 
> posted (redirecting all HTTP requests to HTTPS) over disabling HTTPS 
> entirely because it's more user-friendly.

And if I were a man-in-the-middle, I could trivially redirect them
to my evil proxy, thus capturing the session.

> If an attacker used a MITM 
> attack against the HTTP traffic, the only thing going through your 
> server is the redirect itself.  An attacker could choose to do more 
> things than your server allows -- for example, they could proxy all HTTP 
> requests to the HTTPS virtual host on your server, thus making your 
> entire site available through them via HTTP -- but note that disabling 
> HTTP on your server will do nothing to prevent this

It'll prevent a trivial redirect as above!

> while making your 
> site harder to access for users who don't know to type "https://" in 
> their browser location bars as a part of all URLs for your site.

Why will it be harder?  If there's no "http://" URL, no one will link
to it or bookmark it in the first place.  All links to you (including
google et al) will go directly to the secure URL.


-- 
Nick Kew
