httpd-users mailing list archives
From Mark Montague <m...@catseye.org>
Subject Re: [users@httpd] How to serve https only? Is this correct?
Date Thu, 12 Jul 2012 15:32:01 GMT
On July 12, 2012 11:03 , Tom Browder <tom.browder@gmail.com> wrote:
> I like the "friendly" approach, but I made the statement "I want to 
> have NO http traffic on my site" because I saw in a post from a 
> Mozilla Persona site a reference to another link that there is a 
> possibility of a man-in-the-middle attack using it.

It is trivial to do a man-in-the-middle attack against HTTP.

HTTPS makes it harder to do man-in-the-middle (MITM) attacks, but MITM 
attacks are still possible against HTTPS.  Do a web search for "https 
man in the middle" for examples.  There are two main types of MITM 
attacks against HTTPS:

1. An HTTPS proxy.  This is easy to detect unless the proxy is able to 
sign SSL certificates using a certification authority trusted by the 
client (this could easily be set up by a company for its own 
workstations), but many users will click through certificate warnings 
without reading them.

2. Protocol or implementation vulnerabilities.  There have been a number 
of these over the years; an example of a recent one is the BEAST exploit 
( https://www.schneier.com/blog/archives/2011/09/man-in-the-midd_4.html ).

If I were in your situation, I would prefer the solution you originally 
posted (redirecting all HTTP requests to HTTPS) over disabling HTTPS 
entirely because it's more user-friendly.  If an attacker used a MITM 
attack against the HTTP traffic, the only thing going through your 
server is the redirect itself.  An attacker could choose to do more 
things than your server allows -- for example, they could proxy all HTTP 
requests to the HTTPS virtual host on your server, thus making your 
entire site available through them via HTTP -- but note that disabling 
HTTP on your server will do nothing to prevent this while making your 
site harder to access for users who don't know to type "https://" in 
their browser location bars as a part of all URLs for your site.

--
   Mark Montague
   mark@catseye.org
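For reference, the "redirect all HTTP requests to HTTPS" layout the reply above recommends, written out as a minimal httpd configuration. This is an added example, not configuration from the thread; the hostname, certificate paths and DocumentRoot are placeholders.

```apache
# Added example, not from the thread. Hostname and paths are placeholders.
# Port 80 vhost: its only job is to redirect. No content is ever served
# over plain HTTP, so an attacker intercepting port 80 traffic sees
# nothing from this server except the redirect itself.
<VirtualHost *:80>
    ServerName www.example.com
    # "Redirect" does prefix matching, so /some/path becomes
    # https://www.example.com/some/path rather than losing the path.
    Redirect permanent / https://www.example.com/
</VirtualHost>

# Port 443 vhost: the real site.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # Placeholder certificate and key locations.
    SSLCertificateFile /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    DocumentRoot /var/www/example
</VirtualHost>
```

As the reply notes, this does not stop an attacker who proxies the HTTPS vhost to users over plain HTTP; it only guarantees that your own server never answers an http:// request with anything but a redirect, and that users who type the bare hostname still reach the site.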



