On July 12, 2012 11:03, Tom Browder <tom.brow...@gmail.com> wrote:
I like the "friendly" approach, but I made the statement, "I want to have NO http traffic on my site," because I saw in a post from a Mozilla Persona site a reference to another link that there is a possibility of a man-in-the-middle attack using it.

It is trivial to do a man-in-the-middle attack against HTTP.

HTTPS makes it harder to do man-in-the-middle (MITM) attacks, but MITM attacks are still possible against HTTPS. Do a web search for "https man in the middle" for examples. There are two main types of MITM attacks against HTTPS:

1. An HTTPS proxy. This is easy to detect unless the proxy is able to sign SSL certificates using a certification authority trusted by the client (this could easily be set up by a company for its own workstations), but many users will click through certificate warnings without reading them.

2. Protocol or implementation vulnerabilities. There have been a number of these over the years; an example of a recent one is the BEAST exploit ( https://www.schneier.com/blog/archives/2011/09/man-in-the-midd_4.html ).

If I were in your situation, I would prefer the solution you originally posted (redirecting all HTTP requests to HTTPS) over disabling HTTPS entirely because it's more user-friendly. If an attacker used a MITM attack against the HTTP traffic, the only thing going through your server is the redirect itself. An attacker could choose to do more things than your server allows -- for example, they could proxy all HTTP requests to the HTTPS virtual host on your server, thus making your entire site available through them via HTTP -- but note that disabling HTTP on your server will do nothing to prevent this while making your site harder to access for users who don't know to type "https://" in their browser location bars as a part of all URLs for your site.

--
  Mark Montague
  m...@catseye.org
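The HTTP-to-HTTPS redirect that this reply recommends, written out as an added httpd configuration example. It is not from the thread or from the Apache project; the hostname, document root and certificate paths are placeholders. The last directive goes one step beyond what the reply covers: an HSTS header (mod_headers, Strict-Transport-Security) so that browsers which support it and have already visited the site over HTTPS rewrite later http:// URLs to https:// themselves and never send the plain-HTTP request that an attacker proxying the redirect would need to intercept.

```apache
# Added example: a plain-HTTP virtual host whose only job is to redirect.
# No content, authentication or application logic lives here; it all
# stays in the HTTPS virtual host below.
<VirtualHost *:80>
    ServerName www.example.com
    # mod_alias: send every request to the HTTPS host with the same path,
    # e.g. http://www.example.com/a/b -> https://www.example.com/a/b
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # Placeholder paths; use the site's real certificate and key.
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    DocumentRoot /var/www/example

    # Beyond the thread: HSTS. A browser that supports it and has seen this
    # header over a valid HTTPS connection refuses plain HTTP to this host
    # for max-age seconds (one year here), so the "proxy all HTTP requests
    # to the HTTPS vhost" attack described above only works against a
    # browser that has never reached the site over HTTPS. Requires mod_headers.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

To check the redirect from the command line, `curl -I http://www.example.com/some/path` should return a 301 whose Location header is `https://www.example.com/some/path`, and `curl -I https://www.example.com/` should show the Strict-Transport-Security header. HSTS only helps after a first successful HTTPS visit; the first-visit exposure is exactly the residual risk the reply describes, and removing the port-80 listener does not close it either.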

