On July 12, 2012 11:03, Tom Browder <tom.brow...@gmail.com> wrote:
> I like the "friendly" approach, but I made the statement, "I want to
> have NO http traffic on my site," because I saw in a post from a
> Mozilla Persona site a reference to another link that there is a
> possibility of a man-in-the-middle attack using it.

It is trivial to do a man-in-the-middle attack against HTTP.

HTTPS makes it harder to do man-in-the-middle (MITM) attacks, but MITM
attacks are still possible against HTTPS. Do a web search for "https
man in the middle" for examples. There are two main types of MITM
attacks against HTTPS:
1. An HTTPS proxy. This is easy to detect unless the proxy is able to
sign SSL certificates using a certification authority trusted by the
client (this could easily be set up by a company for its own
workstations), but many users will click through certificate warnings
without reading them.
2. Protocol or implementation vulnerabilities. There have been a number
of these over the years; an example of a recent one is the BEAST exploit
( https://www.schneier.com/blog/archives/2011/09/man-in-the-midd_4.html ).

If I were in your situation, I would prefer the solution you originally
posted (redirecting all HTTP requests to HTTPS) over disabling HTTPS
entirely because it's more user-friendly. If an attacker used a MITM
attack against the HTTP traffic, the only thing going through your
server is the redirect itself. An attacker could choose to do more
things than your server allows -- for example, they could proxy all HTTP
requests to the HTTPS virtual host on your server, thus making your
entire site available through them via HTTP -- but note that disabling
HTTP on your server will do nothing to prevent this while making your
site harder to access for users who don't know to type "https://" in
their browser location bars as a part of all URLs for your site.
--
Mark Montague
m...@catseye.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
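The redirect-only setup Mark recommends above (every HTTP request answered with a redirect to the HTTPS virtual host, nothing else served over port 80), written out as an added example. This is not the configuration from the original thread; the host name www.example.com, the certificate and key paths, and the DocumentRoot are placeholders, and it assumes httpd already has `Listen 80`, `Listen 443`, mod_ssl and mod_alias enabled.

```apache
# HTTP virtual host: serves nothing but the redirect.
# There is deliberately no DocumentRoot here. Every request for any
# path is answered with a 301 to the same path on the HTTPS host, so
# the only thing an attacker sitting on the plaintext leg can ever get
# from this server is the redirect itself.
<VirtualHost *:80>
    ServerName www.example.com
    # mod_alias: a Redirect whose URL-path is "/" keeps the rest of the
    # request path, so http://www.example.com/docs/page.html becomes
    # https://www.example.com/docs/page.html.
    Redirect permanent / https://www.example.com/
</VirtualHost>

# HTTPS virtual host: the only place content is served from.
# Paths below are placeholders for this example.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    DocumentRoot /var/www/www.example.com
</VirtualHost>

# What NOT to do on port 80: giving the plaintext virtual host a
# DocumentRoot (or the same one as the HTTPS host) serves the whole
# site over HTTP, which is exactly the exposure Tom wants to avoid.
# Shown commented out so this file stays valid.
#
# <VirtualHost *:80>
#     ServerName www.example.com
#     DocumentRoot /var/www/www.example.com
# </VirtualHost>
```

To confirm the port-80 host really does nothing but redirect, run `curl -sI http://www.example.com/some/path` after a reload: the response should be `HTTP/1.1 301 Moved Permanently` with `Location: https://www.example.com/some/path` and no body content, while the same path over `https://` returns the page. As Mark notes, this does not stop an attacker who proxies the victim's HTTP traffic to your HTTPS host on their behalf; the redirect only makes sure your own server never hands out content in the clear.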