On Thu, 12 Jul 2012 11:32:01 -0400 Mark Montague <m...@catseye.org> wrote:
> On July 12, 2012 11:03 , Tom Browder <tom.brow...@gmail.com> wrote: > > I like the "friendly" approach, but I made the statement. "I want to > > have NO http traffic on my site," because I saw in a post from a > > Mozilla Persona site a reference to another link that there is a > > possibility of a man-in-the-middle attack using it. > > It is trivial to do a man-in-the-middle attack against HTTP. > > HTTPS makes it harder to do man-in-the-middle (MITM) attacks, but MITM > attacks are still possible against HTTPS. Up to a point, Lord Copper. > 1. An HTTPS proxy. Browser will warn you in no uncertain terms. You'd need a bit of social engineering: get a certificate for the domain whose traffic you're snooping on, or a domain name that pretends to be something it's not and tricks the user. Of course the latter is facilitated by "Verified by Visa" not merely encouraging but REQUIRING users to send secure data to an undisclosed third party: precisely the behaviour a fraudster needs to trick them into. > If I were in your situation, I would prefer the solution you originally > posted (redirecting all HTTP requests to HTTPS) over disabling HTTPS > entirely because it's more user-friendly. And if I were a man-in-the-middle, I could trivially redirect them to my evil proxy, thus capturing the session. If an attacker used a MITM > attack against the HTTP traffic, the only thing going through your > server is the redirect itself. An attacker could choose to do more > things than your server allows -- for example, they could proxy all HTTP > requests to the HTTPS virtual host on your server, thus making your > entire site available through them via HTTP -- but note that disabling > HTTP on your server will do nothing to prevent this It'll prevent a trivial redirect as above! > while making your > site harder to access for users who don't know to type "https://"; in > their browser location bars as a part of all URLs for your site. Why will it be harder? If there's no "http://"; URL, noone will link to it or bookmark it in the first place. All links to you (including google et al) will go directly to the secure URL. -- Nick Kew --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
