On Thu, Jul 12, 2012 at 11:20 AM, Nick Kew <n...@webthing.com> wrote:
> On Thu, 12 Jul 2012 11:32:01 -0400
> Mark Montague <m...@catseye.org> wrote:
...
>> HTTPS makes it harder to do man-in-the-middle (MITM) attacks, but MITM
>> attacks are still possible against HTTPS.
...
> Up to a point, Lord Copper.
...
>> If I were in your situation, I would prefer the solution you originally
>> posted (redirecting all HTTP requests to HTTPS) over disabling HTTPS
>> entirely because it's more user-friendly.
>
> And if I were a man-in-the-middle, I could trivially redirect them
> to my evil proxy, thus capturing the session.
...

So, Nick, is it possible to have the server listen to port 80, send a
generic message that the user really needs to use https, and then
terminate the connection, thus preventing the MITM?

-Tom
