httpd-users mailing list archives

From Mark Montague <m...@catseye.org>
Subject Re: [users@httpd] How to serve https only? Is this correct?
Date Thu, 12 Jul 2012 16:50:55 GMT
On July 12, 2012 12:20 , Nick Kew <nick@webthing.com> wrote:
>> 1. An HTTPS proxy.
> Browser will warn you in no uncertain terms.  You'd need a bit of
> social engineering:

The browser won't warn you and you won't need social engineering if the 
certificate presented by the proxy is signed by a CA trusted by the 
user's browser.  Obtaining such certificates from commercial CAs has 
been a focus of the attacks against CAs over the past three years, for 
example: 
http://tech.slashdot.org/story/11/10/28/1954201/four-cas-have-been-compromised-since-june

A more common scenario is that someone with access to and control of your 
machine installs a certificate for their own self-created CA and then 
has this CA sign the certificates used by the HTTPS proxy.  The web 
browser will not complain (unless the user is using an add-on such as 
CertPatrol for Firefox), and the user will only notice if they inspect 
the certificate itself.

As an example (applicable to both of the cases above), here's an article 
on how to set up a transparent HTTPS proxy: 
http://blog.davidvassallo.me/2011/03/22/squid-transparent-ssl-interception/


>> If I were in your situation, I would prefer the solution you originally
>> posted (redirecting all HTTP requests to HTTPS) over disabling HTTPS
>> entirely because it's more user-friendly.
> And if I were a man-in-the-middle, I could trivially redirect them
> to my evil proxy, thus capturing the session.

And the MITM can still do this, even if your web server is not listening 
on port 80, to capture the traffic of anyone who tries to access your 
site by typing the FQDN into their web browser's address bar without 
specifying the protocol.

Granted, this will likely be a smaller set of people than if you 
accepted HTTP traffic and redirected it to HTTPS.


>> 	while making your
>> site harder to access for users who don't know to type "https://" in
>> their browser location bars as a part of all URLs for your site.
> Why will it be harder?  If there's no "http://" URL, no one will link
> to it or bookmark it in the first place.  All links to you (including
> google et al) will go directly to the secure URL.

I guess this depends on the habits of your user population.  If people 
only use links and bookmarks, then your point is valid.  However, I have 
observed my users typing "www.example.com" into the address bar of their 
web browser in order to get to sites (in addition to using web searches, 
links, and bookmarks).  Based on this observation, I'd weigh security 
against user friendliness and choose to set up HTTP-to-HTTPS redirects for 
either just / or for all URL paths for all but the most 
security-critical sites.

--
   Mark Montague
   mark@catseye.org
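
The two redirect variants Mark mentions (only / versus every URL path), written out as an httpd configuration. This is an added example, not configuration from the thread; the hostname, certificate paths and the Strict-Transport-Security line are assumptions. The HSTS header is not discussed in the thread; it is the standard mitigation for the MITM-on-port-80 problem Nick raises, because once a browser has seen it over HTTPS it rewrites later http:// requests to https:// itself and never sends them in the clear. Per RFC 6797 the header is only honoured when received over HTTPS, so it belongs in the port 443 vhost, and mod_headers must be loaded.

```apache
# Plain-HTTP vhost: exists only to hand out redirects, serves no content.
<VirtualHost *:80>
    ServerName www.example.com            # assumed hostname

    # Variant 1 ("just /"): redirect only the site root; any other http://
    # path gets a 404 from this vhost rather than a redirect.
    # RedirectMatch permanent ^/$ https://www.example.com/

    # Variant 2 ("all URL paths"): Redirect matches by prefix, so "/" catches
    # every request and the remainder of the path is appended to the target.
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt      # assumed path
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key    # assumed path

    # Not part of the thread: HSTS (requires mod_headers). After the first
    # successful HTTPS visit the browser upgrades http:// URLs locally, so the
    # window for a MITM to capture the plain-HTTP hop shrinks to the very first
    # connection from a given browser. Start with a short max-age while testing;
    # a long value is hard to undo if the HTTPS vhost later breaks.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

Only one of the two redirect directives should be active at a time; they are shown together so the difference is visible. After editing, `apachectl configtest` checks the syntax, and `curl -sI http://www.example.com/some/path` should return a 301 whose Location header points at the https:// URL.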

