On Thu, Jul 12, 2012 at 11:20 AM, Nick Kew <nick@xxxxxxxxxxxx> wrote:
> On Thu, 12 Jul 2012 11:32:01 -0400
> Mark Montague <mark@xxxxxxxxxxx> wrote:
...
>> HTTPS makes it harder to do man-in-the-middle (MITM) attacks, but MITM
>> attacks are still possible against HTTPS.
...
> Up to a point, Lord Copper.
...
>> If I were in your situation, I would prefer the solution you originally
>> posted (redirecting all HTTP requests to HTTPS) over disabling HTTPS
>> entirely because it's more user-friendly.
>
> And if I were a man-in-the-middle, I could trivially redirect them
> to my evil proxy, thus capturing the session.
...

So, Nick, is it possible to have the server listen to port 80, send a
generic message that the user really needs to use https, and then
terminate the connection, thus preventing the MITM?

-Tom
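The setup Tom asks about, written out as an added httpd configuration that is not part of the thread: port 80 answers every request with a fixed notice and never issues a redirect to https://, so the client is not handed a Location header that a device on the path could rewrite. Hostnames, paths and certificate files are placeholders, the notice file use-https.html is assumed to exist in the port-80 DocumentRoot, and mod_rewrite, mod_ssl and mod_headers are assumed to be loaded.

```apacheconf
# Added example, not from the thread. Hostnames, paths and certificate
# files are placeholders.
Listen 80
Listen 443

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/plain-http-notice

    RewriteEngine On
    # Every plain-HTTP request, whatever the path, is answered 403 with the
    # notice page below. Deliberately no Redirect/RewriteRule to https://,
    # so there is no Location header for an interceptor to rewrite.
    # The RewriteCond lets the ErrorDocument's internal redirect through
    # (httpd sets REDIRECT_STATUS on it), so the notice itself is served.
    RewriteCond %{ENV:REDIRECT_STATUS} ^$
    RewriteRule ^ - [F]
    ErrorDocument 403 /use-https.html

    # Close the TCP connection after the response rather than keeping it
    # alive, matching the "send the message, then terminate" idea.
    KeepAlive Off
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/site
    SSLEngine on
    # Placeholder certificate and key paths.
    SSLCertificateFile /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key

    # Not discussed in the thread, added here: HSTS makes a browser that has
    # reached the site once over HTTPS refuse plain HTTP for this host for a
    # year, so returning visitors never make the port-80 request at all.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Note the limit of the port-80 notice on its own: a device that can intercept the plain-HTTP connection can answer it with whatever it likes, so the notice only helps a user who reads it and then types the https:// address; the HSTS header is what removes the plain-HTTP request for browsers that have already seen the site over HTTPS.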