On July 12, 2012 12:20, Nick Kew <nick@xxxxxxxxxxxx> wrote:
> 1. An HTTPS proxy. Browser will warn you in no uncertain terms. You'd need a bit of social engineering:
The browser won't warn you and you won't need social engineering if the certificate presented by the proxy is signed by a CA trusted by the user's browser. Obtaining such certificates from commercial CAs has been a focus of the attacks against CAs over the past three years, for example: http://tech.slashdot.org/story/11/10/28/1954201/four-cas-have-been-compromised-since-june
A more common scenario is that someone with access to and control of your machine installs a certificate for their own self-created CA and then has this CA sign the certificates used by the HTTPS proxy. The web browser will not complain (unless the user is using an add-on such as CertPatrol for Firefox), and the user will only notice if they inspect the certificate itself.
As an example (applicable to both of the cases above), here's an article on how to set up a transparent HTTPS proxy: http://blog.davidvassallo.me/2011/03/22/squid-transparent-ssl-interception/
>> If I were in your situation, I would prefer the solution you originally posted (redirecting all HTTP requests to HTTPS) over disabling HTTPS entirely because it's more user-friendly.
> And if I were a man-in-the-middle, I could trivially redirect them to my evil proxy, thus capturing the session.
And the MITM can still do this, even if your web server is not listening on port 80, to capture the traffic of anyone who tries to access your site by typing the FQDN into their web browser's address bar without specifying the protocol.
Granted, this will likely be a smaller set of people than if you accepted HTTP traffic and redirected it to HTTPS.
>> while making your site harder to access for users who don't know to type "https://" in their browser location bars as a part of all URLs for your site.
> Why will it be harder? If there's no "http://" URL, no one will link to it or bookmark it in the first place. All links to you (including google et al) will go directly to the secure URL.
I guess this depends on the habits of your user population. If people only use links and bookmarks, then your point is valid. However, I have observed my users typing "www.example.com" into the address bar of their web browser in order to get to sites (in addition to using web searches, links, and bookmarks). Based on this observation, I'd weigh security against user friendliness and choose to set up HTTP-to-HTTPS redirects for either just / or for all URL paths for all but the most security-critical sites.
-- 
Mark Montague
mark@xxxxxxxxxxx
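The HTTP-to-HTTPS redirect discussed in this message, written out as an Apache httpd configuration. This is an added example, not configuration from the thread: the hostname www.example.com, the certificate paths, and the Strict-Transport-Security header are assumptions. The HSTS header is not mentioned in the thread; it is included because it addresses the window described above in which a man-in-the-middle on port 80 can redirect a typed-in FQDN elsewhere, by telling browsers that have already reached the site over HTTPS to refuse plain http:// for that host afterwards.

```apache
# Added example (not from the original thread). Hostname and certificate
# paths are placeholders. Requires mod_alias, mod_ssl and mod_headers.

# Port 80 exists only to send every visitor to the HTTPS origin.
<VirtualHost *:80>
    ServerName www.example.com

    # Redirect the whole URL space; the remainder of the request path is
    # appended to the target, so /foo/bar becomes https://www.example.com/foo/bar.
    Redirect permanent / https://www.example.com/

    # Alternative for the "just /" option from the message: redirect only
    # the root URL and let other paths on port 80 return 404.
    # RedirectMatch permanent ^/$ https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/placeholder/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/placeholder/www.example.com.key

    # HSTS (assumed addition): after one successful HTTPS visit, the browser
    # rewrites http://www.example.com/... to https:// itself for one year,
    # so a MITM on port 80 never sees the request for returning users.
    # Only set this on the HTTPS vhost; browsers ignore it over plain HTTP.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Verify the redirect with `curl -I http://www.example.com/some/path` and check that the response is a 301 whose Location header points at the https:// URL with the same path; then `curl -I https://www.example.com/` should show the Strict-Transport-Security header. First-time visitors who type the bare FQDN still make one plain-HTTP request, which is the residual exposure the message describes; HSTS removes it only for browsers that have seen the header before.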