On Thu, 09 May 2013 09:59:23 +0200, rakesh mailgroups
<[email protected]> wrote:
Hi all,
I've just been told that using HTTPS may not be secure enough for a business-to-business integration system I'm building.
I went looking for more details and I found that a man-in-the-middle attack is possible. My reading of the situation is that if a client asks for a service on port 80, the server responds with a 302 redirect to port 443 and then the communication begins encrypted.
The vulnerability is that a potential snooper on the line may see the port 80 request and instead return a different request to the client and then be able to sniff the traffic.
Could this be prevented by just getting the client to go straight to port 443?
At some point, I have to provide a URL for the other organisation to use and I could say it's https://mysecuresite.com/blah.
A call to port 80 would return forbidden or something similar.
Would that work?

If you're doing B2B, disabling port 80 is surely doable and it would just skip the vulnerable step you discussed. But I've got a question: if you use X.509 certificates to authenticate both ends, I don't see how the fraudulent redirect can harm, at least in the scenario you discussed. If you're redirected to a false peer, it shouldn't be able to authenticate with the original certificate. Unless somebody has stolen the private key at the peer, but in this case you've got other problems...
Just my 2 cents in a few minutes. The argument is clearly more complicated.
--
Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
"We make Java work. Everywhere."
http://tidalwave.it/fabrizio/blog - [email protected]
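The two points made in this thread, "never expose a plaintext port 80 that can be answered by someone else" and "a false peer cannot pass mutual X.509 authentication", can be checked end to end in a few dozen lines. The following is an added example written for this page, not code from either poster or from Tidalwave: it stands up an in-process CA, a TLS-only listener that requires a client certificate chaining to that CA, and then plays the four cases the thread discusses, including the "false peer" a forged redirect would send the client to. The host name mysecuresite.example, the certificate names, the loopback listeners and the "ok" reply are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "mysecuresite.example" // assumed name standing in for mysecuresite.com
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a self-signed CA when parent is nil, otherwise a parent-signed leaf
// valid for both TLS server and TLS client authentication (in-process demo PKI).
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	issuer, signer := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		issuer, signer = parent.Leaf, parent.PrivateKey
		tmpl.DNSNames = []string{cn} // the name the peer verifies against
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer))
	leaf := must(x509.ParseCertificate(der))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serve opens a TLS-only listener (no port-80 entry point, so no redirect to forge)
// that rejects any client whose certificate does not chain to clientCA.
func serve(serverCert tls.Certificate, clientCA *x509.Certificate) string {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA)
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}))
	go func() { // one connection at a time is enough for this demo
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			if c.(*tls.Conn).Handshake() == nil { // client certificate verified
				c.Write([]byte("ok\n"))
			}
			c.Close()
		}
	}()
	return ln.Addr().String()
}

// connect dials addr trusting only rootCA for the server and offering certs to it;
// a nil result means the server authenticated us and replied.
func connect(addr string, rootCA *x509.Certificate, certs []tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(rootCA)
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, ServerName: host, Certificates: certs})
	if err != nil {
		return err // e.g. a false peer: "certificate signed by unknown authority"
	}
	defer conn.Close()
	// Under TLS 1.3 the server's verdict on our certificate arrives after our side
	// of the handshake completes, so read the reply before declaring success.
	_, err = conn.Read(make([]byte, 3))
	return err
}

// RunScenarios plays the four cases from the thread; only the legitimate peer
// holding a certificate from the B2B CA gets a nil error.
func RunScenarios() map[string]error {
	ca := issue("B2B Root CA", nil)
	srv, cli := issue(host, &ca), issue("partner-client", &ca)
	evilCA := issue("Attacker CA", nil)
	evilSrv, evilCli := issue(host, &evilCA), issue("partner-client", &evilCA) // right names, wrong issuer
	addr, falsePeer := serve(srv, ca.Leaf), serve(evilSrv, evilCA.Leaf)       // falsePeer: where a forged redirect would send us
	return map[string]error{
		"legit peer":                connect(addr, ca.Leaf, []tls.Certificate{cli}),
		"no client certificate":     connect(addr, ca.Leaf, nil),
		"client cert from wrong CA": connect(addr, ca.Leaf, []tls.Certificate{evilCli}),
		"server cert from wrong CA": connect(falsePeer, ca.Leaf, []tls.Certificate{cli}),
	}
}

func main() { fmt.Printf("%+v\n", RunScenarios()) }
```

Two details are worth noting when reproducing this with a real server. First, the client never speaks plaintext at all: the only URL the partner gets is the https:// one, and there is nothing listening on 80, which is stronger than answering 80 with a 403 because an on-path attacker can answer a port-80 request before the real server does. Second, with TLS 1.3 the client's Handshake succeeds before the server has judged the client certificate, so a client that only checks the handshake result will believe it was accepted; reading the first application bytes, as connect does, surfaces the server's alert.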
--
You received this message because you are subscribed to the Google Groups "Java Posse" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/javaposse?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.