On July 12, 2012 12:20, Nick Kew <n...@webthing.com> wrote:
> 1. An HTTPS proxy.
> Browser will warn you in no uncertain terms. You'd need a bit of
> social engineering:
The browser won't warn you and you won't need social engineering if the
certificate presented by the proxy is signed by a CA trusted by the
user's browser. Obtaining such certificates from commercial CAs has
been a focus of the attacks against CAs over the past three years, for
example:
http://tech.slashdot.org/story/11/10/28/1954201/four-cas-have-been-compromised-since-june
A more common scenario is that someone with access and control to your
machine installs a certificate for their own self-created CA and then
has this CA sign the certificates used by the HTTPS proxy. The web
browser will not complain (unless the user is using an add-on such as
CertPatrol for Firefox), and the user will only notice if they inspect
the certificate itself.
As an example (applicable to both of the cases above), here's an article
on how to set up a transparent HTTPS proxy:
http://blog.davidvassallo.me/2011/03/22/squid-transparent-ssl-interception/
If I were in your situation, I would prefer the solution you originally
posted (redirecting all HTTP requests to HTTPS) over disabling HTTPS
entirely because it's more user-friendly.
> And if I were a man-in-the-middle, I could trivially redirect them
> to my evil proxy, thus capturing the session.
And the MITM can still do this, even if your web server is not listening
on port 80, to capture the traffic of anyone who tries to access your
site by typing the FQDN into their web browser's address bar without
specifying the protocol.
Granted, this will likely be a smaller set of people than if you
accepted HTTP traffic and redirected it to HTTPS.
>> while making your
>> site harder to access for users who don't know to type "https://" in
>> their browser location bars as a part of all URLs for your site.
> Why will it be harder? If there's no "http://" URL, no one will link
> to it or bookmark it in the first place. All links to you (including
> google et al) will go directly to the secure URL.
I guess this depends on the habits of your user population. If people
only use links and bookmarks, then your point is valid. However, I have
observed my users typing "www.example.com" into the address bar of their
web browser in order to get to sites (in addition to using web searches,
links, and bookmarks). Based on this observation, I'd weigh security
with user friendliness and choose to set up HTTP-to-HTTPS redirects for
either just / or for all URL paths for all but the most
security-critical sites.
--
Mark Montague
m...@catseye.org
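As an added illustration (not part of the thread, and not Mark's or Nick's configuration), here is what the two redirect options discussed above look like in httpd terms: one variant redirects every HTTP path, the other only the bare "/" that a user gets by typing the hostname into the address bar. The hostname, certificate paths and DocumentRoot are placeholders. The Strict-Transport-Security header is an addition of mine, not something the thread proposes; it addresses the port-80 man-in-the-middle Nick describes for returning visitors, but does nothing against a proxy presenting a certificate from a CA the browser already trusts.

```apache
# Added example, not from the thread. Placeholder hostname and paths.
# Requires mod_alias (Redirect/RedirectMatch), mod_ssl and mod_headers.

# Plain-HTTP listener: its only job is to send clients to HTTPS.
<VirtualHost *:80>
    ServerName www.example.com

    # Variant A ("all URL paths"): 301 every request, preserving the
    # requested path, so old http:// links and bookmarks still land on
    # the right page. A MITM can still intercept the http:// request
    # before it reaches this vhost; only the later HSTS header closes that.
    Redirect permanent / https://www.example.com/

    # Variant B ("just /"): use INSTEAD of Variant A to redirect only the
    # bare hostname typed into the address bar; other http:// paths are
    # not redirected and fall through to whatever else is configured here.
    # RedirectMatch permanent ^/$ https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # HSTS: after the first HTTPS visit, the browser rewrites http:// to
    # https:// itself for a year, so the unprotected port-80 request that
    # a MITM could hijack is never sent. Start with a short max-age while
    # confirming every resource under this host is reachable over HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Whichever variant is chosen, the HTTPS vhost should be the one that actually serves content; the port-80 vhost should carry nothing a user could be tricked into submitting in the clear.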