6

Our application currently has an HTTP redirect to HTTPS. Now we want to completely remove this HTTP binding for security reasons, and have our users only use HTTPS by configuring "Require SSL" in IIS.

The problem is that we still have about 10% of users that make use of this HTTP-redirect page so we cannot just turn off the HTTP-redirect. A lot of users might end up calling the helpdesk.

Now an idea is to, in a first release, have the HTTP-redirect page link to a new page which contains information on the new link to use. In a next release we can then turn on full "Require SSL".

This solution seems okay, but it would be nicer to have an HTTP redirect to the informational page and require SSL at the same time. Is this possible?

Any other suggestions regarding this issue are very welcome as well. Thanks.

user2609980

4 Answers

4

The "Require SSL" still responds without SSL, so MITM attacks are still a possibility.

To secure the site, you should use the redirect, and then send the Strict-Transport-Security header, so that after the first visit, the user's browser won't even attempt to connect without using SSL.

Further Reading

bradlis7
  • Since when are attacks coming from browsers? "...still responds without SSL...", what kind of response? – g.pickardou Feb 22 '22 at 07:22
  • @g.pickardou Man in the middle means that there's a device between the PC or browser and the server. Not the browser itself. A device could send the user trying to go to "bankly.com" to their own site ("bank1y.com") that looks the same, which allows them to trick the user into giving them info intended for the first site (login info or worse). – bradlis7 Feb 23 '22 at 23:48
2

If you turn on Require SSL then HTTP requests will fail immediately.

One trick we used (using ASP.NET) before doing the same was to check for the protocol on the default page, then issue a friendly warning, e.g.

' Runs on every load of the default page (ASP.NET Web Forms, VB.NET):
' when the request did not arrive over HTTPS, hide the login form and
' show the warning instead.
Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
    If Not Request.IsSecureConnection Then
        loginform.Visible = False
        ltl_warning.Text = "Non-secure connections will be disabled in one month, please use the secure address only: https://mysite.com"
    End If
End Sub
EvilDr
  • Thanks. If we have Require SSL this default page cannot be reached right? So this display page would be a temporary one for some time before the full switch. I guess there is no way around it? – user2609980 Jan 07 '15 at 11:34
  • could you look at my answer? – user2609980 Jan 07 '15 at 13:13
  • Yes, that's exactly right. – EvilDr Jan 07 '15 at 13:13
  • EvilDr, could you look at my answer and comment on if this is secure? – user2609980 Jan 07 '15 at 13:13
  • In terms of *secure*, what is the content you are trying to protect? You should not redirect to SSL on the client side because apparently it is susceptible to man-in-the-middle attacks. The user should have to click a link manually to switch to the SSL-based site, so I wouldn't use JavaScript if possible. – EvilDr Jan 07 '15 at 13:15
  • To be honest I'd be tempted to email your HTTP users and tell them, as some might not be logging in frequently anyway. Then, once it's HTTPS only, you'll soon find out where the gaps are! – EvilDr Jan 07 '15 at 13:25
0

It is possible to require SSL and redirect by replacing the 403.htm page with the following:

<html>
<head>
<title>Redirecting...</title>
<script type="text/javascript">
// Rebuild the requested URL with an https:// scheme and send the browser there.
function redirectHttpToHttps()
{
    var httpURL = window.location.hostname + window.location.pathname + window.location.search;
    var httpsURL = "https://" + httpURL;
    window.location = httpsURL;
}
redirectHttpToHttps();
</script>
</head>
<body>
</body>
</html>

Not sure if this solution takes into account the security issues we are trying to fix by the redirect though.

user2609980
  • As above, JS redirects aren't recommended due to man-in-the-middle attacks and spoofed redirect pages. I can't find the link to prove this as I read it ages ago, but a link the user has to click on to get to HTTPS is better. – EvilDr Jan 07 '15 at 13:26
0

Bradlis7 has the only factually correct answer here. If MITM is your worry, nothing you do on your website will fix the issue. You can have HTTP entirely disabled for your site, if there is a man-in-the-middle agent acting upon the client side it will just say "yes, there is definitely an HTTP site, follow me."

In reality you're doing far more good for your users by simply forwarding all HTTP traffic to HTTPS. Also, in my opinion, you should forward requests for any non-HTTPS URL to your home page (preferably with a note), not to the dynamic version of the requested URL, as the requested HTTP URL could have been manipulated by the third-party MITM you're worried about.

ShaneB
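Putting bradlis7's answer (redirect, then send Strict-Transport-Security) and ShaneB's answer (redirect plaintext requests to a fixed home page rather than echoing the requested path) together, this is what the server-side version looks like as an IIS web.config. It is an added example, not configuration posted by any of the answerers. It assumes the IIS URL Rewrite module is installed (it is an add-on, not part of a default IIS install), that www.example.com stands in for the site's real canonical host name, and that the home page can show a notice when it sees the hypothetical from=http query parameter.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the asker's or any answerer's configuration.
     Assumes the IIS URL Rewrite module is installed and that
     www.example.com is a placeholder for the site's canonical host name. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Inbound: every request that did not arrive over TLS gets a 301 to a
             fixed HTTPS landing page. The target is hard-coded instead of being
             built from {HTTP_HOST} or the requested path, so nothing the client
             (or a man-in-the-middle) placed in the plaintext request is reflected
             into the Location header. The from=http parameter is a hypothetical
             hook for the home page to display the "we moved to HTTPS" note. -->
        <rule name="Redirect plaintext HTTP to the HTTPS home page" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://www.example.com/?from=http" redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Outbound: add Strict-Transport-Security to responses sent over TLS only.
             Browsers ignore the header on plaintext responses (RFC 6797), and the
             inbound rule above means plaintext requests never reach content anyway.
             max-age is one year (31536000 seconds); use a short value while
             validating the deployment, because a long max-age cannot be taken
             back from browsers that have already cached it. -->
        <rule name="Add Strict-Transport-Security">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

This replaces the "Require SSL" checkbox rather than complementing it: leave it unchecked, otherwise plaintext requests are answered with the 403.4 error before the redirect rule can run, which is the situation the 403.htm trick in the answer above works around. Once the rule is active, a plaintext request is never served content, the redirect lands users on a page the site controls, and after their first HTTPS visit the HSTS header makes the browser stop trying plaintext at all; the 10% of users still typing the HTTP address therefore see the home page with its notice instead of an error or a helpdesk call. The includeSubDomains and preload directives are deliberately left out: both widen the policy to hosts this site may not control and should be added only after an explicit inventory.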