2

Currently in the process of setting up a new personal server. I've been reading about HSTS (thanks EFF!), as well as the steps for implementing on Nginx (ex: here).

What I haven't seen clearly spelled out is how to handle the initial redirect. Do I serve some static error content at port 80, redirecting to the actual site at HTTPS?

A lot of what I've read so far suggests that serving from HTTP is making your site vulnerable to MITM attacks. Others seem to suggest that as long as you have the Secure flag set on any cookies instantiated, you're good. Of course, plebeian that I am, I'm not on the preloaded HSTS site list, so that's out.

What's the deal here? Should I serve port 80 and redirect for convenience of site visitors, or am I exposing them to attack?

Full-disclosure: Non-Ops by trade, and non-secure content being served, just a hungry mind with a learning opportunity.

Community
  • 1
  • 1
ReservedDeveloper
  • 414
  • 3
  • 19
  • Use rewrite module to force https on incoming http requests and do not process http request. For your server's security, https have nothing to do with it. HTTPS just encrypts and secures data transmission between your server and visitors. If you have sensitive data to send/receive from/to visitors, then yes, https is mandatory/critical, otherwise I would say https is optional. – 72DFBF5B A0DF5BE9 Oct 21 '15 at 14:57
  • @72DFBF5BA0DF5BE9 Yeah, its definitely optional in my case. But I've got an SSL cert courtesy of my host, and am looking to stretch my mind a little. – ReservedDeveloper Oct 27 '15 at 21:32

1 Answers1

2

On your site at port 80, you just respond with a 301 response code redirecting the user to your HTTPS site at port 443. The secure site then send the "Strict-Transport-Security" header.

This will still leave your users vulnerable to man-in-the-middle attacks the very first time they visit your site. You can only mitigate this by getting your site on the preloaded HSTS list.

Don't set any cookies from the insecure site and always use the secure flag when setting cookies from the secure one.

MvdD
  • 22,082
  • 8
  • 65
  • 93
  • If I don't set any cookies on the `:80` side, is there still the risk of MITM once they've transitioned to `:443`? – ReservedDeveloper Oct 27 '15 at 21:18
  • 1
    Yes, as an attacker who performs a man-in-the-middle has complete control over what is sent to the browser when the user connects to the site using HTTP. There's no server authentication when using HTTP, so the attacker can send you to an HTTPS site he/she controls (with similar domain name for example) that looks exactly like the original site and trick you into logging in to that site with the credentials to the original site. – MvdD Oct 27 '15 at 23:54
  • I'm guessing the main snag is that you can't control what happens between User Requests HTTP --> MITM --> Server Sends Redirect to 443. Even if all you do on the port 80 side is redirect (no login, no cookies, nothing), there's probably some attack vector there? – ReservedDeveloper Oct 28 '15 at 03:30
  • 1
    Exactly, even if you don't host an endpoint on port 80, the attacker may still send a response if the client tries to connect. The only solution is to prevent the browser from making the HTTP call in the first place by being on a preloaded HSTS list. – MvdD Oct 28 '15 at 07:13
  • 1
    Fantastic. And I just found the [preload request site](https://hstspreload.appspot.com/). I was expecting more of a process for that. Thanks for the follow ups, @MvdD! – ReservedDeveloper Oct 28 '15 at 21:11
  • Yes, the sign up process is easy, but it can take a while before your domain makes it into the list. You're welcome! – MvdD Oct 29 '15 at 00:41