
My website is an information-only website and all the information on it is available to everyone who visits the website. There is no sensitive data and no user sessions/logins.

The content on my http site is available over both http and https. All the pages on my site are http pages. We have to load the content on the http site from https. We have been asked to do a force redirect to https for all the http requests. I have the queries below:

1. Is it ok to have content on https and the site on http. Are there any issues with this approach? Is it recommended?

2. Considering that the user sees only the 'http' url, the user still thinks he's on an unsafe site. That doesn't help?

3. Is doing a force redirect for all the http urls to https the right approach for this?

4. The main concern raised for having the content on https was that the traffic between content administrator and EPIserver CMS was not secure. Considering that there is no sensitive data, is this a valid argument? Are there any other security concerns (For eg an attacker being able to change the content) ?

5. Related to the query above, is it fine just to have the login page to the CMS over https?

6. Are there any other things I need to be aware of?

Any guidance on the above queries would be really helpful.

Chillax

  • Use HTTPS. What's the problem? – techraf Aug 03 '16 at 23:32
  • You mean for the website? Client not ready to pay for https. And we cannot justify the need for https – Chillax Aug 03 '16 at 23:49
  • Sorry, but your question states that you already **are** using HTTP and HTTPS. Please [edit it](https://security.stackexchange.com/posts/131875/edit) and clarify your problem. – techraf Aug 03 '16 at 23:54
  • Haven't I clarified that the website is on http and the content available on both http and https? – Chillax Aug 04 '16 at 06:06
  • If the user is willing to pay for more subdomain SSL certificates and size the server to handle the https handshake, then why not just HTTPS everything? This is not even a question if you read your webserver documentation. Most webservers have the capability to redirect http requests to the https site, while the backend is just configured to point to the same contents. – mootmoot Aug 04 '16 at 08:21
  • @mootmoot We did try redirecting all http requests to https, but were facing some issues, which we are looking into. We wanted to know the benefit of doing this or if it's just overwork – Chillax Aug 04 '16 at 08:23
  • Honestly, I am not sure about the great trouble you face, as from what I know about webservers like nginx, it is all about web server configuration file settings. As for the benefit: mitigate MITM attacks. If you have a modern CPU that makes use of quick cipher features, the CPU performance degradation will be minimal. – mootmoot Aug 04 '16 at 08:36
  • If certificate cost is an issue, [Let's Encrypt](https://letsencrypt.org/) is a solution. The fact that the client has to "pay" for HTTPS seems like a problem. HTTPS doesn't cost more to set up than HTTP (unless you are getting scammed by the webhost, in which case you should change providers because serving HTTPS does not cost more than serving HTTP at the technical level). – André Borie Aug 04 '16 at 16:07
  • @GeorgeBailey Yes, I am loading HTTPS content into an HTTP page. Sorry for not making it clear enough. I control both website and content – Chillax Aug 04 '16 at 19:10
  • @Chillax, If *"content on [your] http site is available over both http and https"*, then why do you *"have to load the content [on the http site] from https"*? Knowing why the content must be served over `https` will answer whether your site needs to be `https` also. – 700 Software Aug 04 '16 at 20:12

1 Answer

> There is no sensitive data

Are you sure your visitors are OK with sharing their browsing history? Are your webpages about something they might not want to share?

> 1. Is it ok to have content on https and the site on http. Are there any issues with this approach? Is it recommended?

If your website presents the same content over http and https, you must specify a canonical page for search engines to avoid duplicate content problems: https://support.google.com/webmasters/answer/139066

If you redirect http to https you don't have to worry about that.

> 2. Considering that the user sees only the 'http' url, the user still thinks he's on an unsafe site. That doesn't help?

If the main page is http, even if all resources are https, he is on an unsafe website. An attacker can include malicious java, a fake login page, or ads:

http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/

https://theintercept.com/2014/08/15/cat-video-hack/

> 3. Is doing a force redirect for all the http urls to https the right approach for this?

Yes, it's more secure to always redirect http to https. And better to use HSTS to prevent sslstrip:

http://resources.infosecinstitute.com/mitm-using-sslstrip/

> 5. Related to the query above, is it fine just to have the login page to the CMS over https?

No. It's less secure than having https for all webpages: if you have only the login page on https, you still need to protect session cookies: https://en.wikipedia.org/wiki/Firesheep and you need to protect webpages that can redirect to the login page: https://moxie.org/software/sslstrip/ and any webpage where the visitor may expect a login page. So the only secure way to handle a login is to use https on the whole domain, with HSTS.

> 6. Are there any other things I need to be aware of?
Tom
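As an added example (not part of the question or of Tom's answer), a small offline checker for the three points the answer makes: the plain-http response must be a permanent redirect to the same host over https, the https response must carry an HSTS header with a long enough max-age, and the page must not embed active resources over plain http. The sample responses, the host names and the one-year max-age threshold are constructed assumptions.

```python
import re
from urllib.parse import urlparse
# One year is the commonly recommended minimum max-age (assumption, not from the post).
HSTS_MIN_AGE = 31536000

def check_redirect(request_url, status, headers):
    """True if a plain-http response is a permanent redirect to the same host over https."""
    if status not in (301, 308):
        return False
    target = urlparse(headers.get("location", ""))
    return target.scheme == "https" and target.netloc == urlparse(request_url).netloc

def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, includeSubDomains)."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip().isdigit():
            max_age = int(val)
        elif name.lower() == "includesubdomains":
            subdomains = True
    return max_age, subdomains

def check_hsts(https_headers):
    """HSTS only counts on the https response; browsers ignore the header over http."""
    value = https_headers.get("strict-transport-security")
    if value is None:
        return False
    max_age, _ = parse_hsts(value)
    return max_age is not None and max_age >= HSTS_MIN_AGE

# Active mixed content: script/iframe/link tags loaded over plain http into the page.
MIXED_RE = re.compile(r"<(?:script|iframe|link)[^>]*?(?:src|href)=[\"'](http://[^\"']+)", re.I)

def find_mixed_content(html):
    """Return the plain-http URLs of active resources embedded in the page."""
    return MIXED_RE.findall(html)

def audit(url, http_status, http_headers, https_headers, html):
    return {
        "redirects_to_https": check_redirect(url, http_status, http_headers),
        "hsts_ok": check_hsts(https_headers),
        "mixed_content": find_mixed_content(html),
    }
# Constructed sample responses for a fictional site (not real captures).
SAMPLE_URL = "http://www.example.com/"
WEAK = audit(SAMPLE_URL, 200, {}, {}, '<script src="http://cdn.example.com/app.js"></script>')
HARDENED = audit(SAMPLE_URL, 301, {"location": "https://www.example.com/"},
                 {"strict-transport-security": "max-age=31536000; includeSubDomains"},
                 '<script src="https://cdn.example.com/app.js"></script>')
```

The WEAK result mirrors the setup in the question (http page, no HSTS, https content that could just as well be swapped for http by an on-path party); HARDENED is what the answer recommends.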