
I believe that this question is not a duplicate of the following question. This is because the answer provided to that question only focuses on user experience, while my question focuses purely on security.


Scenario: I am running a small website, which is only meant to be used by me and a few of my friends. I am using HTTPS to connect to the website, and I left port 80 blocked. All of the legitimate users were informed that the website will ONLY work if they put https:// in front of the address, and everyone accepted this without any obligation and no one had any issues with this. The website requires the user to log in straight from the beginning, before they can access anything, which means that SSL is required from the beginning of the connection. While HSTS is not available yet, its implementation is also planned on the server.

Question: Does blocking port 80 make the website more secure? I have been looking for results on Google, however everything focuses purely on user experience (e.g. that users don't need to put https:// in front of the link, or otherwise the web browser won't connect).


For this question I expect the answer to focus mainly on security. However, for further reference, I will be fine if the answer also highlights why blocking port 80 is a bad idea. If this is the case, I would ask that the answer be separated into two parts.
vakus
  • Could you explain which security aspects you're concerned about? More secure for the user or more secure for your server? – Arminius Dec 12 '17 at 11:14
  • I am mostly concerned about the users and the data they will be sending to the server – vakus Dec 12 '17 at 11:21
  • It seems that you're mostly concerned about MITM attacks. In that case, it doesn't matter which ports you keep open on your server because the MITM can pretend to the victim that port 80 is open, even if you closed it. – Arminius Dec 12 '17 at 11:26

3 Answers


In theory, closing port 80 might make the system more secure: for example, if you ran a vulnerable version of a server listening on port 80, and a different non-vulnerable version on port 443. If you're using the same software for both ports, though, it is unlikely to make any difference, unless there are specific bugs which only work on given ports. Given that most web server software is written in such a way that it can listen on any port, it seems unlikely that there would be radically different code paths taken though (it's even possible although uncommon to run HTTPS on port 80, after all).

The general principle is to minimise the number of ports exposed to the world, and since the primary benefit of opening port 80 is to aid usability, which you've said doesn't apply in this case, there is little point in opening it.

Matthew
  • If I can expand on this a bit: If you were to leave port 80 open, then there is a MITM attack vector where an attacker could change your redirect to redirect the user to a malicious copy of your website on a lookalike URL. Since a user may be complacent and commonly go to your HTTP site without realizing the redirect, they may become susceptible to this form of attack. Closing port 80 would force users to go directly to HTTPS and mitigate this attack (though possible at the expense of usability). – Vidia Jan 24 '19 at 23:40
  • @Vidia If there is a MITM attack, they can keep their port 80 open even if *you* don't. A port-80 MITM doesn't necessarily need to be a proxy for the "real thing." – Christopher Schultz Jan 29 '20 at 16:28

You could argue that disabling HTTP teaches users to always use the https:// URL, since the http:// simply doesn't work. This could make your service more secure against man-in-the-middle attackers.

Sjoerd
  • I'd argue it also leaves users open to other avenues of attack. If a user tries to navigate to the HTTP site (which browsers do by default) and it fails, the average non-tech user isn't going to try HTTPS. They will probably search engine it - and can you ensure your site will be the first result? – Hector Dec 12 '17 at 13:12

Honestly, you should configure your server to redirect any and all requests to HTTPS only. That way, no matter what the hell they type, it'll automatically make sure it stays as HTTPS. This is what many sites such as Facebook do, hence the reason why you never have to type the HTTPS when going to their sites. As for disabling port 80, I'd say do so regardless.

James
    Going to HTTP to be redirected to HTTPS leaves you vulnerable to MitM (eg sslstrip). OP said they plan to use HSTS, but unless it's preloaded it still expires, meaning the MitM threat isn't entirely mitigated. – AndrolGenhald Jan 24 '19 at 15:10
  • It sounds like you're saying to disable port 80, while simultaneously responding to requests on port 80 to redirect to HTTPS. This is contradictory. – AndrolGenhald Jan 24 '19 at 15:12
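The points made across this thread (Arminius and Christopher Schultz: an on-path attacker answers port 80 itself, so the origin's firewall rule is irrelevant to it; Sjoerd: a user who types https:// never gives the attacker a plaintext hop; AndrolGenhald: an HTTP-to-HTTPS redirect is what sslstrip rewrites, and a cached HSTS policy only protects until max-age runs out unless the host is preloaded) can be checked with a small model rather than argued. The script below is an added example written for this page, not code from any poster. It models an origin whose port 80 can be open or blocked, an sslstrip-style attacker on the network path, and a browser with an HSTS cache and a preload set. The hostname, the timestamps and the max-age value are all made up, and the "network" is an in-process object, so it runs offline.

```python
"""Toy model of HTTP->HTTPS redirects, sslstrip and the HSTS cache lifecycle.
Added example for this thread; hostname, times and max-age are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

HOST = "example.test"   # assumed hostname, not from the original post


def split_url(url: str) -> Tuple[str, str, str]:
    """'https://h/p' -> ('https', 'h', '/p')."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return scheme, host, "/" + path


@dataclass
class Origin:
    """The site. port80_open=False models the firewall rule in the question."""
    port80_open: bool
    hsts_max_age: Optional[int] = None   # seconds; None = no HSTS header yet

    def handle(self, scheme: str, path: str):
        if scheme == "http":
            if not self.port80_open:
                return None                   # connection refused
            return 301, {"Location": f"https://{HOST}{path}"}, ""
        headers = {}
        if self.hsts_max_age is not None:
            headers["Strict-Transport-Security"] = f"max-age={self.hsts_max_age}"
        return 200, headers, "private page"


class SslStrip:
    """Attacker between browser and origin. It answers port 80 itself, so the
    origin's port 80 state makes no difference to it; TLS it can only pass on."""

    def __init__(self, origin: Origin):
        self.origin = origin
        self.stripped_paths: List[str] = []

    def handle(self, scheme: str, path: str):
        if scheme == "https":
            return self.origin.handle("https", path)   # cannot forge the cert
        status, headers, body = self.origin.handle("https", path)
        self.stripped_paths.append(path)
        # Serve the HTTPS content over plaintext; drop the HSTS header, which
        # browsers would ignore on an http:// response anyway.
        headers = {k: v for k, v in headers.items()
                   if k.lower() != "strict-transport-security"}
        return status, headers, body


@dataclass
class Browser:
    hsts_cache: Dict[str, int] = field(default_factory=dict)  # host -> expiry
    preload: Set[str] = field(default_factory=set)            # built-in list

    def navigate(self, url: str, network, now: int) -> Tuple[str, str]:
        """Return (scheme the page was finally loaded over, body)."""
        scheme, host, path = split_url(url)
        for _ in range(5):                               # bounded redirect chain
            if scheme == "http" and (host in self.preload
                                     or self.hsts_cache.get(host, -1) > now):
                scheme = "https"               # internal upgrade, no plaintext sent
            resp = network.handle(scheme, path)
            if resp is None:
                return "refused", ""
            status, headers, body = resp
            sts = headers.get("Strict-Transport-Security")
            if scheme == "https" and sts:                # HSTS only honoured over TLS
                max_age = int(sts.split("max-age=")[1].split(";")[0])
                self.hsts_cache[host] = now + max_age
            if status in (301, 302) and "Location" in headers:
                scheme, host, path = split_url(headers["Location"])
                continue
            return scheme, body
        return "too-many-redirects", ""


def run_scenarios() -> Dict[str, str]:
    """Scheme each scenario ends on; 'http' means the attacker read the page."""
    out = {}
    honest = Origin(port80_open=True, hsts_max_age=3600)
    out["redirect_no_attacker"] = Browser().navigate(f"http://{HOST}/", honest, now=0)[0]

    closed = Origin(port80_open=False, hsts_max_age=3600)
    mitm = SslStrip(closed)
    # Port 80 blocked on the origin, nothing cached yet, user types http://
    out["port80_closed_no_attacker"] = Browser().navigate(f"http://{HOST}/", closed, now=0)[0]
    out["port80_closed_mitm"] = Browser().navigate(f"http://{HOST}/", mitm, now=0)[0]
    # Same attacker, but the user types https:// as the question's users do
    out["port80_closed_user_types_https"] = Browser().navigate(f"https://{HOST}/", mitm, now=0)[0]
    # One honest https visit at t=0 caches HSTS for 3600 s; revisit while valid
    b = Browser()
    b.navigate(f"https://{HOST}/", closed, now=0)
    out["hsts_cached_fresh"] = b.navigate(f"http://{HOST}/", mitm, now=600)[0]
    # ...and again after max-age has expired (last refresh at t=600 expires at 4200)
    out["hsts_cached_expired"] = b.navigate(f"http://{HOST}/", mitm, now=5000)[0]
    # Preloaded host: no first-visit window and no expiry
    out["hsts_preloaded"] = Browser(preload={HOST}).navigate(f"http://{HOST}/", mitm, now=5000)[0]
    return out


if __name__ == "__main__":
    for name, scheme in run_scenarios().items():
        print(f"{name:32s} -> {scheme}")
```

Reading the results in order: the redirect works when nobody is on the path; with port 80 blocked and no attacker the user who types http:// simply gets a refused connection (Hector's usability point); with an attacker on the path the same blocked port changes nothing, because the attacker answers port 80 and serves the page over plaintext; typing https:// defeats that, and so does a cached HSTS policy while it is still within max-age, but after it expires the next http:// navigation is stripped again, which only preloading avoids.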