
For this question I will use the following domains:

  • example.com - an online shop
  • exmpl.com - a domain which is used for sharing items.

exmpl.com will be used for redirects (e.g. http://exmpl.com/foo will redirect to https://example.com/items/42).

I have the following questions:

  • How important is it that exmpl.com should be encrypted?
  • Does it matter at all if it has https or only http?
  • Of course, if it doesn't have https, one who attempts to access https://exmpl.com will not be able to do so, but are there any side effects?
  • On the other side, why would a company prefer to support only http in this context?
jrtapsell
Ionică Bizău

3 Answers


Should redirect sites use HTTPS

If the main site uses HTTPS then the redirect site should too.

What attacks are possible if it does not

Passive Attacker

  • Can see every item looked at by the user
  • May get extra information (which site/chat linked to the page)

Active Attacker

Anything a passive attacker can, and...

  • Can MITM the connection and use something like SSLStrip to prevent the connection upgrading to HTTPS, allowing them to watch passwords, credit card numbers, etc.
  • Can add a cookie to the reply, allowing them to track a user
  • Can redirect the traffic to a phishing site, or a site that installs malware.

How to prevent using HTTP entirely, to stop tools like SSLStrip

  • You can serve an HSTS header, so only the first visit (and the first visit once the header expires) will use HTTP, so an attacker cannot intercept the traffic
  • If you wish to prevent these weaknesses you can add your site to the HSTS Preload List, which will prevent HTTP connections.
  • This would need to apply for both sites, as if the main site is HSTS but the redirect then the attacker could redirect to a site they control instead, bypassing HSTS.

Should I use HTTPS

Generally, YES

There are very few occasions when you can get away with not using HTTPS, all of these need to apply:

  • You manually sign your data - and always verify the signature

  • You do not care about people finding out your software is running on someone's machine

  • You do not handle any sensitive information, or information users may want to keep secret
  • You won't accidentally get sensitive information sent over your system
    • An example would be ACARS, it wasn't meant for sensitive information, but credit card numbers have been sent over it without realising the problems caused. [forum, paper]
  • You do not care or can detect if someone swaps around the files, using other valid signed ones
  • The service does not imply sensitive data (a page about a disease may not be sensitive, but the fact that someone is searching about the disease may be sensitive).
jrtapsell
  • ITYM "if the main site is HSTS but the redirect >>is not<< then the attacker could" – dave_thompson_085 Jan 20 '18 at 05:57
  • The three points under active attacker, could you not say the same for all the sites in the world that are not on the HSTS preload list where the first request is also http. – Esben Skov Pedersen Jan 20 '18 at 14:25
  • That is true, but if you set HSTS long enough then the attack window is quite narrow (Once every year or 18 months) – jrtapsell Jan 20 '18 at 14:35
  • I don't follow. If we are talking about the first request from a new client to a site not using HSTS preload list. Then the first request is always http. How is there any difference from an external site (tiny url), or the same site on http? – Esben Skov Pedersen Jan 21 '18 at 16:23
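An added example (Python; not code from the answer or from any real redirect service) of how the redirect host in the question can follow the advice above: a plain-HTTP request is only bounced to the same URL over HTTPS, because browsers ignore Strict-Transport-Security on HTTP responses, and the HTTPS hop carries both the real short-link redirect and an HSTS header that meets the preload-list submission requirements. The `redirect` and `hsts_preload_ok` functions and the `SHORT_LINKS` table are assumptions built from the question's constructed domains; the one-year minimum is the hstspreload.org requirement.

```python
"""Added example: HTTPS-only redirect hop for exmpl.com -> example.com
plus a check of the HSTS header against preload-list requirements."""
from urllib.parse import urlsplit

# Constructed short-link table using the question's example URLs.
SHORT_LINKS = {"/foo": "https://example.com/items/42"}

# hstspreload.org submission requirements: max-age of at least one year,
# includeSubDomains and preload directives.
PRELOAD_MIN_MAX_AGE = 31536000
HSTS_VALUE = f"max-age={PRELOAD_MIN_MAX_AGE}; includeSubDomains; preload"


def redirect(url):
    """Return (status, headers) for a request to the redirect domain.

    Browsers ignore Strict-Transport-Security received over plain HTTP
    (RFC 6797 section 8.1), so an http:// request is first sent to the
    same path over https://; only the https:// hop carries HSTS and the
    actual short-link target, so the target never travels in cleartext.
    """
    parts = urlsplit(url)
    if parts.scheme == "http":
        # Step 1: scheme upgrade only; an HSTS header here would be ignored.
        return 301, {"Location": f"https://{parts.netloc}{parts.path}"}
    headers = {"Strict-Transport-Security": HSTS_VALUE}
    target = SHORT_LINKS.get(parts.path)
    if target is None:
        return 404, headers
    return 301, {**headers, "Location": target}


def hsts_preload_ok(headers):
    """Check an HSTS header value against the preload submission rules."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return False
    directives = {}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        directives[name.lower()] = arg
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        return False
    return (max_age >= PRELOAD_MIN_MAX_AGE
            and "includesubdomains" in directives
            and "preload" in directives)
```

The same header must also be served by example.com itself, as the answer notes; this block only covers the redirect domain's side.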

There are very few cases where using just plain HTTP and not HTTPS is a good idea. This is probably not one of them.

Consider this scenario: A user clicks a link to http://exmpl.com/foo, hoping to buy some new foo. A man in the middle intercepts the request, and responds with a phishing copy of https://example.com/items/42 instead of a redirect to the legitimate one. The user, being lazy as users are, doesn't check what URL he was redirected to - after all, he knew he clicked the right link. Instead he proceeds to enter his credit card details into the phishing site. He thinks he's shopping for foo on a legitimate site, while in fact he is getting scammed.

Sure, the user made a mistake here. But it's a mistake that would not have mattered had you only used HTTPS.

Anders
  • "There are very few cases" mostly, a domain only hosts a few signed files, which one is retrieved is not privacy relevant, signature is checked automatically by all client software... and the hash of these files can be verified from another (secure) server – curiousguy Jan 19 '18 at 15:46
  • The user knows that exmpl.com belongs to Example Co Ltd. why would he know that it should have been sent to example.com and it's not just a change in how the company displays products? – Ángel Jan 20 '18 at 02:53

When the user is privacy-conscious, they might want to minimize the amount of data an eavesdropper can collect about them. When you use HTTPS, then the whole request is encrypted. The eavesdropper only knows which server the user accessed and (approximately) how much data was exchanged.

When exmpl.com doesn't use HTTPS, the eavesdropper knows:

  • Subject accessed http://exmpl.com/foo
  • Subject received an HTTP redirect to https://example.com/items/42
  • Subject accessed an unknown (but now easy to infer) URL on the domain example.com
  • Subject received a long encrypted response

When you use HTTPS, all the attacker knows:

  • Subject accessed an unknown URL on the domain exmpl.com
  • Subject received a short encrypted response
  • Subject accessed an unknown URL on the domain example.com
  • Subject received a long encrypted response

The attacker doesn't learn which redirect the user used and so they don't learn that the user visited items/42. The attacker also cannot be sure that these two accesses were related.

Philipp