39

If I have a domain, https://www.example.com. It has an SSL certificate for that domain only.

I also want to redirect people who only type example.com in their browser's address bar. Should I secure the second domain, https://example.com, and why, or is HTTP only enough?

I don't use a wildcard SSL certificate.

Anders
Michel
  • It's already done, but my question is: should I secure the non-www? What is the best practice? – Michel Mar 06 '19 at 12:18
  • @DeanMeehan it's better to read and understand the question before commenting. – ElmoVanKielmo Mar 07 '19 at 06:44
  • You should use example.org, example.net or example.com for examples. Other domain names like the one you used are often registered commercial domains. – Martin Mar 07 '19 at 11:19
  • A point which has not yet been mentioned: on **Chrome** it will redirect you without giving any errors, so aside from the other problems mentioned there, there is not an issue. On **Safari**, if you go to the non-HTTPS version of the site, it gets muddled up and will give an error saying your certificate is invalid. – Kyle Wardle Mar 07 '19 at 14:14
  • Random note: if you did have a *.example.com wildcard cert, it still doesn't cover example.com (unless you include example.com as a SAN, which, as I think Dana alluded to, at least some CAs will either do automatically or at least remind you about). – Foon Mar 07 '19 at 15:15

5 Answers

85

If you don't secure example.com and a user visits that site, a man-in-the-middle attacker can manipulate the traffic and keep the user on example.com, where he can intercept all traffic.

It doesn't matter that your version of example.com redirects to https://www.example.com/. The attacker can change this behavior and offer an HTTP version of your site to the user.

Sjoerd
  • Is it still vulnerable knowing that `http://mydomain.com/` will redirect (via Apache) all traffic to `https://www.mydomain.com/`? So if you try to go to `http://mydomain.com/somepage/`, Apache will send the user to `https://www.mydomain.com/`. Also I have some older websites that will redirect `http://mydomain.com/somepage/?with=param` to `https://www.mydomain.com/somepage/?with=param`. – Michel Mar 06 '19 at 12:26
  • Yes. The legitimate behavior of `http://mydomain.com/` is not relevant, since the attacker can modify that behavior with his man-in-the-middle attack. – Sjoerd Mar 06 '19 at 13:18
  • But the first call would still be in HTTP before redirecting to HTTPS, so the man-in-the-middle can still interfere, can't he? – Michel Mar 06 '19 at 13:20
  • @Michel you should enable [HSTS](https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/) to solve that. Certificates are free, no reason not to use them! – Josef Mar 06 '19 at 14:30
  • @Josef Isn't HSTS useless against MITM unless you're on the HSTS preloading lists? The attacker can just strip the server's HSTS header. – Fax Mar 07 '19 at 15:59
  • @Fax HSTS isn't fully secure if your site isn't on the preload lists, but it's not useless either, because once a client connects *without* being MITMed, they'll load the correct HSTS policy, and they're no longer vulnerable. Thus, an attacker must catch the client on first connection, or they've lost their opportunity. – Gordon Davisson Mar 07 '19 at 17:05
  • @GordonDavisson and further to that, getting yourself on the preload lists is dead easy; no reason not to do that either, once you've confirmed HTTPS is working. https://hstspreload.org – ArtOfCode Mar 07 '19 at 22:20
  • @Fax it is only useless if you expect 100% of your site's visitors to visit the site for the first time in a malicious environment. But if this is your threat model, you have other problems anyway. – Josef Mar 16 '19 at 14:20
17

If you don't have a certificate for example.com, anyone trying to access it (without the www. part) over HTTPS will get an error, and very likely not a redirection to www.example.com. With browsers pushing HTTPS as the default protocol more and more, this will become a growing issue.

Many certificate authorities allow you to add multiple domain names in one certificate request, so you can get one certificate for both example.com and www.example.com.

Teun Vink
  • Are "browsers pushing HTTPS as default protocol"? Does any browser use HTTPS by default when you enter just mydomain.com? – Sjoerd Mar 06 '19 at 12:12
  • @Sjoerd: Yes. Brave tries HTTPS first by default, and many users of other browsers have installed the HTTPS Everywhere extension (https://www.eff.org/https-everywhere). – jssblck Mar 06 '19 at 20:07
  • @malexdev From what I understand, HTTPS Everywhere does *not* make your browser use HTTPS by default on all sites, despite what its name says. It simply has a [whitelist](https://www.eff.org/https-everywhere/atlas/) of websites that are redirected to HTTPS. It does nothing to all other sites. – Federico Poloni Mar 06 '19 at 23:02
  • @FedericoPoloni EFF's *HTTPS Everywhere* can be set to force all connections to be made using HTTPS, even when one attempts to use HTTP. My experience is that unless one uses only "big name" sites, that mode unfortunately has a tendency to break more than it helps. – user Mar 07 '19 at 12:06
2

Yes, you should.

In your scenario, the user types the name of your domain into their browser's address bar. No protocol, no www., just example.com. Most browsers will respond by first trying to connect to http://example.com. Now an attacker has the opportunity to interfere with this request and/or the response - preventing any redirect from occurring, or redirecting the user to the wrong destination, or any other bad behaviour.

Simply supporting HTTPS on the base domain doesn't help with this, since the browser will still connect over HTTP first, and the attacker controls what happens from that point on. (Although it does have the minor advantage of providing a better experience for those rare users who type https://example.com into their browsers).

The only way to truly avoid the problem is if, when the user types example.com, the browser immediately connects over HTTPS, without waiting for a redirect. This can be achieved (in most browsers) by getting your domain onto the HSTS preload list. The requirements for adding a domain to the preload list imply that the base domain must be available over HTTPS (you can only submit the base domain for inclusion, and that's what will be checked for the first two requirements; also, the HSTS header as specified in the fourth requirement is only valid over HTTPS).

So, the answer to your question is yes - you should secure the base domain - but you should also consider fulfilling the other requirements and adding the domain to the preload list.

John Morahan
  • Nice point on the HSTS, it actually enforces browser redirection before any result is returned to the user. We can actually check the [Chromium's preloaded list in this .json](https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json). – CPHPython Mar 08 '19 at 10:42
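The answer above describes what the preload list checks for the base domain. The following Python is an added example (not code from any poster on this page) that checks a recorded redirect chain for the two pitfalls the thread turns on: the bare domain bouncing straight to https://www.example.com instead of to https://example.com first, and a missing or too-short HSTS policy on the base domain. The `Response` tuple, the function names and the sample chains and header values are all constructed for this example.

```python
from collections import namedtuple
from urllib.parse import urlsplit
ONE_YEAR = 31536000  # hstspreload.org requires max-age of at least one year

# One hop of a redirect chain; header names are expected in lower case.
Response = namedtuple("Response", "url status headers")

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives

def hsts_is_preloadable(value):
    """max-age >= 1 year plus includeSubDomains and preload, as the preload list requires."""
    d = parse_hsts(value)
    return (d.get("max-age", "").isdigit() and int(d["max-age"]) >= ONE_YEAR
            and "includesubdomains" in d and "preload" in d)

def check_preload_readiness(chain):
    """Return the problems found in a redirect chain that starts at http://<base domain>."""
    problems, first = [], chain[0]
    base = urlsplit(first.url).hostname
    loc = urlsplit(first.headers.get("location", ""))
    # The HTTP request must redirect to https:// on the *same* host, not straight to www.
    if first.status not in (301, 302, 307, 308) or loc.scheme != "https" or loc.hostname != base:
        problems.append("http://%s must redirect to https://%s first" % (base, base))
    # Later hops must all be HTTPS; hops on the base domain (including its redirect to
    # www) must carry a preloadable HSTS header. Subdomains are covered by includeSubDomains.
    for r in chain[1:]:
        parts, hsts = urlsplit(r.url), r.headers.get("strict-transport-security", "")
        if parts.scheme != "https":
            problems.append("plain-HTTP hop after the first redirect: " + r.url)
        elif parts.hostname == base and not hsts_is_preloadable(hsts):
            problems.append("%s lacks a preloadable HSTS header" % r.url)
    return problems

# Constructed sample chains, not responses captured from any real site.
GOOD_HSTS = "max-age=63072000; includeSubDomains; preload"
BAD_CHAIN = [  # bare domain bounces straight to www, so it never serves HSTS itself
    Response("http://example.com/", 301, {"location": "https://www.example.com/"}),
    Response("https://www.example.com/", 200, {"strict-transport-security": "max-age=300"})]
GOOD_CHAIN = [
    Response("http://example.com/", 301, {"location": "https://example.com/"}),
    Response("https://example.com/", 301, {"location": "https://www.example.com/",
                                           "strict-transport-security": GOOD_HSTS}),
    Response("https://www.example.com/", 200, {"strict-transport-security": GOOD_HSTS})]
```

Feed it the hops you observe with your own client (following redirects one at a time) to see whether the base domain is set up the way the preload submission form expects.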
1

If you have enabled an SSL certificate from RapidSSL, GeoTrust or Thawte, then you have no need to worry about your domain example.com, because they secure both the www and non-www versions of the domain name, such as example.com & www.example.com.

But yes, if you need to keep the www domain www.example.com as your preferred domain, then you must redirect your non-www domain example.com using a 301 redirect. The solution to the same query is given in the topic "different ssl certificate for www and non www" if you are still confused.

Dana
  • The certificate may *cover* both the bare domain and the www subdomain, but it doesn't actually *secure* both unless it's installed correctly. – TRiG Mar 07 '19 at 10:02
0

If you will be redirecting with some information in the URL to the destination domain, then be aware that there is a security concern.

You can use Let's Encrypt (https://certbot.eff.org/) to get a free certificate for your domain, even if it is only there for the redirect.