
I was doing security research on storing the session ID in local storage instead of storing it in cookies. I understand that it is not possible to tag the values in local storage as HttpOnly, and so it may be vulnerable to XSS attacks. Since all the inputs are properly validated, I am free from this issue.

But the other issue I found is the tampering of data while transferring to the server. Since my local storage session ID cannot be tagged under Secure, it is possible that it can be transmitted through an unencrypted channel (HTTP). To mitigate this, I want to know if it is possible to access a page via HTTP which is secured with SSL.

Anandu M Das
    It depends entirely on what the server allows, assuming it's the server you think it is. – OrangeDog Oct 24 '14 at 14:27
    1. The answer to your question will depend on how the server behaves; we don't have enough information to say. Some servers will serve pages under both HTTP and HTTPS; some won't. What have you tried? Have you tried changing the `https:` in the URL to `http:` and trying to visit that address, to see how the server responds? 2. Why can't you tag the cookie `secure`? Have you looked at HSTS? What research have you done? – D.W. Oct 24 '14 at 16:02
    "Since all the inputs are properly validated I am free from this issue." This is a dangerous mentality to have. Mistakes and oversights happen, which is why defense in depth is such an important concept in security – Stephen Touset Oct 27 '14 at 02:09
  • @Stephen Touset I appreciate that. Validation won't make perfect security. I agree. But since the topic of discussion wasn't related to that, I skipped it quickly to my topic. – Anandu M Das Oct 27 '14 at 08:09
  • @D.W I have done much research on it. I have tried changing https into http, tried some addons doing this, etc. Since I was totally unaware of HSTS I couldn't read much about this. Thank you for introducing that. – Anandu M Das Oct 27 '14 at 08:11

3 Answers


A page which is secured with SSL (or TLS for that matter) cannot be accessed via HTTP, as that would mean that the page is not secured anymore.

If I rephrase the question: Is it possible to access a particular page of an HTTPS-secured website via HTTP, then I would say that is possible, but very INsecure. Moreover, the cookie with the session ID will probably have to be sent along with every page request, as you need to track the session across several pages. That would imply that you need to serve almost every page over HTTP, which thus renders your site insecure.

In case you need the session cookie on only one page, you could tell the client to carry out an HTTP request to that one page, which will then send along all cookies that don't have the 'secure' flag set. However, this means that all these cookies are vulnerable to a MITM attack, and can be read by anyone listening in on your communication.

My advice: do not ever consciously serve a page of an HTTPS site over HTTP.

So, the question you need to ask yourself is why can't my session ID be tagged secure only. Is it laziness, or is there another reason why you can't tag this cookie as being secure?


By the way, to force a browser to always use HTTPS for a website (and not rely on 302 redirects to visit the HTTPS version), HTTP Strict Transport Security can be used. Please refer to OWASP for more information.

Michael
  • I understand that using cookies with the HttpOnly and Secure flags is the safest method. But I asked this question only for research purposes. Anyway, thanks for the response. Up-voted. – Anandu M Das Oct 24 '14 at 12:21
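The answer above turns on what the Secure and HttpOnly attributes actually make a browser do with a session cookie. The following is an added example, not code from the original thread: a small Node.js model of the two browser-side rules involved (RFC 6265 section 5.4 for sending, and the RFC 6265bis "Leave Secure Cookies Alone" rule for storing), run against a weak and a hardened Set-Cookie header side by side. The host name `shop.example` and the session value are made up, and domain/path matching and SameSite enforcement are deliberately left out so the effect of the two flags stays visible.

```javascript
// Added example (not from the original post): how the Secure and HttpOnly
// cookie attributes change what a browser does with a session ID, modelled
// in plain Node.js. Host names and cookie values are made up for the demo.

// Build a Set-Cookie header for a session ID. `secure` and `httpOnly`
// default to true; pass false to reproduce the weak configuration.
function buildSessionCookie(name, value, { secure = true, httpOnly = true, sameSite = 'Lax' } = {}) {
  const parts = [`${name}=${value}`, 'Path=/', `SameSite=${sameSite}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse a Set-Cookie header into its name/value pair and the two flags we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, httpOnly: false };
  for (const attr of attrs) {
    const key = attr.split('=')[0].toLowerCase();
    if (key === 'secure') cookie.secure = true;
    if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// Storage rule (RFC 6265bis, "Leave Secure Cookies Alone"): a Secure cookie
// delivered over plain http:// is rejected outright. Returns true if stored.
function storeCookie(jar, header, responseUrl) {
  const cookie = parseSetCookie(header);
  if (cookie.secure && new URL(responseUrl).protocol !== 'https:') return false;
  jar.set(cookie.name, cookie);
  return true;
}

// Sending rule (RFC 6265 section 5.4): a Secure cookie is only attached to
// requests whose scheme is https. Domain/path matching is intentionally omitted.
function cookieHeaderFor(jar, requestUrl) {
  const isHttps = new URL(requestUrl).protocol === 'https:';
  return [...jar.values()]
    .filter((c) => isHttps || !c.secure)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Whether page script (document.cookie) could read the cookie: HttpOnly hides it.
// localStorage has no equivalent flag, which is the XSS concern in the question.
function readableByScript(cookie) {
  return !cookie.httpOnly;
}

// Walk the weak and hardened configurations through the same downgraded request.
function demo() {
  const weak = buildSessionCookie('sid', 'abc123', { secure: false, httpOnly: false });
  const hardened = buildSessionCookie('sid', 'abc123');

  const weakJar = new Map();
  storeCookie(weakJar, weak, 'https://shop.example/login');
  const hardenedJar = new Map();
  storeCookie(hardenedJar, hardened, 'https://shop.example/login');

  return {
    weak,
    hardened,
    // A link or redirect to http:// leaks the weak cookie but not the hardened one.
    weakOverHttp: cookieHeaderFor(weakJar, 'http://shop.example/cart'),
    hardenedOverHttp: cookieHeaderFor(hardenedJar, 'http://shop.example/cart'),
    hardenedOverHttps: cookieHeaderFor(hardenedJar, 'https://shop.example/cart'),
    weakReadableByScript: readableByScript(parseSetCookie(weak)),
    hardenedReadableByScript: readableByScript(parseSetCookie(hardened)),
  };
}
```

Running `demo()` shows the point of the answer: the hardened cookie is simply absent from the plaintext request, so a page served over HTTP cannot carry the session at all, while the weak cookie is sent and exposed to anyone on the path. `storeCookie` also rejects a Secure cookie that a server tries to set from an http:// response, so the flag cannot be bolted on after a downgrade either.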

Yes, it is, of course.

  • The simplest example is the user who just submits the request as http://..., either unconsciously or deliberately.
  • The (potentially malicious) web server could do that too, by just sending a 30x redirection or a page with all further hyperlinks pointing to http:// instead of https://.

Example for the latter one: connect to https://www.amazon.com and you will land on a page without any SSL protection.

Marcel
  • I appreciate the second case. But regarding the first case, if I try to access facebook or gmail via http, my browser won't allow me to do that. It redirects to https. – Anandu M Das Oct 24 '14 at 12:16
    To force a browser to always use HTTPS for a website (and not rely on 302 redirects to visit the HTTPS version), HTTP Strict Transport Security can be used. Please refer to https://www.owasp.org/index.php/HTTP_Strict_Transport_Security for more information. AFAIK, Facebook does not use HSTS, and uses normal redirects triggered on the web server. Gmail (in Chrome) does use HSTS. – Michael Oct 24 '14 at 12:27
  • No, the server doesn't allow you to do that. The browser just does what the server says. – OrangeDog Oct 24 '14 at 14:25
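Both cases in this answer (a user typing http://, and a server redirecting or linking to http://) are exactly what the HSTS mechanism mentioned in the comments above is designed to close. The following is an added example, not code from the thread: a Node.js model of the browser side of RFC 6797, covering header parsing, the rule that the header is ignored on plaintext responses, includeSubDomains, expiry, and the URL rewrite applied before any request is sent. The host names, header values and timestamps are constructed for the demo; the preload list and certificate-error handling are not modelled.

```javascript
// Added example (not from the original thread): a small model of how a browser
// applies HTTP Strict Transport Security (RFC 6797), so that a typed http://
// URL or a redirect to http:// never produces a plaintext request for a host
// that has opted in. Host names, header values and timestamps are made up.

// Parse a Strict-Transport-Security header value. Directive names are
// case-insensitive, max-age is mandatory, unknown directives are ignored.
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of value.split(';')) {
    const [name, val] = raw.trim().split('=').map((s) => s && s.trim().replace(/^"|"$/g, ''));
    if (!name) continue;
    const lower = name.toLowerCase();
    if (lower === 'max-age' && /^\d+$/.test(val || '')) maxAge = Number(val);
    else if (lower === 'includesubdomains') includeSubDomains = true;
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// In-memory HSTS cache keyed by host. Times are seconds since the epoch so
// expiry can be driven deterministically from the caller.
class HstsStore {
  constructor() {
    this.hosts = new Map();
  }

  // RFC 6797 section 8.1: the header only counts when received over a secure,
  // error-free connection; max-age=0 removes an existing entry.
  record(host, headerValue, receivedOverHttps, now) {
    if (!receivedOverHttps) return false;
    const policy = parseHsts(headerValue);
    if (!policy) return false;
    const key = host.toLowerCase();
    if (policy.maxAge === 0) {
      this.hosts.delete(key);
      return true;
    }
    this.hosts.set(key, { expires: now + policy.maxAge, includeSubDomains: policy.includeSubDomains });
    return true;
  }

  // A host is covered by its own unexpired entry, or by an unexpired entry for
  // a parent domain that carries includeSubDomains.
  isKnown(host, now) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.hosts.get(labels.slice(i).join('.'));
      if (!entry || entry.expires <= now) continue;
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // RFC 6797 section 8.3: rewrite http:// to https:// for known hosts before
  // the request leaves the browser. The URL parser already elides the default
  // port 80, so it becomes 443 implicitly; explicit other ports are kept.
  upgrade(urlString, now) {
    const url = new URL(urlString);
    if (url.protocol !== 'http:' || !this.isKnown(url.hostname, now)) return urlString;
    url.protocol = 'https:';
    return url.toString();
  }
}

// Walk through the scenarios from the answer: plaintext attempt to set HSTS,
// first https visit, typed URL, redirect target, custom port, another site, expiry.
function demo() {
  const store = new HstsStore();
  const t0 = 1700000000; // constructed "now"
  const header = 'max-age=31536000; includeSubDomains';
  const ignored = store.record('shop.example', header, false, t0); // over plain http: ignored
  store.record('shop.example', header, true, t0);                  // first https visit
  return {
    ignored,
    typedUrl: store.upgrade('http://shop.example/cart', t0 + 60),
    redirectTarget: store.upgrade('http://www.shop.example/?sid=abc123', t0 + 60),
    customPort: store.upgrade('http://shop.example:8080/admin', t0 + 60),
    otherSite: store.upgrade('http://other.example/', t0 + 60),
    afterExpiry: store.upgrade('http://shop.example/cart', t0 + 31536000 + 1),
  };
}
```

The two caveats a practitioner should take from `demo()`: nothing protects the very first visit (or any visit after max-age has lapsed) unless the host is on the browser preload list, and a policy can only be learned from an https response, so a site that never serves the header over TLS gets no protection at all.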

Yes, it is.

If TLS/SSL negotiation fails, then the browser falls back to HTTP (while staying on the HTTPS port and URL), the same way it can fall back to SSL3.
I took this screenshot while browsing GitHub: [screenshot, captioned "proof of the first statement"]

user2284570
  • Are you saying that a server will display a page unsecured if secure negotiation fails? – schroeder Oct 27 '14 at 21:14
  • I'm also not sure what your screenshot is supposed to prove. How did you generate that message? – schroeder Oct 27 '14 at 21:21
  • @schroeder : Yes, if all protocols fail (all SSL versions and TLS), then the server can allow fallback to an unsecured *(if configured)* connection over https. This behaviour cannot be refused in major web browsers. The screenshot was taken from my web browser *(Opera 12.50)*. It tells that the server failed to apply security measures, so the browser uses a non-secured connection *(where security measures are the configured protocol list the browser advertises to support (they were all disabled for the screenshot))*. – user2284570 Oct 28 '14 at 01:36
    @schroeder: Yes [this is possible](http://stackoverflow.com/a/1930339/413180) depending on which cipher suites are made available. However, user2284570 you should have included some references (in English) to back this up in your answer. Extraordinary claims require extraordinary evidence. ;-) – SilverlightFox Oct 28 '14 at 14:17
  • Let me clarify: are you saying that by default, a server will allow unsecured connection if the initial session was established securely? – schroeder Oct 28 '14 at 14:23
    @schroeder: I assume you mean HTTP session rather than TLS connection? In that case yes if the server supports unsecured ciphers and the browser is switched to use one. I think this whole question isn't very well defined - it is far too vague for a good answer as it stands. – SilverlightFox Oct 28 '14 at 14:33
  • The question is to access https:// or SSL content through the http:// protocol, which is not possible by design. Also, that answer is talking about loading http:// or "non-secure" resources in the current https session, which means literally that those parts of the data can be visible to others on the network, including the ISP. – m3nda Mar 01 '15 at 05:17
  • @erm3nda : No, my answer says that if a secure negotiation fails for https, then data will be sent and received like with an http:// URL *(communications will happen over plain TCP without the SSL layer)*, but it would still use an https:// like URL. – user2284570 Mar 01 '15 at 16:21
  • @user2284570 The question is not about being able to connect over http through an initial https connection. It is about sending https content over the http protocol. I'm still working on that, because I'm not an expert and I don't know how the server & browser pair handles http/https protocols. – m3nda Mar 01 '15 at 19:44
  • @erm3nda : The title and "To mitigate this, I want to know if it is possible to access a page via HTTP which is secured with SSL" makes it clear it is about sending/receiving plain HTTP on an HTTPS *(HTTP over SSL)* only page. – user2284570 Mar 01 '15 at 21:25
  • HTTP is not a type of data; it is the protocol it uses. Maybe the asker is not asking the right thing. I'm confused now. – m3nda Mar 03 '15 at 00:29
  • @erm3nda : I never talked about a type of data. You are the only one to bring it up. Or maybe you aren't understanding the OSI model? – user2284570 Mar 07 '15 at 08:25
  • So, finally, that would be only possible if the website owner allows you to get http (server rules). I will never fall back to non-SSL when I work with important data. But I read the question again a lot of times, and you're right. His question is about getting the http version of an https (by default or not) website. But sometimes we forget that the https is in fact ANOTHER website on another port, which usually shows the same info. Regards user. A condensed answer would be: Yes, in default environments, or if the owner doesn't block you from doing so. – m3nda Mar 07 '15 at 18:51
    That screenshot says "Encryption protocol" "AES". Seems like you're still using https (http over TLS). The browser did not fall back to http. You're gonna have to do a little more digging to find out why the browser says the connection is insecure. Don't assume that it's because encryption is not being used. – Navin Jan 21 '21 at 04:58
  • @Navin not at the browser level, but at the cipher level there's no encryption. – user2284570 Jan 21 '21 at 05:22
    Says who? The browser says it's using AES. Post a wireshark screenshot showing plaintext in the packet and I'll believe you – Navin Jan 21 '21 at 05:44
  • @Navin : no, it says it failed to apply such said encryption level… – user2284570 Feb 01 '22 at 13:40
  • Dude, just google the error message (“The server attempted to apply security measures, but failed"). Here’s someone else that got the same message except this guy confirmed that it was caused by an http on an https page and had nothing to do with encryption: https://webmasters.stackexchange.com/questions/47779/https-connection-treated-differently-across-browsers – Navin Feb 02 '22 at 18:25