occasionally useful ruby, ubuntu, etc


Why not HTTPS every page?

It frustrates me to no end when I find login pages served from insecure (HTTP) pages (I'm looking at you, VerizonWireless and CenturyLink). I'll often put in garbage credentials and hit submit so it'll redirect me to a secure version of the login page with the "invalid credentials" error on top. But it occurred to me, this isn't much safer either.

The conventional wisdom, as far as I can tell, is to have certain pages be served securely (login/register, account management) and to have other pages served insecurely (homepage, informational pages, etc). But this doesn't make sense to me, because the only way to reach the secure pages is from the insecure pages. Which means it's not enough to simply have your homepage link to a separate secure login page -- that's not secure. A determined attacker could perform a MITM attack on the homepage and just alter that link to point to their own site, and hope people don't notice. In fact it might be really hard for people to notice if the attack is sufficiently clever -- I recall there was an attack in which an alternate version of the microsoft.com domain was registered using a unicode character very closely resembling the letter "o", but not actually an "o".

Even if you secure every page, the attacker could go further because you need to have an HTTP version of each page that redirects to the HTTPS version (e.g. http://www.dropbox.com/ redirects to https://www.dropbox.com/). Since that's insecure, an attacker could intercept that as well and redirect to another site. There isn't a perfect solution for this, but there is a way to mitigate this approach: HSTS. Once you've visited a site with HSTS enabled (assuming a compliant browser), all future insecure links to that site will be rewritten as HTTPS links, and if the security of the site can't be ensured, display an error. The initial HTTP request is still vulnerable, but all subsequent requests are secured.

So the next time I create a website that has at least one page handling sensitive information (e.g. credentials), I'll be making every page HTTPS and using the HSTS policy headers. It's the only way to strongly mitigate MITM attacks that I can see.

Disclaimer: I'm not a security researcher, just documenting some ideas I've been pondering about. Please don't rely on this blog as your sole or authoritative source for securing your website.

Filed under: security Leave a comment
Comments (0) Trackbacks (0)

No comments yet.

Leave a comment

No trackbacks yet.