3

Configuring on Apache HTTPD server, many articles on the web advise to enforce HTTPS protocol by redirecting (permanently) all HTTP request to HTTPS.

Below is what I understand is happening when a user tries to reach a server supporting both HTTP and HTTPS :

  1. Client's user agent (web browser for example, but not only) sends a request to http://my.domain.com.
  2. Server receives request on port 80, and sends a permanent redirection (code 301) to https://my.domain.com.
  3. Client's user agent receives the response. Given the status code, it sends the same request to https://my.domain.com.
  4. Server receives request on port 443 and sends back the wanted content.

So, if the request contains sensitive data, between steps 1 and 2, a man-in-the-middle could recover it, non-ciphered, in the request.

If the client uses a web browser, this browser keeps in cache the 301 redirection, and the next time the client send a request using HTTP, it will automatically send it using HTTPS instead.

But, what if the client clears the cache often ? Or use another user agent than a web browser, which does not store the permanent redirection ? Don't we lose the benefit of HTTPS here ?

A concrete example : a REST API, and the requests contain sensitive data. This API can be called from any HTTP client (online, embed in a software or website, standalone).

In this case, could it be better to just disable HTTP support on server level in order to enforce the use of HTTPS ?

Edit 2017-11-14:

sys0dm1n told me about HSTS below. But the security provided by this mechanism depends entirely on the user agent's compliance to the specification.

Edit 2017-11-15:

I edit my post after the first answers I receive, to precise my concern.

Kjartan
  • 18,591
  • 15
  • 71
  • 96
Eria
  • 2,653
  • 6
  • 29
  • 56
  • 2
    Maybe you'll find it helpful: https://stackoverflow.com/questions/4365294/is-redirecting-http-to-https-a-bad-idea. – Opal Nov 14 '17 at 14:31

2 Answers2

4

To make sure always your website is using https for security, one way is to enable HSTS

Automatically turn any insecure links referencing the web application into secure links.

To enable it, you need to add a header in your vHost configuration:

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

Make sure the Header module is enabled.

You can follow the instruction here and add your domain for inclusion in Chrome's HTTP Strict Transport Security (HSTS) preload list.

This is a list of sites that are hardcoded into Chrome as being HTTPS only.

sys0dm1n
  • 819
  • 6
  • 13
  • The security provided by HSTS depends only on the user agent compliance with the specification. Is SoapUI compliant ? (ie. will it convert protocol to HTTPS _before_ sending the request to the server, as specified ?) Is curl compliant ? Or any requesting tool... – Eria Nov 14 '17 at 16:33
2

"Would disabling http entirely help?"

It probably would. I'm updating and changing my answer from 2017, because as user kamilz points out in the comments below, I was clearly to hasty, and drew the wrong conclusion. To quote Kamilz:

If the destination server is known but it doesn't listen on port 80 (or port 80 is blocked), TCP handshake should fail and still no HTTP data would be sent over the wire. If it listens on 80, it will accept TCP connection and data would be send over the wire in the plaintext.

That makes sense, of course. So why could I see the sensitive data in the pictures below? Kamilz explains that too:

Fiddler acts as a web proxy and that's why it is able to see original request.

That data is simply not sent yet - it was still on my machine, and no DNS lookup had yet been performed. At some point after having passed through Fiddler, the DNS lookup would have been performed, but no valid IP address would have been found1, and since there would be no valid IP, there would be no place to send the content at all.

(1. That is, assuming nobody registers the address http://somefakeurlthatdoesnotexistanywhare.com, with my silly spelling error and all).

Previous, incorrect answer

For context, here's my original answer (who knows, it might even be enlightening, and help others avoid drawing the same false conclusion):

No, I don't think it would, and here`s why: Presumably, your client / browser does not know if a site running http exists before a request is sent. Sure, it will receive an error code like 404 or something similar, but at that point, the original request will already have been sent over the wire, and any "man in the middle" may well have been able to observe that request.

As a simple illustration of the problem, here's a call to a fake http-url, made from Postman, an caught in Fiddler. As you can see, a 502 error is returned, but the original request still contained the sensitive data.

enter image description here

Now just for a comparison, if I do the same, but just change the url to https instead, I get a different result in Fiddler:

enter image description here

This tries to set up a tunnel, and does not reveal any of the post-data.

So in conclusion, your best option is probably to enable HSTS and get your site on the HSTS preload list, which should stop any HTTP-request from being sent to begin with (at least for recent versions of most major browsers).

Kjartan
  • 18,591
  • 15
  • 71
  • 96
  • I agree it's not ideal for a public website. But for a REST API, for example. You could specify that every request must be sent using HTTPS. So the client will be aware of that. And yes, in the first request using HTTP, an attacker could read potential sensible data. But if my frontal Apache server redirects it to HTTPS, what will make the user to change protocol ? nothing. If he gets an error, he will correct the request protocol (particularly in case of an automated requesting tool, such as a batch script). – Eria Nov 15 '17 at 10:38
  • For me, HSTS is a great practice. I didn't know about it, and I certainly will enable it. But I don't think it's enough. – Eria Nov 15 '17 at 10:56
  • 1
    @Eria You're right, ofcourse - for a REST API, it makes no sense to provide a http-version of or your service, or to redirect to https - you're probably better off providing https only. My point is just that disabling http will not hinder a client from sending a http request. HTSTS on the other hand will do exactly that - at least for clients that implement it. – Kjartan Nov 15 '17 at 11:18
  • 1
    I don't think this answer is correct. At least the presented evidence is not. Fiddler acts as a web proxy and that's why it is able to see original request. What happens in presented case is that DNS resolution fails and no HTTP data is sent anywhere as the destination is just unknown. – kamilz Apr 05 '23 at 14:06
  • 1
    If the destination server is known but it doesn't listen on port 80 (or port 80 is blocked), TCP handshake should fail and still no HTTP data would be sent over the wire. If it listens on 80, it will accept TCP connection and data would be send over the wire in the plaintext. – kamilz Apr 05 '23 at 14:07
  • 1
    @kamilz Thanks, appreciate the feedback, even after almost six years! :D I took the liberty of quoting your comment in my revised answer. – Kjartan May 08 '23 at 11:44