Posted to users@httpd.apache.org by Tom Browder <to...@gmail.com> on 2012/07/12 13:02:18 UTC
[users@httpd] How to serve https only? Is this correct?
I want to have NO http traffic on my site. Is this the correct way to
ensure I serve everything on my site via https:
<VirtualHost *:80>
ServerName tb.com
ServerAlias *.tb.com
Redirect permanent / https://tb.com/
</VirtualHost>
...
Thanks so much.
Best regards,
-Tom
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] How to serve https only? Is this correct?
Posted by Mark Montague <ma...@catseye.org>.
On July 12, 2012 12:20 , Nick Kew <ni...@webthing.com> wrote:
>> 1. An HTTPS proxy.
> Browser will warn you in no uncertain terms. You'd need a bit of
> social engineering:
The browser won't warn you and you won't need social engineering if the
certificate presented by the proxy is signed by a CA trusted by the
user's browser. Obtaining such certificates from commercial CAs has
been a focus of the attacks against CAs over the past three years, for
example:
http://tech.slashdot.org/story/11/10/28/1954201/four-cas-have-been-compromised-since-june
A more common scenario is that someone with access and control to your
machine installs a certificate for their own self-created CA and then
has this CA sign the certificates used by the HTTPS proxy. The web
browser will not complain (unless the user is using an add-on such as
CertPatrol for Firefox), and the user will only notice if they inspect
the certificate itself.
As an example (applicable to both of the cases above), here's an article
on how to set up a transparent HTTPS proxy:
http://blog.davidvassallo.me/2011/03/22/squid-transparent-ssl-interception/
>> If I were in your situation, I would prefer the solution you originally
>> posted (redirecting all HTTP requests to HTTPS) over disabling HTTPS
>> entirely because it's more user-friendly.
> And if I were a man-in-the-middle, I could trivially redirect them
> to my evil proxy, thus capturing the session.
And the MITM can still do this, even if your web server is not listening
on port 80, to capture the traffic of anyone who tries to access your
site by typing the FQDN into their web browser's address bar without
specifying the protocol.
Granted, this will likely be a smaller set of people than if you
accepted HTTP traffic and redirected it to HTTPS.
>> while making your
>> site harder to access for users who don't know to type "https://" in
>> their browser location bars as a part of all URLs for your site.
> Why will it be harder? If there's no "http://" URL, no one will link
> to it or bookmark it in the first place. All links to you (including
> google et al) will go directly to the secure URL.
I guess this depends on the habits of your user population. If people
only use links and bookmarks, then your point is valid. However, I have
observed my users typing "www.example.com" into the address bar of their
web browser in order to get to sites (in addition to using web searches,
links, and bookmarks). Based on this observation, I'd weigh security
with user friendliness and choose to set up HTTP-to-HTTPS redirects for
either just / or for all URL paths for all but the most
security-critical sites.
--
Mark Montague
mark@catseye.org
Re: [users@httpd] How to serve https only? Is this correct?
Posted by Tom Browder <to...@gmail.com>.
On Thu, Jul 12, 2012 at 11:20 AM, Nick Kew <ni...@webthing.com> wrote:
> On Thu, 12 Jul 2012 11:32:01 -0400
> Mark Montague <ma...@catseye.org> wrote:
...
>> HTTPS makes it harder to do man-in-the-middle (MITM) attacks, but MITM
>> attacks are still possible against HTTPS.
...
> Up to a point, Lord Copper.
...
>> If I were in your situation, I would prefer the solution you originally
>> posted (redirecting all HTTP requests to HTTPS) over disabling HTTPS
>> entirely because it's more user-friendly.
>
> And if I were a man-in-the-middle, I could trivially redirect them
> to my evil proxy, thus capturing the session.
...
So, Nick, is it possible to have the server listen to port 80, send a
generic message that the user really needs to use https, and then
terminate the connection, thus preventing the MITM?
-Tom
Re: [users@httpd] How to serve https only? Is this correct?
Posted by Nick Kew <ni...@webthing.com>.
On Thu, 12 Jul 2012 11:32:01 -0400
Mark Montague <ma...@catseye.org> wrote:
> On July 12, 2012 11:03 , Tom Browder <to...@gmail.com> wrote:
> > I like the "friendly" approach, but I made the statement, "I want to
> > have NO http traffic on my site," because I saw in a post from a
> > Mozilla Persona site a reference to another link that there is a
> > possibility of a man-in-the-middle attack using it.
>
> It is trivial to do a man-in-the-middle attack against HTTP.
>
> HTTPS makes it harder to do man-in-the-middle (MITM) attacks, but MITM
> attacks are still possible against HTTPS.
Up to a point, Lord Copper.
> 1. An HTTPS proxy.
Browser will warn you in no uncertain terms. You'd need a bit of
social engineering: get a certificate for the domain whose traffic
you're snooping on, or a domain name that pretends to be something
it's not and tricks the user.
Of course the latter is facilitated by "Verified by Visa" not merely
encouraging but REQUIRING users to send secure data to an undisclosed
third party: precisely the behaviour a fraudster needs to trick
them into.
> If I were in your situation, I would prefer the solution you originally
> posted (redirecting all HTTP requests to HTTPS) over disabling HTTPS
> entirely because it's more user-friendly.
And if I were a man-in-the-middle, I could trivially redirect them
to my evil proxy, thus capturing the session.
If an attacker used a MITM
> attack against the HTTP traffic, the only thing going through your
> server is the redirect itself. An attacker could choose to do more
> things than your server allows -- for example, they could proxy all HTTP
> requests to the HTTPS virtual host on your server, thus making your
> entire site available through them via HTTP -- but note that disabling
> HTTP on your server will do nothing to prevent this
It'll prevent a trivial redirect as above!
> while making your
> site harder to access for users who don't know to type "https://" in
> their browser location bars as a part of all URLs for your site.
Why will it be harder? If there's no "http://" URL, no one will link
to it or bookmark it in the first place. All links to you (including
google et al) will go directly to the secure URL.
--
Nick Kew
Re: [users@httpd] How to serve https only? Is this correct?
Posted by Mark Montague <ma...@catseye.org>.
On July 12, 2012 11:03 , Tom Browder <to...@gmail.com> wrote:
> I like the "friendly" approach, but I made the statement, "I want to
> have NO http traffic on my site," because I saw in a post from a
> Mozilla Persona site a reference to another link that there is a
> possibility of a man-in-the-middle attack using it.
It is trivial to do a man-in-the-middle attack against HTTP.
HTTPS makes it harder to do man-in-the-middle (MITM) attacks, but MITM
attacks are still possible against HTTPS. Do a web search for "https
man in the middle" for examples. There are two main types of MITM
attacks against HTTPS:
1. An HTTPS proxy. This is easy to detect unless the proxy is able to
sign SSL certificates using a certification authority trusted by the
client (this could easily be set up by a company for its own
workstations), but many users will click through certificate warnings
without reading them.
2. Protocol or implementation vulnerabilities. There have been a number
of these over the years; an example of a recent one is the BEAST exploit
( https://www.schneier.com/blog/archives/2011/09/man-in-the-midd_4.html ).
If I were in your situation, I would prefer the solution you originally
posted (redirecting all HTTP requests to HTTPS) over disabling HTTPS
entirely because it's more user-friendly. If an attacker used a MITM
attack against the HTTP traffic, the only thing going through your
server is the redirect itself. An attacker could choose to do more
things than your server allows -- for example, they could proxy all HTTP
requests to the HTTPS virtual host on your server, thus making your
entire site available through them via HTTP -- but note that disabling
HTTP on your server will do nothing to prevent this while making your
site harder to access for users who don't know to type "https://" in
their browser location bars as a part of all URLs for your site.
--
Mark Montague
mark@catseye.org
Re: [users@httpd] How to serve https only? Is this correct?
Posted by Filipe Cifali <ci...@gmail.com>.
If you want no traffic, don't listen.
Block on firewall w/ tcp-reject and don't use Apache to listen to http.
A more "friendly" way is to redirect VIA firewall all --dport 80 to --dport
443.
2012/7/12 Tom Browder <to...@gmail.com>
> On Thu, Jul 12, 2012 at 9:08 AM, Mark Montague <ma...@catseye.org> wrote:
> > On July 12, 2012 8:02 , Tom Browder <to...@gmail.com> wrote:
> >> On Thu, Jul 12, 2012 at 6:37 AM, Nick Kew<ni...@webthing.com> wrote:
> >>> On 12 Jul 2012, at 12:02, Tom Browder wrote:
> >>>
> >>>> I want to have NO http traffic on my site. Is this the correct way
> to...
> ...
> > Nick's answer is the correct and literal answer. The "single solution
> for
> > HTTPS only" that you are looking for is:
> >
> > - Delete any Listen directive for port 80 and also
> > - Delete any VirtualHost stanza for port 80 (for example, your
> "<VirtualHost
> > *:80>" stanza.
> ...
> > The configuration you posted in your original message will accept HTTP
> > traffic and redirect all of it to the HTTPS virtual host. This is the
> > "standard" and "user friendly" solution that most sites which want to
> secure
> > all of their pages implement, but note that the initial redirects all
> occur
> > over HTTP and so you are still accepting some small amount of HTTP
> traffic.
> > The reasons you want to have no HTTP traffic on your site are important
> to
> > consider in order to choose the best overall solution: If port 80 is
> > blocked at your firewall, or if you are concerned about people taking
> > advantage of some theoretical (and unlikely) security hole in Apache HTTP
> > Server that is exploitable over HTTP but not over HTTPS, then you'd want
> the
> > solution Nick presented.
>
> Thanks for the reply, Mark.
>
> I like the "friendly" approach, but I made the statement, "I want to
> have NO http traffic on my site," because I saw in a post from a
> Mozilla Persona site a reference to another link that there is a
> possibility of a man-in-the-middle attack using it.
>
> Best regards,
>
> -Tom
>
--
[]'s
Filipe Cifali Stangler
Re: [users@httpd] How to serve https only? Is this correct?
Posted by Tom Browder <to...@gmail.com>.
On Thu, Jul 12, 2012 at 9:08 AM, Mark Montague <ma...@catseye.org> wrote:
> On July 12, 2012 8:02 , Tom Browder <to...@gmail.com> wrote:
>> On Thu, Jul 12, 2012 at 6:37 AM, Nick Kew<ni...@webthing.com> wrote:
>>> On 12 Jul 2012, at 12:02, Tom Browder wrote:
>>>
>>>> I want to have NO http traffic on my site. Is this the correct way to...
...
> Nick's answer is the correct and literal answer. The "single solution for
> HTTPS only" that you are looking for is:
>
> - Delete any Listen directive for port 80 and also
> - Delete any VirtualHost stanza for port 80 (for example, your "<VirtualHost
> *:80>" stanza.
...
> The configuration you posted in your original message will accept HTTP
> traffic and redirect all of it to the HTTPS virtual host. This is the
> "standard" and "user friendly" solution that most sites which want to secure
> all of their pages implement, but note that the initial redirects all occur
> over HTTP and so you are still accepting some small amount of HTTP traffic.
> The reasons you want to have no HTTP traffic on your site are important to
> consider in order to choose the best overall solution: If port 80 is
> blocked at your firewall, or if you are concerned about people taking
> advantage of some theoretical (and unlikely) security hole in Apache HTTP
> Server that is exploitable over HTTP but not over HTTPS, then you'd want the
> solution Nick presented.
Thanks for the reply, Mark.
I like the "friendly" approach, but I made the statement, "I want to
have NO http traffic on my site," because I saw in a post from a
Mozilla Persona site a reference to another link that there is a
possibility of a man-in-the-middle attack using it.
Best regards,
-Tom
Re: [users@httpd] How to serve https only? Is this correct?
Posted by Mark Montague <ma...@catseye.org>.
On July 12, 2012 8:02 , Tom Browder <to...@gmail.com> wrote:
> On Thu, Jul 12, 2012 at 6:37 AM, Nick Kew<ni...@webthing.com> wrote:
>> On 12 Jul 2012, at 12:02, Tom Browder wrote:
>>
>>> I want to have NO http traffic on my site. Is this the correct way to
>> No.
> I see lots of mixed http/https setups, but no
> single solution for https only is a locked down site.
Nick's answer is the correct and literal answer. The "single solution
for HTTPS only" that you are looking for is:
- Delete any Listen directive for port 80 and also
- Delete any VirtualHost stanza for port 80 (for example, your
"<VirtualHost *:80>" stanza.
If you do this, Apache HTTP Server will not use HTTP for any client, and
clients that access http://tb.com/ (in your example) will get an error
saying that they were unable to establish a connection. The error
message will be the same error message they will get if they try to
access a machine that is not running a web server at all.
The configuration you posted in your original message will accept HTTP
traffic and redirect all of it to the HTTPS virtual host. This is the
"standard" and "user friendly" solution that most sites which want to
secure all of their pages implement, but note that the initial redirects
all occur over HTTP and so you are still accepting some small amount of
HTTP traffic.
The reasons you want to have no HTTP traffic on your site are important
to consider in order to choose the best overall solution: If port 80
is blocked at your firewall, or if you are concerned about people taking
advantage of some theoretical (and unlikely) security hole in Apache
HTTP Server that is exploitable over HTTP but not over HTTPS, then you'd
want the solution Nick presented. But if you simply want to ensure
that all actual content is served securely while not making your site
difficult to access by non-technical users (e.g., those who omit typing
"https://" at the start of the URL in their web browser's location bar)
then you probably are asking the wrong question -- you probably DO want
your web server to accept HTTP, but use the configuration that you had
in your original message to redirect all HTTP requests to HTTPS.
--
Mark Montague
mark@catseye.org
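The two configurations Mark contrasts above (and Nick's point that the Listen directive decides whether port 80 is served at all), as an added httpd.conf example that is not from the thread. The certificate and DocumentRoot paths are assumptions, and the Strict-Transport-Security header is an addition beyond what the thread discusses.

```apache
# Added example, not code from the thread: an httpd.conf fragment for the
# tb.com site discussed above. Certificate and DocumentRoot paths are assumed.

# --- Option A: no HTTP at all (Nick's and Mark's literal answer) ---
# Delete every "Listen 80" so httpd never binds the port. http://tb.com/ then
# fails with a connection error, exactly like a host running no web server.
Listen 443

<VirtualHost *:443>
    ServerName tb.com
    # The certificate must also cover any ServerAlias names (wildcard or SAN).
    ServerAlias *.tb.com
    # Assumed paths.
    DocumentRoot /var/www/tb.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/tb.com.crt
    SSLCertificateKeyFile /etc/ssl/private/tb.com.key

    # Not discussed in the thread, but it addresses Tom's question about the
    # redirect being intercepted, for returning visitors: a browser that has
    # seen this header refuses plain http:// for this host until max-age
    # expires, so there is no cleartext hop left for an on-path attacker.
    # Requires mod_headers.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

# --- Option B: accept HTTP only to redirect it (Tom's original config) ---
# Uncomment to use. The port 80 host sends nothing but the 301;
# "Redirect permanent /" matches every path and preserves it, so
# http://tb.com/foo becomes https://tb.com/foo.
# Listen 80
# <VirtualHost *:80>
#     ServerName tb.com
#     ServerAlias *.tb.com
#     Redirect permanent / https://tb.com/
# </VirtualHost>
```

Apache httpd does not allow comments after a directive on the same line, which is why every comment above sits on its own line.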
Re: [users@httpd] How to serve https only? Is this correct?
Posted by Tom Browder <to...@gmail.com>.
On Thu, Jul 12, 2012 at 6:37 AM, Nick Kew <ni...@webthing.com> wrote:
>
> On 12 Jul 2012, at 12:02, Tom Browder wrote:
>
>> I want to have NO http traffic on my site. Is this the correct way to
>
> No.
Thanks for the reply, Nick. I have a stack of Apache security books
(as well as your modules book), but I am looking for a cookbook
example for the situation. Ryan Barnett's book, Preventing Web
Attacks with Apache, has a detailed http.conf file but doesn't show a
fully working one. And I see lots of mixed http/https setups, but no
single solution for https only is a locked down site.
I also notice some subtleties vis-a-vis 2. vs. 2.4 as I read
more--I'll make sure I'm running 2.4.
So I will cobble on.
Best regards,
-Tom
Re: [users@httpd] How to serve https only? Is this correct?
Posted by Nick Kew <ni...@webthing.com>.
On 12 Jul 2012, at 12:02, Tom Browder wrote:
> I want to have NO http traffic on my site. Is this the correct way to
No.
The Listen directive determines whether you serve HTTP traffic.
What you have only affects how you respond to HTTP traffic once
you have already accepted it.
--
Nick Kew