Is redirecting http to https a bad idea?

Solution 1:

An HTTP request that includes a session ID cookie is subject to session hijacking attacks. It is important that, if you do allow HTTP and redirect to HTTPS, cookies are marked as secure.

I can't see any technical reason why HTTP needs to be completely blocked either, and many sites do forward HTTP to HTTPS. When doing this it is highly advisable to implement HTTP Strict Transport Security (HSTS), a web security mechanism that declares that browsers are to only use HTTPS connections.

HSTS is implemented by specifying a response header such as Strict-Transport-Security: max-age=31536000. Complying user agents will automatically turn insecure links into secure links, thereby reducing the risk of man-in-the-middle attacks. Additionally, if there is a risk that the certificate isn't secure, e.g. the root authority isn't recognised, then an error message is displayed and the response is not shown.

Solution 2:

Going from HTTP to HTTPS is actually a not-so-good idea. For example, an attacker could do a man-in-the-middle attack using a tool like sslstrip. To address this problem, you should use the HSTS protocol. It's supported by all major browsers (Internet Explorer, which is the latest adopter, is supporting it starting from IE12), and in use by many of the top sites (e.g., PayPal, Google).

Solution 3:

I don't see any technical risk (except for the one in the update at the end of my answer) in redirecting from HTTP to HTTPS. For example, Gmail and Yahoo Mail are doing it. You can check that by using an HTTP debugging tool (like Fiddler), where you can clearly see the 302 redirect response returned by the server.

I believe that blocking is a bad idea from a usability perspective. Many times users enter an address in the browser without specifying HTTP or HTTPS. For example, I access Gmail by typing "mail.google.com", which defaults to "http://mail.google.com" and which is automatically redirected to "https://mail.google.com". Without the automatic redirect I would always have to type the full address.

I agree with the quoted article that HTTPS is the best method against MITM attacks, but I don't agree that it is the best practice against phishing. User education is indeed a key factor against phishing attacks (the users have to check that they are accessing the site from the correct domain), but in no way do you achieve that education by blocking the HTTP redirect to HTTPS.

Update: @Pedro and @Spolto are right. Special care must be taken with sensitive cookies (like session or authentication cookies), which indeed should be marked as secure, so that they will only be transmitted over HTTPS. I missed that one. +1 to both of you.
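Putting the advice from the answers above into code (redirect plain HTTP, send HSTS only on HTTPS responses, mark the session cookie Secure), as an added example that is not from any of the answers: handle_request, cookie_attributes and audit_response are hypothetical names standing in for a real framework handler, and example.test is a constructed host.

```python
from urllib.parse import urlunsplit

HSTS_MAX_AGE = 31536000  # one year, the value quoted in the first answer


def handle_request(scheme, host, path, session_id=None):
    """Hardened handler (hypothetical): returns (status, headers) for a request."""
    if scheme == "http":
        # Plain-HTTP request: redirect only. Set no cookie here, and skip HSTS:
        # browsers ignore Strict-Transport-Security on responses received over
        # HTTP (RFC 6797, section 8.1), so the header is only useful on HTTPS.
        return 301, {"Location": urlunsplit(("https", host, path, "", ""))}
    headers = {"Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}"}
    if session_id is not None:
        # Secure: the browser never sends it over HTTP, so a downgraded request
        # cannot leak it. HttpOnly keeps it out of reach of page scripts.
        headers["Set-Cookie"] = f"sessionid={session_id}; Secure; HttpOnly; Path=/"
    return 200, headers


def cookie_attributes(set_cookie):
    """Lower-cased attribute names of a Set-Cookie value, e.g. {'secure', 'httponly', 'path'}."""
    parts = [p.strip() for p in set_cookie.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


def audit_response(scheme, status, headers):
    """Check one (scheme, status, headers) against the advice in the answers.

    Returns a list of finding strings; an empty list means the response is fine.
    """
    findings = []
    cookie = headers.get("Set-Cookie")
    if scheme == "http":
        redirected = status in (301, 302, 307, 308)
        if not redirected or not headers.get("Location", "").startswith("https://"):
            findings.append("HTTP request was served instead of redirected to HTTPS")
        if cookie is not None:
            findings.append("cookie set over plain HTTP")
    elif "Strict-Transport-Security" not in headers:
        findings.append("HTTPS response lacks Strict-Transport-Security")
    if cookie is not None and "secure" not in cookie_attributes(cookie):
        findings.append("session cookie lacks the Secure attribute")
    return findings


# Constructed example of the weak setup the answers warn about: the session
# cookie is set on the plain-HTTP response before the redirect, without Secure.
WEAK_HTTP_RESPONSE = (302, {"Location": "https://example.test/",
                            "Set-Cookie": "sessionid=abc123; Path=/"})
```

Running audit_response over the weak response yields two findings, while the hardened handler's HTTP and HTTPS responses both come back clean.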