Any security concerns using a http redirect to https?

Hi!

Are there significant security concerns if we activate an HTTP redirect to HTTPS?

It's easy to implement, but should it be used?

.) another port (80) will be opened

.) another port will give additional possibilities for compromising the WS

.) weak implementation of the http protocol can be used for compromising the WS

.) weakness in the redirect implementation itself can be used

What would you do?

We are running WS 6.1 SP4 on Solaris 9.

Nick

[504 byte] By [der_niki] at [2007-11-26 9:15:02]
# 1

I wouldn't worry about uncovering additional vulnerabilities in the web server software itself. Instead, I think you need to be concerned about sensitive information being accidentally transmitted over unsecured HTTP due to human error:

1. A user might mistakenly attempt to access http://example.com/secret instead of https://example.com/secret, where "secret" is sensitive information that should not be transmitted in plain text.

2. A web content developer or web application developer might mistakenly use an http:// URL in hosted content. This could result in sensitive URIs or form data being transmitted in clear text.

In both cases, if you have a server listening on port 80, the sensitive information will be transmitted in plain text. If you didn't have a server listening on port 80, the web browser would have reported an error and the sensitive information would not have been exposed.

Whether these concerns are "significant" depends on the information being exchanged. I suspect they're not.

elving at 2007-7-6 23:39:39
# 2
Well, in our case no text is transmitted via HTTP, because the redirect should only help users correct their URL mistyping when opening the (first) homepage.
der_niki at 2007-7-6 23:39:39
# 3
You've missed my point entirely. Yes, that is what the non-SSL port "should" do. However, the risk is that other information will be unintentionally exposed through human error.
elving at 2007-7-6 23:39:39
# 4

Hi elving,

Even so, our application doesn't expect any user input data in the URL when the homepage is called.

So for example

http://financial-site.com/<user-credentials> <-- makes no sense

or

http://financial-site.com/<some arbitrary code here>

simply is redirected to

https://financial-site.com

And from this page onwards user can transmit their credentials (login data).

Did I miss the point?

der_niki at 2007-7-6 23:39:39
# 5

This depends largely on how you implement the redirect. One thing to worry about is properly escaping the URL you redirect the users to, so as not to introduce CRLF vulnerabilities. E.g., you don't want to field a request for

/something.html%0D%0ASet-Cookie:+foo=bar

and then output

Location: https://example.com/something.html

Set-Cookie: foo=bar

PeterWatkins at 2007-7-6 23:39:39
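As an added illustration of the CRLF point in the reply above (this is example code, not part of the original thread and not the Sun Web Server's own redirect logic; the hostname example.com and the function names are assumed), here is a redirect builder in its vulnerable form next to a hardened one. The naive version percent-decodes the request path before splicing it into the Location header, so `%0D%0A` becomes a real line break and the attacker's `Set-Cookie:` line follows. The hardened version keeps the path in its still-encoded form, rejects anything that is not a syntactically valid RFC 3986 path, and refuses protocol-relative `//host` targets so the redirect can only land on the intended HTTPS site.

```python
import re
from urllib.parse import unquote

HOST = "example.com"  # assumed hostname, matching the thread's example

# Characters allowed in a request path per RFC 3986 (pchar / "/" / "?") plus
# well-formed %XX escapes. Raw CR, LF, spaces or a bare '%' never match, so
# they can never reach the header line unencoded.
_SAFE_PATH = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*$")


def naive_redirect(raw_path: str) -> str:
    """Vulnerable: decodes the request path and splices it into the header.
    %0D%0A turns into a real CRLF, so whatever follows becomes a new header."""
    return f"Location: https://{HOST}{unquote(raw_path)}"


def safe_redirect(raw_path: str) -> str:
    """Hardened: keeps the path percent-encoded as received and validates it.
    Anything malformed, and any '//other-host' target, collapses to '/'
    (the homepage), which is all the HTTP->HTTPS redirect needs to do."""
    if not raw_path.startswith("/") or raw_path.startswith("//"):
        raw_path = "/"
    if not _SAFE_PATH.match(raw_path):
        # Don't try to "repair" a bad path; just send the user to the homepage.
        raw_path = "/"
    return f"Location: https://{HOST}{raw_path}"


def header_is_split(header: str) -> bool:
    """True when the header text contains a line break, i.e. a second header
    (such as an injected Set-Cookie) would be emitted by the server."""
    return "\r" in header or "\n" in header


# Constructed request target, the same one quoted in the thread: the client
# supplies an encoded CRLF followed by a header of its own choosing.
CRLF_REQUEST = "/something.html%0D%0ASet-Cookie:+foo=bar"

if __name__ == "__main__":
    print("naive :", repr(naive_redirect(CRLF_REQUEST)))
    print("safe  :", repr(safe_redirect(CRLF_REQUEST)))
    print("safe  :", repr(safe_redirect("/index.html?x=1")))
```

The check worth adding to any redirect handler is the last one: before the response leaves the server, confirm the Location value contains no CR or LF at all. Passing the raw, still-encoded path through is simpler and safer than decoding and re-escaping it, because the browser will decode `%0D%0A` only as part of the path, never as a header separator.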