by bjpbakker 2946 days ago
Redirecting HTTP requests to HTTPS should not be the default thing to do. It introduces vulnerabilities (such as MITM attacks) that are hardly considered in most configurations (from what I've seen around).

The default connection to your web server should be HTTPS, not HTTP. HSTS is an option to set this up properly.

3 comments

You should definitely use HSTS, but I think this is about catching those people entering "website.com" in their browser, where the default behaviour (having never visited the site before) is connecting via HTTP. You want those redirected to an HSTS-enabled HTTPS connection immediately, and this seems to be a good place to put this functionality?
> catching those people entering "website.com"

When the domain is registered to use HSTS their browser will use a TLS connection the first time they ever connect to your website.

> You want those redirected to a HSTS enabled HTTPS connection immediately

Websites that depend on advertising probably do as they often want to support very old browsers. Otherwise there's no real need for a redirect/connection upgrade IMO.

First time a client connects it'll be HTTP. Then they'll see the HSTS header. Subsequent connections will be HTTPS.
That's why there is the HSTS preload list [0], so that browsers can know this before making the HTTP request.

If you don't want to add your domain to the preload list, you will have to (automatically) redirect/upgrade users to HTTPS, or bounce them.

[0] - https://hstspreload.org/

> That's why there is the HSTS preload list

which has the following requirements: 1. Serve a valid certificate. 2. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.

oops.

In the second part of that sentence:

> if you are listening on port 80

You don't have to accept traffic on the http port for HSTS preloading. But iff you do, you must redirect it.

This rule makes sense; at least you should never serve content over http.
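The two preload requirements quoted above (a valid certificate, and a same-host HTTP-to-HTTPS redirect if port 80 is open) sit beside header-level requirements that hstspreload.org also imposes: a `max-age` of at least one year (31536000 seconds), `includeSubDomains`, and the `preload` token. The following is an added example, not code from this thread or from hstspreload.org: it parses a `Strict-Transport-Security` header value and a captured port-80 response (status plus `Location`) and reports which of those requirements fail. The header values, host name and redirect targets are constructed sample data; a real check would feed it the responses observed from your own origin.

```python
"""Audit an HSTS header and a port-80 redirect against the HSTS preload requirements.

Added example. The inputs below are constructed samples, not captured from any real site.
"""
from urllib.parse import urlsplit

# hstspreload.org minimum max-age: one year, in seconds.
ONE_YEAR = 31536000

# Redirect status codes that keep the browser moving to the HTTPS origin.
REDIRECT_STATUSES = (301, 302, 307, 308)


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into {directive: value}.

    Directive names are case-insensitive (RFC 6797), so they are lower-cased.
    Valueless directives (includeSubDomains, preload) map to an empty string.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def check_hsts_header(header_value):
    """Return the list of preload problems with a header value; empty means eligible."""
    problems = []
    directives = parse_hsts(header_value)
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return problems


def check_port80_redirect(request_host, status, location):
    """Check that a plain-HTTP response is a redirect to https:// on the same host.

    Only relevant when port 80 is open; if nothing listens there, there is nothing to check.
    """
    problems = []
    if status not in REDIRECT_STATUSES:
        problems.append(f"status {status} is not a redirect")
        return problems
    if location is None:
        problems.append("redirect without Location header")
        return problems
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"redirect target scheme is {target.scheme!r}, not https")
    if target.hostname != request_host:
        problems.append(f"redirect leaves host {request_host} for {target.hostname}")
    return problems


def audit(request_host, port80_status, port80_location, hsts_value):
    """Combine both checks into one report; an empty list means the origin passes."""
    return check_port80_redirect(request_host, port80_status, port80_location) + check_hsts_header(hsts_value)


if __name__ == "__main__":
    # Constructed samples: a compliant origin and one with the usual mistakes.
    print("good:", audit("example.com", 301, "https://example.com/",
                         "max-age=31536000; includeSubDomains; preload"))
    print("bad: ", audit("example.com", 302, "http://www.example.com/",
                         "max-age=300"))
```

The "bad" sample shows the failure modes worth catching before submitting a domain: a redirect that stays on http://, one that hops to another host (the preload rule requires the same host), and a short `max-age` that would leave first-time visitors unprotected once the preload entry is withdrawn.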

This is one of those things security people say that just does not jibe with reality. Everything in security is a trade-off with usability, and not having your site on http, just for a redirect to https, is just completely not feasible.
Even if you are not listening on port 80, a MITM attack could just pretend to be you and listen on port 80.