by aeon10 4570 days ago
A lot of ecommerce sites (Amazon, Flipkart) seem to use HTTP over HTTPS, even when you're logged in. These sessions can easily be hijacked. I assume this is because of the handshake latency of HTTPS. Is there no way around this latency to make your website feel faster? I imagine there isn't, because even Amazon uses HTTP.

Amazon uses HTTPS for any important/sensitive pages. There are two sessions, one for HTTP, one for HTTPS.
What if the HTTP page is MITMed and links to secure pages are replaced to point somewhere else? It's all or nothing.
What if DNS is MITMed?
No one cares as long as you are using HTTPS, which is the point.

If you aren't using HTTPS for all of your site, you are vulnerable to MITM attacks.

Presumably, the browser still needs to interrogate DNS even if it talks over HTTPS, no?
Sure, and this is what HTTPS certificates from a CA are for. If your users are willing to click through the "warning: self-signed certificate" popups, then they're vulnerable, of course. But if they don't make that mistake, then your DNS result is reliable unless someone compromises the CA. Of course, CAs do get compromised.

Or did I miss the point of your comment?

Can you explain more on how two sessions would work? I mean, if the hijacker hijacks the HTTP session, he can convert it to HTTPS by following the same steps the user does, since Amazon does not ask the user to reauthenticate on HTTPS pages.
You can set the secure flag when creating a cookie which will only send it over an HTTPS connection.

It is possible to use both schemes, but it is likely better to stick to all SSL if possible in case of developer error causing something to get exposed when it shouldn't.

You have two cookies, one for HTTP, one for HTTPS. The latter uses a secure flag so it can't be seen with HTTP connections. When the user logs in, both are set.
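
The two-cookie scheme described in the replies above, sketched as an added example that is not from any commenter or from Amazon's code. The cookie names `browse_sid` and `secure_sid` and the `/account` and `/checkout` paths are hypothetical; the browser's rule for the Secure flag is modeled in `cookies_sent`.

```python
import secrets
from http.cookies import SimpleCookie

def login_set_cookie_headers():
    """Set-Cookie values issued at login (the login response itself is HTTPS)."""
    jar = SimpleCookie()
    jar["browse_sid"] = secrets.token_urlsafe(32)  # hypothetical name: plain-HTTP pages
    jar["secure_sid"] = secrets.token_urlsafe(32)  # hypothetical name: sensitive pages
    for name in ("browse_sid", "secure_sid"):
        jar[name]["path"] = "/"
        jar[name]["httponly"] = True               # keep both away from page scripts
    jar["secure_sid"]["secure"] = True             # browser never sends it over http://
    return [morsel.OutputString() for morsel in jar.values()]

def cookies_sent(set_cookie_headers, scheme):
    """Model the browser: a cookie with the Secure flag is attached to HTTPS only."""
    sent = {}
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            if morsel["secure"] and scheme != "https":
                continue                           # withheld on plain HTTP
            sent[name] = morsel.value
    return sent

def authorize(path, scheme, cookies, session):
    """Server check: sensitive paths require HTTPS and the Secure cookie."""
    if path.startswith(("/account", "/checkout")):  # hypothetical sensitive paths
        return scheme == "https" and secrets.compare_digest(
            cookies.get("secure_sid", ""), session["secure_sid"])
    return secrets.compare_digest(cookies.get("browse_sid", ""), session["browse_sid"])

if __name__ == "__main__":
    headers = login_set_cookie_headers()
    session = cookies_sent(headers, "https")       # server-side record of both ids
    on_the_wire = cookies_sent(headers, "http")    # all a passive HTTP observer sees
    print("sent over http: ", sorted(on_the_wire))
    print("sent over https:", sorted(session))
    # Replaying the observed HTTP cookie against a sensitive page is rejected.
    print("checkout with http cookie only:",
          authorize("/checkout", "https", on_the_wire, session))
    print("checkout with both cookies:    ",
          authorize("/checkout", "https", session, session))
```

The `browse_sid` cookie is still exposed on HTTP pages, so this only protects the sensitive paths; the link-rewriting concern raised earlier in the thread is not addressed by it.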