oss-sec mailing list archives

Re: HTTPS (was: rubygems insecure download (and other problems))


From: Pavel Labushev <pavel.labushev () runbox no>
Date: Sat, 17 Aug 2013 11:42:04 +0800

On Thu, 15 Aug 2013 10:38:09 +0400
gremlin () gremlin ru wrote:

> On 14-Aug-2013 14:59:12 -0600, Kurt Seifried wrote:
>
>> everyone should be enabling HTTPS where possible,
>
> Very dangerous mistake. HTTPS should be used only for non-anonymous
> access, otherwise plain HTTP is preferred. In any case, let the users
> choose whether they want to use it.

Well, there's a problem with the HTTP -> HTTPS transition if it happens
during or after user authentication: if a login form resides on a page
obtained through HTTP, there's an opportunity for an attacker to steal
users' credentials by tampering with the page's content during a MitM before
the transition occurs. Of course you can redirect users to a separate
login page over HTTPS, but:
- IMHO, if they get used to HTTP and the lack of HTTPS indication
during their anonymous experience, then the chances they will check the
bar before filling in the form may be lower than if they had been
using HTTPS by default.
- Some people may consider it much less ergonomic and somewhat
contrary to the original look and feel, especially for Pjax-based
sites.
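The failure mode described in the message above (a login form embedded in a page fetched over plain HTTP, which an on-path attacker can alter before the user ever reaches HTTPS) can be checked for mechanically. The following is an added example, not code from the thread or from any of its participants: a small Python audit that parses a page's forms, flags any form with a password field that was served over HTTP or that submits to an HTTP action, and notes a missing Strict-Transport-Security header on HTTPS pages. The host `example.test`, the page HTML and the headers are constructed sample input.

```python
"""Audit login forms for the HTTP -> HTTPS transition problem.

Added example (not from the oss-sec thread). It takes a page's URL, the
response headers and its HTML, all constructed inline, and reports forms
that carry a password field but were either served over plain HTTP or
submit to a plain-HTTP action. Such forms can be altered by an on-path
attacker before the user ever reaches HTTPS.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect <form> actions and whether each form contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of dicts: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, headers, html):
    """Return a list of finding strings for the given page.

    page_url: the URL the HTML was actually fetched from (the scheme matters).
    headers:  response headers as a dict with lower-case keys.
    html:     the page body.
    """
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    parser = _FormCollector()
    parser.feed(html)

    for form in parser.forms:
        if not form["has_password"]:
            continue
        # An empty action submits back to the page's own URL.
        action_url = urljoin(page_url, form["action"] or page_url)
        action_scheme = urlsplit(action_url).scheme.lower()
        if page_scheme != "https":
            # The form itself arrived unprotected: its action, fields or
            # script can be rewritten in transit regardless of where it posts.
            findings.append(
                f"login form on HTTP page {page_url}: page content can be "
                f"modified before submission (action {action_url})")
        elif action_scheme != "https":
            findings.append(
                f"login form on {page_url} submits credentials over HTTP to {action_url}")

    # HSTS only helps once the site is served over HTTPS; flag its absence there.
    if page_scheme == "https" and "strict-transport-security" not in headers:
        findings.append(f"{page_url}: no Strict-Transport-Security header; "
                        "browsers will still accept a later plain-HTTP visit")
    return findings


# Constructed sample input: an anonymous-browsing page served over HTTP that
# embeds the login form and posts it to HTTPS (the pattern the message warns about).
HTTP_HOME_URL = "http://example.test/"
HTTP_HOME_HEADERS = {"content-type": "text/html"}
HTTP_HOME_HTML = """
<html><body>
<form action="https://example.test/session" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<form action="/search"><input name="q"></form>
</body></html>
"""

# Constructed sample input: a separate login page served over HTTPS with HSTS.
HTTPS_LOGIN_URL = "https://example.test/login"
HTTPS_LOGIN_HEADERS = {"content-type": "text/html",
                       "strict-transport-security": "max-age=31536000"}
HTTPS_LOGIN_HTML = """
<html><body>
<form action="/session" method="post">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for args in ((HTTP_HOME_URL, HTTP_HOME_HEADERS, HTTP_HOME_HTML),
                 (HTTPS_LOGIN_URL, HTTPS_LOGIN_HEADERS, HTTPS_LOGIN_HTML)):
        for line in audit_login_page(*args) or [f"{args[0]}: no findings"]:
            print(line)
```

The first sample page is flagged even though its form posts to HTTPS, which is the point of the message: the protection has to start before the form is delivered, not at submission time. The second sample (a dedicated HTTPS login page with HSTS) produces no findings; dropping the HSTS header or pointing the action at `http://` adds one finding each.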
