I'm reading over this page and it says that if a site is SSL and the user tries to access it via regular http, the application should not redirect the user to https. It should just block him. Can someone verify the validity of this? It doesn't sound like a good idea, and I wonder what the real risk is of just forwarding the user to https. It seems that there is no technical reasons behind it, just that it's a good way to educate the user.
Disable HTTP access to the domain, don’t even redirect or link it to SSL. Just inform the users this website is not accessible over HTTP and they have to access it over SSL.
This is the best practice against MITM and phising attacks. This way your users will be educated that application never accessible over HTTP and when they come across to a phising or MITM attack they will know something is wrong.
One of the best ways to protect your application against MITM attacks and phising attacks is educating your users.
Why should you use Force HTTPS on your website? Using HTTPS instead of HTTP means that communications between your browser and a website is encrypted via the use of an SSL (Secure Socket Layer). Even if your website doesn't handle sensitive data, it's a good idea to make sure your website loads securely over HTTPS.
If you're going to collect sensitive information or conduct transactions online, you should plan on changing from http to https on your website.
Summary. HTTP changes automatically to HTTPs because it is configured in this way. To be simple, modern Web Hosting companies automatically configure SSL and Redirect settings. This means, visitors are automatically redirected from HTTP to HTTPs.
Issues from redirecting HTTP to HTTP can be due to the following reasons: Incomplete transfer or change of domain website to HTTPS. Not updating the URLs. Using expired SSL certificates.
An HTTP request that includes a session ID cookie is subject to session hijacking attacks. It is important that if you do allow HTTP and redirect to HTTPS, that cookies are marked as secure.
I can't see any technical reason why HTTP needs to be completely blocked either, and many sites do forward HTTP to HTTPS. When doing this it is highly advisable to implement HTTP Strict Transport Security (HSTS) which is a web security mechanism which declares that browsers are to only use HTTPS connections.
HSTS is implemented by specifying a response header such as Strict-Transport-Security: max-age=31536000
. Complying user agents will automatically turn insecure links into secure links, thereby reducing the risk of man-in-the-middle attacks. Additionally, if there is a risk that the certificate isn't secure, e.g. the root authority isn't recognised, then an error message is displayed and the response is not shown.
Going from HTTP to HTTPS is actually a not-so-good idea. For example, an attacker could do a man-in-the-middle attack using a tool like ssl strip. To address this problem, you should use the HSTS protocol. It's supported by all major browsers (Internet Explorer, which is the latest adopter, is supporting it starting from IE12), and in use by many of the top sites (e.g., Paypal, Google).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With