Securing webcal subscriptions with https

I publish webcal URLs which allow users of my web app to subscribe to various calendars. It's my understanding that applications which recognise webcal URLs will default to http, but I'd like to secure the file transfers with https. The following apache rewrite rule works, but is this an appropriate solution?

RewriteEngine On
# Only fire when the request did not arrive over TLS
RewriteCond %{HTTPS} !=on
# Redirect every path to the same path on https://; [R] is a 302 unless a code is given
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

Yes, everything at this domain should be served over https. I'm aware that I could substitute webcal with https, but then I'd lose the benefit of the webcal URI scheme (i.e. simple subscription). I have seen some mention of webcals on the web, but there's little information and Apple's iCal doesn't like it.

I plan to use basic authentication with these calendars. Is there an issue with making a request over http first and then redirecting to https?

Jez Hailwood asked Nov 04 '10 10:11


1 Answer

Yes, there can be a problem: the initial request is going to be sent over HTTP, including headers and so on.

It's not necessarily a problem if the initial request doesn't include the credentials and then the response to the HTTP Basic authentication challenge is only sent in the second request, which would be to the HTTPS URL. However, there is a chance that some clients may use pre-emptive authentication, in which case the credentials would be sent (effectively in clear) in the first, plain-HTTP request.

As I was saying in this answer, redirecting from HTTP to HTTPS doesn't always provide as much security as one would like.

(Regarding webcal:// URLs, I think some clients support the webcals:// scheme for the HTTPS equivalent.)

Bruno answered Sep 28 '22 10:09
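The difference between a challenge-response client and a pre-emptive one, as described in the answer above, can be observed directly. The following added example (not code from the question or the answer) stands in for the asker's rewrite rule with a tiny plain-HTTP server that answers every request with a 302 to https:// and records whether that first, unencrypted request already carried an Authorization header. Both client behaviours are simulated; the path /calendars/team.ics and the credentials alice/s3cret are constructed for the demo.

```python
import base64
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the demo only.
USER, PASSWORD = "alice", "s3cret"


class RedirectingHandler(BaseHTTPRequestHandler):
    """Plain-HTTP side of a site whose rewrite rule bounces every request to
    HTTPS. It records the Authorization header (if any) of each request it
    sees, which is exactly what an on-path observer of the cleartext would see."""

    seen_auth_headers = []

    def do_GET(self):
        self.seen_auth_headers.append(self.headers.get("Authorization"))
        # Mirrors "RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]"
        # ([R] without a code is a 302).
        self.send_response(302)
        self.send_header("Location", "https://" + self.headers["Host"] + self.path)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_plain_http_server():
    """Bind to a free local port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), RedirectingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_calendar(port, preemptive):
    """Client side of the first request. A challenge-response client sends no
    credentials until it has seen a 401; a pre-emptive client attaches
    Authorization to the very first request, before any redirect or challenge."""
    headers = {}
    if preemptive:
        token = base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/calendars/team.ics", headers=headers)
    resp = conn.getresponse()
    status, location = resp.status, resp.getheader("Location")
    conn.close()
    return status, location


def decode_basic(header):
    """Basic auth is only base64, not encryption: anyone who sees the header
    on the wire recovers the (user, password) pair."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def first_request_leaks_credentials(preemptive):
    """Run one simulated subscription attempt and report whether the plaintext
    request that hit the HTTP->HTTPS redirect already contained credentials."""
    server = start_plain_http_server()
    RedirectingHandler.seen_auth_headers.clear()
    try:
        status, location = fetch_calendar(server.server_address[1], preemptive)
        if status != 302 or not location.startswith("https://"):
            raise RuntimeError("redirect to https did not happen as expected")
        return RedirectingHandler.seen_auth_headers[0] is not None
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("challenge-response client leaks on first request:",
          first_request_leaks_credentials(preemptive=False))
    print("pre-emptive client leaks on first request:",
          first_request_leaks_credentials(preemptive=True))
```

The redirect itself works in both cases, which is why the rewrite rule looks fine in a browser; the exposure only shows up with the pre-emptive client, whose credentials cross the network before the 302 ever arrives. The defensive consequence is the one the answer hints at: do not rely on the redirect to protect credentials, and prefer handing out a URL the client will fetch over TLS from the first request (webcals:// where the client supports it, or an https:// URL).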