Tuesday, January 13, 2015

security - Are redirected GET requests to HTTPS secure?

This affects a lot of thank-you pages from 3rd party carts, etc. Are GET requests to HTTP that are redirected to HTTPS secure? Or, can they be snooped before the redirect takes place?

Thank you


Answer



As secure as going directly to HTTPS from HTTPS? No.

More secure than not redirecting? Yes.

The attack vector when redirecting from HTTP to HTTPS is that a MITM could modify the redirect to redirect the user to a non-HTTPS version instead (a.k.a. SSL stripping or an HTTPS downgrade attack). Navigating directly to HTTPS (or being taken there from an HTTPS page) would prevent this entirely, but redirecting the user from a non-HTTPS page still has the following security benefits:

  • The user is vulnerable for a much shorter window, possibly only a single request
  • Users can still manually verify that HTTPS is being used and identify when redirection hasn't taken place

HSTS attempts to address this, but it's still vulnerable if the very first request containing the Strict-Transport-Security header takes place over plain HTTP.
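As an added example that is not part of the original answer, the check below classifies a captured HTTP/1.x response for the two properties the answer discusses: whether a plain-HTTP response redirects to HTTPS, and whether a Strict-Transport-Security header is actually usable (browsers ignore it when it arrives over plain HTTP, per RFC 6797 section 8.1, so the first plain request is protected by nothing but the redirect). The sample responses and the host shop.example are constructed for illustration.

```python
# Added example, not code from the original post: classify a captured HTTP response.
REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status code, {lowercased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def parse_hsts(value: str) -> dict:
    """Parse 'max-age=31536000; includeSubDomains; preload' into {directive: value}."""
    out = {}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name:
            out[name.lower()] = val.strip().strip('"')
    return out

def assess(scheme: str, raw: str) -> dict:
    """scheme is what the client used to fetch this response: 'http' or 'https'."""
    status, h = parse_response(raw)
    notes = []
    redirects = status in REDIRECT_CODES and h.get("location", "").lower().startswith("https://")
    if scheme == "http" and not redirects:
        notes.append("plain-HTTP response with no redirect to HTTPS: readable on the wire")
    hsts, max_age = h.get("strict-transport-security"), None
    if hsts is not None:
        age = parse_hsts(hsts).get("max-age", "")
        max_age = int(age) if age.isdigit() else None
        if scheme != "https":
            notes.append("HSTS header sent over plain HTTP is ignored by browsers (RFC 6797 s.8.1)")
        elif max_age is None:
            notes.append("HSTS header has no valid max-age and will be ignored")
    hsts_effective = scheme == "https" and max_age is not None and max_age > 0
    if redirects and not hsts_effective:
        notes.append("only the redirect protects this hop; the first plain-HTTP request can be downgraded")
    return {"redirects_to_https": redirects, "hsts_effective": hsts_effective,
            "hsts_max_age": max_age, "notes": notes}

# Constructed sample responses; shop.example is a placeholder host, not a real site.
PLAIN_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://shop.example/thanks\r\n\r\n"
HTTPS_WITH_HSTS = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; "
                   "includeSubDomains\r\n\r\n<html>thanks</html>")
HSTS_OVER_HTTP = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n<html>"
if __name__ == "__main__":
    for scheme, raw in [("http", PLAIN_REDIRECT), ("https", HTTPS_WITH_HSTS), ("http", HSTS_OVER_HTTP)]:
        print(scheme, assess(scheme, raw))
```

Run it against responses captured from your own site (one fetch over http://, one over https://) to see which hop is carrying the protection.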

