1

Yes, yet another question on HTTP to HTTPS redirection. But this one talks about a quite quirky situation.

This is a follow-up question on Security of an initial redirection from http://example.com to https://example.com and Link from a Http page to a Https page - is it a security issue? After reading both I got worried about a small hack that I use, trying to prevent:

  1. The issues outlined in the first question.
  2. Giving away the URLs the user access.

My original purpose with this hack was that a URL of the form http://example.org/article/<hash>/some-country-does-something-bad/ returning

HTTP/1.1 301 Moved Permanently
Location: https://example.org/article/<hash>/some-country-does-something-bad/

gives away the information that this article actually exists on the site.

Instead I return this (more-or-less, with all the bloat removed):

HTTP/1.1 404 Not Found

<!DOCTYPE html>
<html>
<head></head>
<body>
    Please visit the page securely at
    <a href="https://example.org">https://example.org</a>.
</body>
</html>

But now I'm vulnerable to SSLstrip. Bummer.

Notes:

  • I perform this because the majority of the page is available through HTTP, but some sensitive content isn't.
  • I cannot switch the page completely to HTTPS because the advertisers (the font of income, so it is quite important) do not support TLS.
  • I do not use HSTS.
  • I never ever set any cookies in HTTP, and all cookies are marked secure.
  • The <hash> is actually the SHA-1 of the content of the article; unless you have a link, you simply cannot scan random URLs.
  • The users (well, most of them) are clever enough to understand that they need to change the URL by hand.

Question

Can I get rid of the SSLstrip issue? Or, maybe, there is a better way to perform this?

(Probably there is a better way, this thing is terribly hacky, but I could not think of a cleverer way to make it work)

grochmal
  • you could make a token that IDs the secure url, and use ajax to fetch that url given the token, over https. – dandavis Aug 28 '16 at 22:14
  • Why is "giving away the information that this article actually exists on the page" with a 301 a problem to you? Plus, your "solution" with the 404 and textual link still advertises the existence, just a little bit hidden from the protocol level. – Marcel Aug 29 '16 at 06:13
  • @Marcel - Well, I send that same 404 for all possible pages. i.e. whether that article exists or not. Then again, now that I think about this, I guess the 301s happen 99% for existing pages only. – grochmal Aug 29 '16 at 17:17

1 Answer

4

If you need to protect against a MITM then full-on https+HSTS is the only way, no working around that.

Regarding the 301 redirection giving away that the article exists, that's not really true. The redirection can (and usually does) happen before additional actions are taken on the request. If the article doesn't exist you can send the 404 reply after the redirection.

GnP
  • Good point, I was thinking about the fact that giving a 301/302 followed by a 404 may make sense. But someone monitoring the traffic would not see the 404 (or 200), since it comes through a TLS channel. Then again, random 301s to completely inexistent pages could also happen. I wonder, how often a 301/302 may hit a non-existent page? – grochmal Aug 28 '16 at 23:43
  • @grochmal as many random requests for non existent pages as you get over http on paths that need to be redirected. – GnP Aug 28 '16 at 23:57
  • Eyup, now that I think of it that way, digging up page existence from 301s may be a fool's errand (i.e. had I been trying to guess page existence I would not try that vector). In the end I'll need to push for HSTS but for the time being making a direct 301 seems better. Thanks. – grochmal Aug 29 '16 at 17:20
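The scheme the answer describes (redirect every plaintext request before any lookup, then answer 200 or 404 only over TLS), as an added example that is not code from the thread. It models the questioner's existence-dependent redirect beside the unconditional one and includes a check for whether a plaintext observer can tell an existing path from a missing one; the host example.org, the sample article body and the handler names are constructed.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed content store: path -> article body. As in the question, the
# path hash is the SHA-1 of the article content.
def article_path(body: bytes, slug: str) -> str:
    return f"/article/{hashlib.sha1(body).hexdigest()}/{slug}/"

ARTICLES: Dict[str, bytes] = {}
_body = b"constructed sample article body"
ARTICLES[article_path(_body, "some-country-does-something-bad")] = _body

Response = Tuple[int, Dict[str, str], bytes]

def leaky_http_handler(path: str) -> Response:
    """The pattern the questioner worried about: the plaintext server looks the
    article up and redirects only if it exists. The status code in the clear then
    acts as an existence oracle for anyone watching the HTTP traffic."""
    if path in ARTICLES:
        return 301, {"Location": "https://example.org" + path}, b""
    return 404, {"Content-Type": "text/plain"}, b"Not Found"

def http_handler(path: str) -> Response:
    """The answer's approach: redirect before any lookup. Status and header set
    are identical for every path, so the 301 reveals nothing about existence."""
    return 301, {"Location": "https://example.org" + path}, b""

def https_handler(path: str) -> Response:
    """Over TLS the lookup happens and the 200/404 travels inside the encrypted
    channel. HSTS is set here because, per the answer, HTTPS plus HSTS is the
    only real defence against an sslstrip-style downgrade."""
    headers = {"Strict-Transport-Security": "max-age=31536000",
               "Content-Type": "text/html"}
    body = ARTICLES.get(path)
    if body is None:
        return 404, headers, b"Not Found"
    return 200, headers, body

def plaintext_oracle(handler: Callable[[str], Response],
                     existing: str, missing: str) -> bool:
    """True if the plaintext responses for an existing and a missing path differ
    in status or header names, i.e. a passive observer learns which paths exist."""
    e_status, e_headers, _ = handler(existing)
    m_status, m_headers, _ = handler(missing)
    return (e_status, set(e_headers)) != (m_status, set(m_headers))
```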