将 http 重定向到 https 是个坏主意吗? [英] Is redirecting http to https a bad idea?
问题描述
我正在阅读这个页面说如果站点是 SSL 并且用户尝试通过常规 http 访问它,则应用程序不应将用户重定向到 https.它应该只是阻止他.有人可以验证这个的有效性吗?这听起来不是一个好主意,我想知道将用户转发到 https 的真正风险是什么.看起来背后没有技术原因,只是它是一种教育用户的好方法.
I'm reading over this page and it says that if a site is SSL and the user tries to access it via regular http, the application should not redirect the user to https. It should just block him. Can someone verify the validity of this? It doesn't sound like a good idea, and I wonder what the real risk is of just forwarding the user to https. It seems that there is no technical reasons behind it, just that it's a good way to educate the user.
禁用对域的 HTTP 访问,甚至不要将其重定向或链接到 SSL.只要通知用户这个网站是无法通过 HTTP 访问,他们有通过 SSL 访问它.
Disable HTTP access to the domain, don’t even redirect or link it to SSL. Just inform the users this website is not accessible over HTTP and they have to access it over SSL.
这是对抗MITM的最佳实践和网络钓鱼攻击.这样你的用户将被告知应用程序永远无法通过 HTTP 访问当他们遇到网络钓鱼时或 MITM 攻击他们会知道出了点问题.
This is the best practice against MITM and phising attacks. This way your users will be educated that application never accessible over HTTP and when they come across to a phising or MITM attack they will know something is wrong.
保护您的最佳方式之一应用程序对抗 MITM 攻击和网络钓鱼攻击正在教育您用户.
One of the best ways to protect your application against MITM attacks and phising attacks is educating your users.
推荐答案
包含会话 ID cookie 的 HTTP 请求会受到会话劫持攻击.重要的是,如果您确实允许 HTTP 并重定向到 HTTPS,那么 cookie 将被标记为安全.
An HTTP request that includes a session ID cookie is subject to session hijacking attacks. It is important that if you do allow HTTP and redirect to HTTPS, that cookies are marked as secure.
我也看不出为什么需要完全阻止 HTTP 的任何技术原因,而且许多站点确实将 HTTP 转发到 HTTPS.执行此操作时,强烈建议实施 HTTP 严格传输安全 (HSTS),这是一种 Web 安全机制,它声明浏览器仅使用 HTTPS 连接.
I can't see any technical reason why HTTP needs to be completely blocked either, and many sites do forward HTTP to HTTPS. When doing this it is highly advisable to implement HTTP Strict Transport Security (HSTS) which is a web security mechanism which declares that browsers are to only use HTTPS connections.
HSTS 是通过指定响应头来实现的,例如 Strict-Transport-Security: max-age=31536000.合规的用户代理会自动将不安全的链接变成安全的链接,从而降低中间人攻击的风险.此外,如果存在证书不安全的风险,例如无法识别 root 权限,然后显示错误消息且不显示响应.
HSTS is implemented by specifying a response header such as Strict-Transport-Security: max-age=31536000. Complying user agents will automatically turn insecure links into secure links, thereby reducing the risk of man-in-the-middle attacks. Additionally, if there is a risk that the certificate isn't secure, e.g. the root authority isn't recognised, then an error message is displayed and the response is not shown.
这篇关于将 http 重定向到 https 是个坏主意吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
