重定向http到https是一个坏主意? [英] Is redirecting http to https a bad idea?
问题描述
我正在阅读此页面及其如果站点是SSL并且用户尝试通过常规http访问它,则应用程序不应将用户重定向到https。它应该阻止他。有人可以验证这个的有效性吗?这听起来不是一个好主意,我想知道将用户转发到https的真正风险是什么。它似乎背后没有任何技术原因,只是它是一种教育用户的好方法。
I'm reading over this page and it says that if a site is SSL and the user tries to access it via regular http, the application should not redirect the user to https. It should just block him. Can someone verify the validity of this? It doesn't sound like a good idea, and I wonder what the real risk is of just forwarding the user to https. It seems that there is no technical reasons behind it, just that it's a good way to educate the user.
禁用对域的HTTP访问,
甚至不重定向或将其链接到SSL。
只是告知用户这个网站是
无法通过HTTP访问,他们有
通过SSL访问它。
Disable HTTP access to the domain, don’t even redirect or link it to SSL. Just inform the users this website is not accessible over HTTP and they have to access it over SSL.
这是针对MITM
和网络钓鱼攻击的最佳做法。通过这种方式你的
用户将接受教育,
应用程序永远无法通过HTTP
访问,当他们遇到一个p
或MITM攻击他们就会知道
出错了。
This is the best practice against MITM and phising attacks. This way your users will be educated that application never accessible over HTTP and when they come across to a phising or MITM attack they will know something is wrong.
保护您的
申请免受MITM攻击和
网络钓鱼攻击的最佳方法之一是教育您的
用户。
One of the best ways to protect your application against MITM attacks and phising attacks is educating your users.
推荐答案
包含会话ID cookie的HTTP请求受到会话劫持攻击。重要的是,如果您允许HTTP并重定向到HTTPS,那么cookie将被标记为安全。
An HTTP request that includes a session ID cookie is subject to session hijacking attacks. It is important that if you do allow HTTP and redirect to HTTPS, that cookies are marked as secure.
我看不出任何技术原因导致HTTP需要完全阻止了,许多网站都将HTTP转发到HTTPS。执行此操作时,强烈建议实施HTTP严格传输安全性(HSTS),这是一种Web安全机制,声明浏览器仅使用HTTPS连接。
I can't see any technical reason why HTTP needs to be completely blocked either, and many sites do forward HTTP to HTTPS. When doing this it is highly advisable to implement HTTP Strict Transport Security (HSTS) which is a web security mechanism which declares that browsers are to only use HTTPS connections.
HSTS是通过指定响应标头来实现的,例如 Strict-Transport-Security:max-age = 31536000 。遵守用户代理会自动将不安全链接转换为安全链接,从而降低中间人攻击的风险。另外,如果存在证书不安全的风险,例如如果无法识别根权限,则会显示错误消息并且不显示响应。
HSTS is implemented by specifying a response header such as Strict-Transport-Security: max-age=31536000. Complying user agents will automatically turn insecure links into secure links, thereby reducing the risk of man-in-the-middle attacks. Additionally, if there is a risk that the certificate isn't secure, e.g. the root authority isn't recognised, then an error message is displayed and the response is not shown.
这篇关于重定向http到https是一个坏主意?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
