Why should I offer HTTP in addition to HTTPS?

  • I am setting up a new webserver. In addition to TLS/HTTPS, I'm considering implementing Strict-Transport-Security and other HTTPS-enforcement mechanisms.

    These all seem to be based on the assumption that I am serving http://www.example.com in addition to https://www.example.com. Why don't I just serve HTTPS only? That is, is there a security-based reason to serve HTTP -- for example, could someone spoof http://www.example.com if I don't set up HSTS?

    Non-browsers can have a lot more trouble fetching content, if that's a concern. Sites like craigslist thrive on mashups, for example. I don't see the harm in leaving some http sections open, for non-human "users"; they don't care about phishing, xss, or privacy, and you don't even need to serve HTML...

    @dandavis - is that really a problem? If Craigslist went to HTTPS only, wouldn't everyone just convert their fetch scripts over to HTTPS? Most HTTP client libraries include HTTPS support.

    How are people supposed to spread FUD about HTTPS being impractical if you run an HTTPS-only site without any problems? Think, man! And what about the poor hackers who want to attack grandmas who haven't heard of HTTPS-everywhere? It's like you're trying to promote a more secure web or something.

    @Johnny: not as much infra supports https as http, that's all. It will get better...

    @dandavis That's something that puzzles me... all major browsers should start trying https *before* http... this would solve a sh*tload of security problems...

  • Ronny (correct answer), 4 years ago

    Why don't I just serve https only?

    The main reasons are the default behavior of browsers and backward compatibility.

    Default behavior

    When an end-user (i.e., one without knowledge of protocols or security) types the website address in their browser, the browser uses HTTP by default. See this question for more information about why browsers are choosing this behavior.

    Thus, it is likely that users will not be able to access your website.

    Backward compatibility

    It is possible that some users with old systems and old browsers do not support HTTPS or, more likely, do not have an up-to-date database of root certificates, or do not support some protocols.

    In that case, they either will not be able to access the website or will have a security warning. You need to define whether the security of your end-users is important enough to force HTTPS.

    Many websites still listen on HTTP but automatically redirect to HTTPS and ignore users with really old browsers.

    could someone spoof http://www.example.com if I don't set up HSTS?

    If an attacker wants to spoof http://www.example.com, they need to take control of the domain or take control of the IP address in some way.

    I assume you meant: could an attacker perform a man-in-the-middle attack?

    In that case yes, with or without HSTS:

    • Without HSTS: An attacker can easily sit between your server and the user, and be active (i.e., modify the content) or passive (i.e., eavesdrop).

    • With HSTS: The first time a user tries to visit the site using HTTP, an attacker could force the user to use HTTP. However, the attacker has a limited time window in which it can perform its attack.

    What should you do?

    Like many websites, you should allow HTTP connections and make your server redirect the user to the HTTPS version. This way you override the default behavior of browsers and ensure your users use the HTTPS version.

    Old systems without the proper protocols or root certificates will not be able to access the site (or at least will have a warning), but depending on your user base this should not be an issue.

    Conclusion

    It will do more harm than good to disable HTTP. It does not really provide more security.

    Any security added to protect a resource is useless if it prevents most of its users from accessing it. If your end-users cannot access your website because their browser defaults to HTTP and you do not listen for HTTP connections, what is the benefit?

    Just perform the HTTP 301 redirection to the HTTPS version.

    I was referring to the bold "With HSTS" bullet, where the wording suggests that there's less security if the server serves a redirect from HTTP to HTTPS.

    @BenVoigt Oh ok I see. I removed the "If you serve HTTP" to avoid a misunderstanding. Thanks

    In addition, some users might not be able to access `https` sites. For instance, China has previously been blocking all https traffic to Wikimedia projects.

    Just a correction for the choice of word: The user does not enter a "URL", but a "web address". (There is no such thing as a default scheme/protocol.)

    @OskarSkog I changed to "website address", thanks.

    Note that for "With HSTS", preloaded HSTS actually will protect even first-time visitors to your site from MITM attacks.
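The accepted answer's recommendation (listen on HTTP, answer with a 301 to the HTTPS version, and set Strict-Transport-Security only on HTTPS responses) as a runnable WSGI example. This is added example code, not code from the question, the answer, or any project; the host name `www.example.com`, the function names, and the constructed request environments in the test are assumptions. It preserves path and query across the redirect so deep links survive the upgrade, strips an explicit `:80` from the Host header, and deliberately omits the HSTS header from plain-HTTP responses, where browsers ignore it anyway.

```python
from urllib.parse import urlunsplit
from wsgiref.simple_server import make_server  # stdlib; only used when run stand-alone

# Hypothetical canonical host, used when a request carries no Host header.
CANONICAL_HOST = "www.example.com"


def redirect_target(host: str, path: str, query: str) -> str:
    """Build the https:// URL that a plain-HTTP request is redirected to.

    An explicit ':80' (or any port) in the Host header is dropped, and the
    original path and query string are kept so the user lands on the same page.
    """
    hostname = host.split(":", 1)[0] if host else CANONICAL_HOST
    return urlunsplit(("https", hostname, path or "/", query, ""))


def hsts_header(max_age: int = 31536000, include_subdomains: bool = True,
                preload: bool = False) -> str:
    """Compose the Strict-Transport-Security value for HTTPS responses.

    max_age is in seconds (one year here); 'preload' is only meaningful once the
    domain has been submitted to the browser preload list.
    """
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def app(environ, start_response):
    """WSGI app: 301 every plain-HTTP request to HTTPS; serve content with HSTS over HTTPS."""
    scheme = environ.get("wsgi.url_scheme", "http")
    host = environ.get("HTTP_HOST", "")
    path = environ.get("PATH_INFO", "/")
    query = environ.get("QUERY_STRING", "")

    if scheme != "https":
        # Plain HTTP: do not serve content, just point the client at the TLS version.
        location = redirect_target(host, path, query)
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]

    body = b"hello over TLS\n"
    headers = [
        ("Content-Type", "text/plain"),
        ("Content-Length", str(len(body))),
        # HSTS is honoured by browsers only when received over HTTPS.
        ("Strict-Transport-Security", hsts_header()),
    ]
    start_response("200 OK", headers)
    return [body]


def handle(environ) -> tuple:
    """Run the app against a WSGI environ dict and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Stand-alone: serve the redirecting app on plain HTTP port 8080 (constructed setup;
    # in production the HTTPS side sits behind a TLS-terminating server).
    make_server("", 8080, app).serve_forever()
```

In a real deployment the HTTPS listener is normally a TLS-terminating front end (nginx, Apache, a load balancer) that sets `wsgi.url_scheme` for the app; the logic above is the same whichever server issues the redirect. Note the symmetry with the answer's "With HSTS" bullet: the 301 covers the very first plain-HTTP visit, and the HSTS header on the HTTPS response closes the window for every later one.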

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM