
HTTPS redirect test does not fail when redirecting from HTTPS to HTTP on other domain #1521

Open
WKobes opened this issue Oct 9, 2024 · 3 comments

Comments

@WKobes
Contributor

WKobes commented Oct 9, 2024

The HTTPS redirect test explanation gives two examples for valid redirection:

However, this test succeeds (on both apex and www subdomain) also when having a redirect scheme as follows:

This test should fail on the apex domain (www. domain is fine in this case), since it is downgrading from https to http.

The example is redirection to a www subdomain, but of course it should fail in any downgrade redirection, eg:

@WKobes
Contributor Author

WKobes commented Oct 9, 2024

This behaviour was added per #555

This is partly intended when reading the test explanation:

Note that this subtest only tests if the given domain correctly redirects from HTTP to HTTPS. An eventual further redirect to a different domain (including a subdomain of the tested domain) is not tested. You could start a separate test to test such a domain that is being redirected to.

However, in the case of http > https > http > https both tests will in fact succeed and thus this redirection scheme will not be noticed by using internet.nl. Yet, this redirection scheme is less secure than http > https > https.

I would propose we actually do look at the (one) further redirect, but limit ourselves to whether the redirect is done towards https as well. Everything else should be tested in the test of the destination domain itself (+1 for issue #270)

@bwbroersma
Collaborator

The reasoning in the http->https same domain upgrade is HSTS. So actually your example:

http://example.nl/ => https://example.nl/ => http://www.example.nl/ => https://www.example.nl/

is not a problem in terms of setting the HSTS, since this is only done on HTTPS connections and should happen for all subdomains. Of course it is better to not have this hop, since it could be used for MITM and because of performance reasons.

However if you would create a table:

| Redirects when visiting apex | no HSTS cache | only HSTS cache www | only HSTS cache apex* | both in HSTS cache |
|---|---|---|---|---|
| http apex => https apex => http www => https www | 🕵️ | 🕵️ | 🕵️ | 🕵️ |
| http apex => https apex => https www | 🕵️ | 🕵️ | | |

🕵️ = MITM opportunity with stripssl
✅ = no MITM option
* = this case is very unlikely, because of the redirects

So in effective security there is probably a near-to-zero difference.

@bwbroersma
Collaborator

bwbroersma commented Oct 14, 2024

After an offline discussion I agree with @WKobes: Internet.nl could look at the outgoing redirect schema of the (last) same-domain headers. Although it won't effectively do something, it is a bad practice to redirect to insecure schemas.
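The check proposed above (follow the same-domain hops, then only look at whether the one hop that leaves the tested domain is still https), written out as an added illustration; this is not internet.nl code, and the redirect map, domains and function names are constructed for the example:

```python
from urllib.parse import urlsplit

# Constructed stand-in for live HTTP responses: URL -> value of its Location
# header (None = final non-redirect response). Runs offline.
REDIRECTS = {
    "http://example.nl/": "https://example.nl/",
    "https://example.nl/": "http://www.example.nl/",   # the downgrade hop from the issue
    "http://www.example.nl/": "https://www.example.nl/",
    "https://www.example.nl/": None,
    "http://good.example/": "https://good.example/",
    "https://good.example/": "https://www.good.example/",  # off-domain hop stays https
    "https://www.good.example/": None,
}


def follow_chain(start, redirects, max_hops=10):
    """Return the list of URLs visited from `start` until a non-redirect."""
    chain = [start]
    while len(chain) <= max_hops:
        nxt = redirects.get(chain[-1])
        if nxt is None:
            return chain
        chain.append(nxt)
    raise RuntimeError("redirect loop or too many hops")


def check_https_redirect(domain, redirects):
    """Existing rule: the hops on the tested domain must reach https.
    Proposed rule: the first hop that leaves the tested domain must not
    downgrade to http. The test passes only if both hold."""
    chain = follow_chain(f"http://{domain}/", redirects)
    parts = [urlsplit(u) for u in chain]
    # Split the chain into the same-domain prefix and the first foreign hop.
    leave = next((i for i, p in enumerate(parts) if p.hostname != domain), None)
    on_domain = parts if leave is None else parts[:leave]
    upgraded = any(p.scheme == "https" for p in on_domain)
    downgrade = leave is not None and parts[leave].scheme != "https"
    return {
        "chain": chain,
        "upgraded": upgraded,
        "downgrade_to_other_domain": downgrade,
        "passed": upgraded and not downgrade,
    }
```

With this map, `example.nl` fails (its last same-domain hop points at `http://www.example.nl/`), while `www.example.nl` and `good.example` pass.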
