[Owasp-leaders] HTTP to HTTPS redirects

Michael Coates michael.coates at owasp.org
Sun Oct 23 20:19:21 EDT 2011

Sure thing.

The basic reasoning is as follows
- All items on the TLS cheat sheet, except for the redirect rule, are items that provide a direct increase to user security
- The TLS cheat sheet is gaining traction and finding its way into standards and recommendation guidelines
- The redirect rule, while a valid piece of information, does not actually increase user security. It simply provides security education to the user that could help the user in future situations. (and that security education would be delivered over the untrusted HTTP too)
- The redirect rule has a very high user experience cost (e.g. prompting a user with a warning message and completely interrupting the flow to the application)

In the end, the redirect rule is not a realistic change that would be implemented by many (any?) companies due to its high user experience cost and non-existent security enhancements (aside from the attempt at user education).  So, since the rest of the TLS cheat sheet iteams are all high value recommendations that can, and should, be implemented by an application to achieve a direct security gain for users, it was decided to remove the redirect rule.  

The redirect rule data is still listed in the cheat sheet. One, to provide historical reference for those wondering "What happened to this rule" and, two, to continue raising awareness about this potential attack point in a TLS connection.

Final Note: HTTP Strict Transport Security will eliminate this weakness after a user successfully visits a HSTS enabled domain over HTTPS. I encourage people to read about HSTS and keep their eyes out for a soon to be released video on the topic.

Michael Coates

On Oct 23, 2011, at 7:07 AM, Jim Manico wrote:

> Michael,
> Troy Hunt and others noticed that you removed the recommendation to
> avoid HTTP to HTTPS redirects, a long standing AppSec recommendation.
> https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_REMOVED_-_Do_Not_Perform_Redirects_from_Non-TLS_Page_to_TLS_Login_Page
> As a chance to geek-out on leaders, may I/we ask why in a bit more depth?
> I'm on the edge about this myself, but I think I understand your reasoning...
> --
> Jim Manico
> (808) 652-3805
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

More information about the OWASP-Leaders mailing list