A link redirect to http instead of https: how critical is it?How secure is HTTP / HTTPS over 3G?Javascript http to https redirect - how vulnerable/how secure?Actually, isn't it bad to redirect http to https?Why do browsers default to http: and not https: for typed in URLs?OAuth 2.0 client side redirect instead of HTTP redirectIs an HTTP 301 redirect to HTTPS, insecure?Bypassing HTTP to HTTPS cached 301 redirect to use SSLstripDoes HTTP redirect to HTTPS automatically?Does hosting an http->https redirect let http basic auth leak?Is it ok to send plain text credentials in a XHR GET request?

How to change two letters closest to a string and one letter immediately after a string using notepad++

How difficult is it to simply disable/disengage the MCAS on Boeing 737 Max 8 & 9 Aircraft?

Define, (actually define) the "stability" and "energy" of a compound

Science-fiction short story where space navy wanted hospital ships and settlers had guns mounted everywhere

What does さっさ mean?

How could a scammer know the apps on my phone / iTunes account?

AG Cluster db upgrade by vendor

Stiffness of a cantilever beam

A link redirect to http instead of https: how critical is it?

Can I use USB data pins as power source

What is the significance behind "40 days" that often appears in the Bible?

Are ETF trackers fundamentally better than individual stocks?

Do I need life insurance if I can cover my own funeral costs?

Is it possible to upcast ritual spells?

Is a party consisting of only a bard, a cleric, and a warlock functional long-term?

Could the Saturn V actually have launched astronauts around Venus?

Does Mathematica reuse previous computations?

Is having access to past exams cheating and, if yes, could it be proven just by a good grade?

Why did it take so long to abandon sail after steamships were demonstrated?

Gravity magic - How does it work?

Official degrees of earth’s rotation per day

Professor being mistaken for a grad student

Is it normal that my co-workers at a fitness company criticize my food choices?

It's a yearly task, alright



A link redirect to http instead of https: how critical is it?


How secure is HTTP / HTTPS over 3G?Javascript http to https redirect - how vulnerable/how secure?Actually, isn't it bad to redirect http to https?Why do browsers default to http: and not https: for typed in URLs?OAuth 2.0 client side redirect instead of HTTP redirectIs an HTTP 301 redirect to HTTPS, insecure?Bypassing HTTP to HTTPS cached 301 redirect to use SSLstripDoes HTTP redirect to HTTPS automatically?Does hosting an http->https redirect let http basic auth leak?Is it ok to send plain text credentials in a XHR GET request?













3















I just join a project, and while browsing the code, I realize that some links redirect to another web page, in HTTP instead of HTTPS.



The linked website has an https version, and there was no reason to not use it so I fix the issue.



However, the first website is on production, so we should avoid rebuilding the whole server for minor correction but rather wait to regroup several minor fixes.



I'm just wondering if this is a minor fix, or if leading users to an HTTP website is a major problem.



The linked website is a showcase website belonging to the company I work for, and there is no interaction such as logging into an account, so I guess while man in the middle attack is still possible, there is no sensible content/data to steal. Besides that, the link is in the footer of the first website, and the website itself doesn't have major traffic, so the number of people clicking it shouldn't be that high



How critical is it? Can such issue wait several days, or should it be fixed as soon as possible?










share|improve this question






















  • I don't think this is answerable in the general case, but in your specific case it doesn't seem remotely important. Between the low user volume and the lack of sensitive data, a MITM attack hardly seems likely or useful. I can't see any reason to rush a fix out, outside of whatever regular deployment cadence the company uses.

    – meagar
    4 hours ago












  • Incidentally, I think the more useful fix is to have the destination website stop allowing HTTP connections. It should redirect HTTP connections to HTTPS.

    – meagar
    4 hours ago











  • @meagar Not allowing HTTP connections is generally a usability concern, and it doesn't actually do anything to prevent MitM anyway (at least for active MitM).

    – AndrolGenhald
    1 hour ago











  • @AndrolGenhald What is the usability concern? The majority of the Internet is moving in this direction.

    – meagar
    1 hour ago











  • @meagar Most people still type google.com rather than https://google.com. Redirecting from HTTP to HTTPS is going to be the recommended behavior for a good while yet (reading your comment again I see you actually mention redirecting, but redirecting and disabling HTTP are two very different things, you have to establish an HTTP connection before the redirection is possible).

    – AndrolGenhald
    1 hour ago
















3















I just join a project, and while browsing the code, I realize that some links redirect to another web page, in HTTP instead of HTTPS.



The linked website has an https version, and there was no reason to not use it so I fix the issue.



However, the first website is on production, so we should avoid rebuilding the whole server for minor correction but rather wait to regroup several minor fixes.



I'm just wondering if this is a minor fix, or if leading users to an HTTP website is a major problem.



The linked website is a showcase website belonging to the company I work for, and there is no interaction such as logging into an account, so I guess while man in the middle attack is still possible, there is no sensible content/data to steal. Besides that, the link is in the footer of the first website, and the website itself doesn't have major traffic, so the number of people clicking it shouldn't be that high



How critical is it? Can such issue wait several days, or should it be fixed as soon as possible?










share|improve this question






















  • I don't think this is answerable in the general case, but in your specific case it doesn't seem remotely important. Between the low user volume and the lack of sensitive data, a MITM attack hardly seems likely or useful. I can't see any reason to rush a fix out, outside of whatever regular deployment cadence the company uses.

    – meagar
    4 hours ago












  • Incidentally, I think the more useful fix is to have the destination website stop allowing HTTP connections. It should redirect HTTP connections to HTTPS.

    – meagar
    4 hours ago











  • @meagar Not allowing HTTP connections is generally a usability concern, and it doesn't actually do anything to prevent MitM anyway (at least for active MitM).

    – AndrolGenhald
    1 hour ago











  • @AndrolGenhald What is the usability concern? The majority of the Internet is moving in this direction.

    – meagar
    1 hour ago











  • @meagar Most people still type google.com rather than https://google.com. Redirecting from HTTP to HTTPS is going to be the recommended behavior for a good while yet (reading your comment again I see you actually mention redirecting, but redirecting and disabling HTTP are two very different things, you have to establish an HTTP connection before the redirection is possible).

    – AndrolGenhald
    1 hour ago














3












3








3








I just join a project, and while browsing the code, I realize that some links redirect to another web page, in HTTP instead of HTTPS.



The linked website has an https version, and there was no reason to not use it so I fix the issue.



However, the first website is on production, so we should avoid rebuilding the whole server for minor correction but rather wait to regroup several minor fixes.



I'm just wondering if this is a minor fix, or if leading users to an HTTP website is a major problem.



The linked website is a showcase website belonging to the company I work for, and there is no interaction such as logging into an account, so I guess while man in the middle attack is still possible, there is no sensible content/data to steal. Besides that, the link is in the footer of the first website, and the website itself doesn't have major traffic, so the number of people clicking it shouldn't be that high



How critical is it? Can such issue wait several days, or should it be fixed as soon as possible?










share|improve this question














I just join a project, and while browsing the code, I realize that some links redirect to another web page, in HTTP instead of HTTPS.



The linked website has an https version, and there was no reason to not use it so I fix the issue.



However, the first website is on production, so we should avoid rebuilding the whole server for minor correction but rather wait to regroup several minor fixes.



I'm just wondering if this is a minor fix, or if leading users to an HTTP website is a major problem.



The linked website is a showcase website belonging to the company I work for, and there is no interaction such as logging into an account, so I guess while man in the middle attack is still possible, there is no sensible content/data to steal. Besides that, the link is in the footer of the first website, and the website itself doesn't have major traffic, so the number of people clicking it shouldn't be that high



How critical is it? Can such issue wait several days, or should it be fixed as soon as possible?







tls http






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 4 hours ago









KepotxKepotx

5071312




5071312












  • I don't think this is answerable in the general case, but in your specific case it doesn't seem remotely important. Between the low user volume and the lack of sensitive data, a MITM attack hardly seems likely or useful. I can't see any reason to rush a fix out, outside of whatever regular deployment cadence the company uses.

    – meagar
    4 hours ago












  • Incidentally, I think the more useful fix is to have the destination website stop allowing HTTP connections. It should redirect HTTP connections to HTTPS.

    – meagar
    4 hours ago











  • @meagar Not allowing HTTP connections is generally a usability concern, and it doesn't actually do anything to prevent MitM anyway (at least for active MitM).

    – AndrolGenhald
    1 hour ago











  • @AndrolGenhald What is the usability concern? The majority of the Internet is moving in this direction.

    – meagar
    1 hour ago











  • @meagar Most people still type google.com rather than https://google.com. Redirecting from HTTP to HTTPS is going to be the recommended behavior for a good while yet (reading your comment again I see you actually mention redirecting, but redirecting and disabling HTTP are two very different things, you have to establish an HTTP connection before the redirection is possible).

    – AndrolGenhald
    1 hour ago


















  • I don't think this is answerable in the general case, but in your specific case it doesn't seem remotely important. Between the low user volume and the lack of sensitive data, a MITM attack hardly seems likely or useful. I can't see any reason to rush a fix out, outside of whatever regular deployment cadence the company uses.

    – meagar
    4 hours ago












  • Incidentally, I think the more useful fix is to have the destination website stop allowing HTTP connections. It should redirect HTTP connections to HTTPS.

    – meagar
    4 hours ago











  • @meagar Not allowing HTTP connections is generally a usability concern, and it doesn't actually do anything to prevent MitM anyway (at least for active MitM).

    – AndrolGenhald
    1 hour ago











  • @AndrolGenhald What is the usability concern? The majority of the Internet is moving in this direction.

    – meagar
    1 hour ago











  • @meagar Most people still type google.com rather than https://google.com. Redirecting from HTTP to HTTPS is going to be the recommended behavior for a good while yet (reading your comment again I see you actually mention redirecting, but redirecting and disabling HTTP are two very different things, you have to establish an HTTP connection before the redirection is possible).

    – AndrolGenhald
    1 hour ago

















I don't think this is answerable in the general case, but in your specific case it doesn't seem remotely important. Between the low user volume and the lack of sensitive data, a MITM attack hardly seems likely or useful. I can't see any reason to rush a fix out, outside of whatever regular deployment cadence the company uses.

– meagar
4 hours ago






I don't think this is answerable in the general case, but in your specific case it doesn't seem remotely important. Between the low user volume and the lack of sensitive data, a MITM attack hardly seems likely or useful. I can't see any reason to rush a fix out, outside of whatever regular deployment cadence the company uses.

– meagar
4 hours ago














Incidentally, I think the more useful fix is to have the destination website stop allowing HTTP connections. It should redirect HTTP connections to HTTPS.

– meagar
4 hours ago





Incidentally, I think the more useful fix is to have the destination website stop allowing HTTP connections. It should redirect HTTP connections to HTTPS.

– meagar
4 hours ago













@meagar Not allowing HTTP connections is generally a usability concern, and it doesn't actually do anything to prevent MitM anyway (at least for active MitM).

– AndrolGenhald
1 hour ago





@meagar Not allowing HTTP connections is generally a usability concern, and it doesn't actually do anything to prevent MitM anyway (at least for active MitM).

– AndrolGenhald
1 hour ago













@AndrolGenhald What is the usability concern? The majority of the Internet is moving in this direction.

– meagar
1 hour ago





@AndrolGenhald What is the usability concern? The majority of the Internet is moving in this direction.

– meagar
1 hour ago













@meagar Most people still type google.com rather than https://google.com. Redirecting from HTTP to HTTPS is going to be the recommended behavior for a good while yet (reading your comment again I see you actually mention redirecting, but redirecting and disabling HTTP are two very different things, you have to establish an HTTP connection before the redirection is possible).

– AndrolGenhald
1 hour ago






@meagar Most people still type google.com rather than https://google.com. Redirecting from HTTP to HTTPS is going to be the recommended behavior for a good while yet (reading your comment again I see you actually mention redirecting, but redirecting and disabling HTTP are two very different things, you have to establish an HTTP connection before the redirection is possible).

– AndrolGenhald
1 hour ago











2 Answers
2






active

oldest

votes


















2














If your website is purely static and doesn't contain any login or sensitive data, then the risk on a technical level is likely low, and may not warrant an out of cycle fix.



On the other hand there's a risk to reputation. If your business relies on a reputation of being "secure" then it may look bad to potential customers/clients that you aren't following best practices (https everywhere).






share|improve this answer






























    2














    In general, the risk is low, as other answers here indicate. However, there is a scenario where risk is introduced:



    • You have session tokens being passed as cookie data

    • The cookies are scoped in such a way that the other (non-https) site has access to them

    • The cookies do not have the secure flag set

    In the case that all of those are present, the session tokens may be intercepted via man-in-the-middle (MiTM) attack; since the browser will send them to the other site automatically, and they will be sent in plain text rather than over the encrypted HTTPS stream.



    That's a fairly specific set of criteria, and MiTM attack is semi-tough to pull off, so how much real risk this presents should be decided based on 1) whether your site has all 3 of those criteria present, and 2) how sensitive the information in your application is.






    share|improve this answer








    New contributor




    Jason Ross is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.



















      Your Answer








      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "162"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader:
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      ,
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );













      draft saved

      draft discarded


















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205446%2fa-link-redirect-to-http-instead-of-https-how-critical-is-it%23new-answer', 'question_page');

      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      2














      If your website is purely static and doesn't contain any login or sensitive data, then the risk on a technical level is likely low, and may not warrant an out of cycle fix.



      On the other hand there's a risk to reputation. If your business relies on a reputation of being "secure" then it may look bad to potential customers/clients that you aren't following best practices (https everywhere).






      share|improve this answer



























        2














        If your website is purely static and doesn't contain any login or sensitive data, then the risk on a technical level is likely low, and may not warrant an out of cycle fix.



        On the other hand there's a risk to reputation. If your business relies on a reputation of being "secure" then it may look bad to potential customers/clients that you aren't following best practices (https everywhere).






        share|improve this answer

























          2












          2








          2







          If your website is purely static and doesn't contain any login or sensitive data, then the risk on a technical level is likely low, and may not warrant an out of cycle fix.



          On the other hand there's a risk to reputation. If your business relies on a reputation of being "secure" then it may look bad to potential customers/clients that you aren't following best practices (https everywhere).






          share|improve this answer













          If your website is purely static and doesn't contain any login or sensitive data, then the risk on a technical level is likely low, and may not warrant an out of cycle fix.



          On the other hand there's a risk to reputation. If your business relies on a reputation of being "secure" then it may look bad to potential customers/clients that you aren't following best practices (https everywhere).







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 2 hours ago









          DaisetsuDaisetsu

          4,12711021




          4,12711021























              2














              In general, the risk is low, as other answers here indicate. However, there is a scenario where risk is introduced:



              • You have session tokens being passed as cookie data

              • The cookies are scoped in such a way that the other (non-https) site has access to them

              • The cookies do not have the secure flag set

              In the case that all of those are present, the session tokens may be intercepted via man-in-the-middle (MiTM) attack; since the browser will send them to the other site automatically, and they will be sent in plain text rather than over the encrypted HTTPS stream.



              That's a fairly specific set of criteria, and MiTM attack is semi-tough to pull off, so how much real risk this presents should be decided based on 1) whether your site has all 3 of those criteria present, and 2) how sensitive the information in your application is.






              share|improve this answer








              New contributor




              Jason Ross is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.
























                2














                In general, the risk is low, as other answers here indicate. However, there is a scenario where risk is introduced:



                • You have session tokens being passed as cookie data

                • The cookies are scoped in such a way that the other (non-https) site has access to them

                • The cookies do not have the secure flag set

                In the case that all of those are present, the session tokens may be intercepted via man-in-the-middle (MiTM) attack; since the browser will send them to the other site automatically, and they will be sent in plain text rather than over the encrypted HTTPS stream.



                That's a fairly specific set of criteria, and MiTM attack is semi-tough to pull off, so how much real risk this presents should be decided based on 1) whether your site has all 3 of those criteria present, and 2) how sensitive the information in your application is.






                share|improve this answer








                New contributor




                Jason Ross is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.






















                  2












                  2








                  2







                  In general, the risk is low, as other answers here indicate. However, there is a scenario where risk is introduced:



                  • You have session tokens being passed as cookie data

                  • The cookies are scoped in such a way that the other (non-https) site has access to them

                  • The cookies do not have the secure flag set

                  In the case that all of those are present, the session tokens may be intercepted via man-in-the-middle (MiTM) attack; since the browser will send them to the other site automatically, and they will be sent in plain text rather than over the encrypted HTTPS stream.



                  That's a fairly specific set of criteria, and MiTM attack is semi-tough to pull off, so how much real risk this presents should be decided based on 1) whether your site has all 3 of those criteria present, and 2) how sensitive the information in your application is.






                  share|improve this answer








                  New contributor




                  Jason Ross is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.










                  In general, the risk is low, as other answers here indicate. However, there is a scenario where risk is introduced:



                  • You have session tokens being passed as cookie data

                  • The cookies are scoped in such a way that the other (non-https) site has access to them

                  • The cookies do not have the secure flag set

                  In the case that all of those are present, the session tokens may be intercepted via man-in-the-middle (MiTM) attack; since the browser will send them to the other site automatically, and they will be sent in plain text rather than over the encrypted HTTPS stream.



                  That's a fairly specific set of criteria, and MiTM attack is semi-tough to pull off, so how much real risk this presents should be decided based on 1) whether your site has all 3 of those criteria present, and 2) how sensitive the information in your application is.







                  share|improve this answer








                  New contributor




                  Jason Ross is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.









                  share|improve this answer



                  share|improve this answer






                  New contributor




                  Jason Ross is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.









                  answered 2 hours ago









                  Jason RossJason Ross

                  213




                  213




                  New contributor




                  Jason Ross is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.





                  New contributor





                  Jason Ross is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.






                  Jason Ross is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.



























                      draft saved

                      draft discarded
















































                      Thanks for contributing an answer to Information Security Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid


                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.

                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function ()
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205446%2fa-link-redirect-to-http-instead-of-https-how-critical-is-it%23new-answer', 'question_page');

                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      Era Viking Índice Início da Era Viquingue | Cotidiano | Sociedade | Língua | Religião | A arte | As primeiras cidades | As viagens dos viquingues | Viquingues do Oeste e Leste | Fim da Era Viquingue | Fontes históricas | Referências Bibliografia | Ligações externas | Menu de navegação«Sverige då!»«Handel I vikingetid»«O que é Nórdico Antigo»Mito, magia e religião na volsunga saga Um olhar sobre a trajetória mítica do herói sigurd«Bonden var den verklige vikingen»«Vikingatiden»«Vikingatiden»«Vinland»«Guerreiras de Óðinn: As Valkyrjor na Mitologia Viking»1519-9053«Esculpindo símbolos e seres: A arte viking em pedras rúnicas»1679-9313Historia - Tema: VikingarnaAventura e Magia no Mundo das Sagas IslandesasEra Vikinge

                      Which organization defines CJK Unified Ideographs? The Next CEO of Stack OverflowCharacters which have several different shapesHow useful are the kanji in reading Chinese?Can Chinese readers scan large amounts of text faster/more accurately than their alphabet-using counterparts?丼: why is “well” also “bowl of food”?What Does Unicode 8.0 Mean For Chinese?How are blanks indicated for placeholders in Chinese (like ???)Is there a dictionary of standard character variants?How to display CJK Extension F?How is it decided as to which character is used on the tech terminology?How does 子 come to mean 'midnight'?

                      Metrô de Los Teques Índice Linhas | Estações | Ver também | Referências Ligações externas | Menu de navegação«INSTITUCIÓN»«Mapa de rutas»originalMetrô de Los TequesC.A. Metro Los Teques |Alcaldía de Guaicaipuro – Sitio OficialGobernacion de Mirandaeeeeeee