问题
I have an http-https redirect configuration set up in NGINX:
server {
listen 80;
server_name localhost;
return 301 https://$server_name$request_uri;
}
My question is: Is there at any point, from the user initially accessing the login page of my application to POSTing his username+password, a time when the credentials are going clear over HTTP before being redirected to HTTPS?
回答1:
It depends on your login form somewhat (it should always post to the https url only), but based on this info, I think no, the password always goes over https when used as intended.
However, you might want to note a few things and add more protection (defense in depth), because the whole point in attacks is to make things not go as intended. :)
SSL Stripping
An attacker might be able to degrade the connection to http from the user's perspective while the attacker himself maintains a secure connection with the server. Note that this would work even if the server does not even respond on plain http. See this video or this link (among many others). The solution is HSTS (see below).
Attacker injecting plain http request
If the attacker can inject a plain http request in any way into the client browser that sends the credentials over plain http, those credentials will not be protected. This applies to username/password being posted, but also to the session cookie, which is equivalent to user credentials for the duration of the session. So this means if the attacker can for example insert an image with src="http://yoursite.com", the session cookie will be sent plaintext. The response will be a redirect as per your nginx settings, but that's too late. Always setting your session cookie as secure solves this problem (but not the other one about posting the credentials, which can be mitigated by HSTS).
HSTS
Your website should have a Strict-Transport-Security response header, so that once a browser had a chance to talk to the server without a man-in-the-middle attacker removing the header, it will remember to use https even if the user does not explicitly specify it in the url bar.
Strict-Transport-Security: max-age=31536000; includeSubDomains
More info on HSTS is here.
来源:https://stackoverflow.com/questions/40957699/does-http-redirect-to-https-risk-capture-of-password