[Ach] Redirect from HTTP to HTTPS and the big bad Host header - Github Pull #100

Hanno Böck hanno at hboeck.de
Thu Apr 2 22:53:41 CEST 2015

On Thu, 02 Apr 2015 22:43:14 +0200
Christian Mehlmauer <bettercrypto at firefart.at> wrote:

> Currently the redirect from HTTP to HTTPS is done via this line
> (nginx):
> return 301 https://$host$request_uri;
> The problem: $host is a user controlled variable, the HOST header.

I'm not sure I'm getting the issue here.
The redirect from http is unencrypted, thus you have to expect that
this is not secure. The whole redirect is not only user-controlled,
it's essentially attacker-controlled for MitM-attacker scenarios. This
is the well known ssl stripping issue and the reason people should use

There's nothing to secure here, because it is insecure by design. If
you're worried use HSTS. If you're worried even more let your domain be
preloaded into the browsers (just did that with mine).

Hanno Böck

mail/jabber: hanno at hboeck.de
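The two points in this thread side by side, as an added nginx configuration that is not part of the original post or of the project's own config: the redirect built from `$host` next to one built from the configured server name, and the HSTS header from the reply. Hostnames, certificate paths and the `max-age` value are assumptions.

```nginx
# Added example (not from the thread). Hostnames and paths are placeholders.

# Catch-all for requests whose Host header matches no configured name, so an
# arbitrary Host value is never echoed into a Location header.
server {
    listen 80 default_server;
    server_name _;
    return 444;   # nginx-specific: close the connection without a response
}

# Plain-HTTP listener: redirect to the configured name, not to $host.
server {
    listen 80;
    server_name example.com;
    # Weak form quoted in the thread (redirect target taken from the Host header):
    #   return 301 https://$host$request_uri;
    # Hardened form: $server_name expands to the first name in server_name.
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/example.com.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/example.com.key;   # placeholder path

    # HSTS as suggested in the reply. Browsers only honour this header when it
    # arrives over HTTPS, so it belongs here and not in the port-80 block.
    # "preload" is required before submitting the domain to the browser preload list.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}
```

The plain-HTTP hop is still unauthenticated, as the reply says; the hardened redirect only stops the server from echoing an attacker-chosen Host into the Location header, while HSTS is what removes the hop for returning browsers.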