Implement HTTP handling for TlsServer
#984
Conversation
|
Hi, |
|
My thinking was that maybe somebody is interested in this feature without the automatic upgrade. So is this standalone feature (without upgrading) undesired? |
|
I'm thinking about the downside of allowing this without the "upgrade" is that using HTTP that doesn't immediately redirect to HTTPS is problematic. At my place of work, it's considered a vulnerability. If anything, it should be opt-out of upgrading, not opt in, since it makes your program significantly more insecure. |
|
Yeah, that sounds reasonable to me. I don't think I will even implement the opt-out, because personally I don't have a use-case, so we can do it when somebody requests it. Will look into implementing the automatic upgrade soon. |
ah good question, but What would be the use case for that?
interesting, yeah I was also wondering about that, do you have more info on the possible attack vector? Update: saw @daxpedda response, ok great! 馃憤 |
I don't know, I was only doing it to make the implementation easier, I can't even come up with a use-case.
I'm assuming if you set up a HTTPS server you don't actually want anybody connecting over HTTP. So if one forgets to setup the automatic upgrade, a user could potentially use the website completely over HTTP instead of over HTTPS. An attacker could use this by just sending you the HTTP link, even if you check the domain, you might not notice the scheme. |
This allows hosting a HTTP and HTTPS server on the same port. The main use-case is upgrading a connection to HTTPS automatically when connecting to e.g. "localhost:3030", as browsers connect via HTTP unless explicitly specified.
I implemented this in a way to be optional while not disturbing the default path.
This is a first step towards #417. I learned a lot since then 馃槄.