On Jan 16, 2015 8:34 PM, "Paul Libbrecht" <paul@hoplahup.net> wrote: > > One thing that this practice, of providers transparently proxying http traffic, bothers is when people try to use both http and https. That's a bad idea. To have a secure site, http should only redirect to https and https should enable HSTS and the secure flag for cookies. > On a website I develop for, users submit their login using https, but otherwise http is used. In this case, the attacker can capture the session cookie instead of the password, which makes this setup a bad idea. Since you have obtained a cert and configured https, why not go 100% https? > Login fails on these networks, because the cookie is attached to the IP. > I am not sure we are alone doing this kind of ping-pong, are we? Using https for password submission and letting the cookie to travel over an channel that allows trivial intercept is a common anti-pattern, yes, unfortunately.
Received on Saturday, 17 January 2015 09:40:54 UTC