On Jan 16, 2015 8:34 PM, "Paul Libbrecht" <paul@hoplahup.net> wrote:
>
> One thing that this practice, of providers transparently proxying http
> traffic, bothers is when people try to use both http and https.
That's a bad idea. To have a secure site, http should only redirect to
https and https should enable HSTS and the secure flag for cookies.
> On a website I develop for, users submit their login using https, but
> otherwise http is used.
In this case, the attacker can capture the session cookie instead of the
password, which makes this setup a bad idea.
Since you have obtained a cert and configured https, why not go 100% https?
> Login fails on these networks, because the cookie is attached to the IP.
> I am not sure we are alone doing this kind of ping-pong, are we?
Using https for password submission and letting the cookie travel over
a channel that allows trivial intercept is a common anti-pattern, yes,
unfortunately.
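As an added illustration of the three rules the reply lays out (not code from the thread or from either correspondent): a minimal WSGI application in which plain http only redirects to https, every https response carries an HSTS header, and the session cookie set at login is marked Secure and HttpOnly, plus a small checker that flags any Set-Cookie header lacking the Secure flag, which is exactly the cookie that would travel over the http side of the mixed setup. The hostname, cookie name and session value are constructed placeholders.

```python
"""Added example: http-to-https redirect, HSTS, and a Secure session cookie
in a minimal WSGI app, with a checker for cookies missing the Secure flag.
Not part of the mailing-list thread; hostname and cookie values are made up.
"""
from http.cookies import SimpleCookie

HOST = "example.invalid"  # constructed placeholder hostname
HSTS = "max-age=31536000; includeSubDomains"


def is_https(environ):
    """wsgi.url_scheme is what the server itself observed. Behind a
    TLS-terminating proxy you would instead trust a proxy-set
    X-Forwarded-Proto, and only from a proxy you control."""
    return environ.get("wsgi.url_scheme") == "https"


def session_cookie(value):
    """Build a Set-Cookie value that the browser will never send over http
    (Secure) and that page scripts cannot read (HttpOnly)."""
    jar = SimpleCookie()
    jar["session"] = value
    jar["session"]["secure"] = True
    jar["session"]["httponly"] = True
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


def app(environ, start_response):
    path = environ.get("PATH_INFO") or "/"
    query = environ.get("QUERY_STRING", "")
    if not is_https(environ):
        # Rule 1: plain http does nothing but redirect to the https origin.
        location = "https://" + HOST + path + ("?" + query if query else "")
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]
    # Rule 2: every https response tells the browser to stop using http.
    headers = [("Content-Type", "text/plain; charset=utf-8"),
               ("Strict-Transport-Security", HSTS)]
    if path == "/login":
        # Rule 3: the session cookie is only ever issued as Secure.
        headers.append(("Set-Cookie", session_cookie("constructed-session-id")))
    start_response("200 OK", headers)
    return [b"ok\n"]


def run(environ):
    """Drive the app without a server; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def insecure_cookies(headers):
    """Names of cookies set without the Secure flag, i.e. cookies a browser
    would also send over http (the anti-pattern discussed in the reply)."""
    missing = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        flags = [p.lower() for p in parts[1:]]
        if "secure" not in flags:
            missing.append(parts[0].split("=", 1)[0])
    return missing


if __name__ == "__main__":
    http_env = {"wsgi.url_scheme": "http", "PATH_INFO": "/login", "QUERY_STRING": ""}
    https_env = {"wsgi.url_scheme": "https", "PATH_INFO": "/login", "QUERY_STRING": ""}
    print(run(http_env)[:2])
    print(run(https_env)[:2])
    print(insecure_cookies([("Set-Cookie", "session=abc; Path=/")]))
```

Running the module shows the http request answered with a 301 to the https origin, the https login answered with both the HSTS header and a `Secure; HttpOnly` cookie, and the checker naming a constructed cookie that lacks the Secure flag. The checker is the piece worth reusing: pointing it at your own site's Set-Cookie headers tells you whether a session token could still be captured the way the reply describes.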