Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Should all web site login pages use https? From time to time I notice some sites use http on their login page -- surely that's a major security risk or am I wrong?
I flatly recommend that, today, all web pages should be secured. (Just look at what WikiPedia has done.)
This avoids the mixing of secure and insecure content, or the use of information obtained through a secured area in an insecure area. Many web browsers today detect, and loudly complain about, any such mixture and will not allow things (like AJAX calls) to take place.
The site content should be "https," and the insecure <VirtualHost> should simply redirect-permanent to the secure one.
HTTP links are certainly acceptable, but if they direct to logon pages, that redirect should be secured.
For example, linuxquestions.org uses only http -- is this what you mean by 'http links are certainly acceptable'? I am confused - how is only http secure?
You misunderstand me. Perhaps I was not clear. HTTP links are not secure. That is fine for static pages with public content, but anything that requires a logon should use an HTTPS link. It is easy, if you are running your own web site, to use HTTP pages that do NOT display, but only forward you to the HTTPS page.
HTTPS uses encryption and is more secure. How secure depends upon which encryption standards are supported on that server, which is something you (as the page provider) can set in the server settings. The exact settings method depends upon what software you are using to provide web services.
Bottom line, when in doubt use encryption. Always.
Only in the cases where logins don't particularly need to be secure is HTTP acceptable; use cases might be beta/test pages using basic HTTP auth with IP filtering, or a downloads page for various files for friends/family. Anything taking anybody's actual password should be considered secure, however, and thus back to HSTS. I'd mix this in with a backend using randomized salt hashing, with an individual salt per user.
Last edited by r3sistance; 05-11-2017 at 06:45 AM.
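As an added illustration of the "individual salt per user" backend r3sistance describes (example code, not from the thread or from any particular project): each registration draws its own random salt, the salt is stored beside the digest, verification recomputes with the stored salt and compares in constant time, and two users with the same password end up with different digests. PBKDF2-HMAC-SHA256 from the standard library is used here; the iteration count is an assumed tuning value for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for this example; tune it
# to the slowest login latency you can tolerate on your own hardware.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn per call
    unless one is supplied, so every user gets an individual salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# Constructed in-memory "user table" standing in for a database:
# username -> (salt, digest). Plaintext passwords are never stored.
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Burn the same work as a real check so an unknown username is not
        # distinguishable from a wrong password by response time.
        hash_password(password)
        return False
    return verify_password(password, *record)


def same_password_different_digests(user_a: str, user_b: str) -> bool:
    """True when two stored digests differ, which is what per-user salts
    guarantee even when the underlying passwords are identical."""
    return USERS[user_a][1] != USERS[user_b][1]


if __name__ == "__main__":
    register("alice", "correct horse")
    register("bob", "correct horse")
    print("alice login ok:", login("alice", "correct horse"))
    print("alice wrong pw:", login("alice", "battery staple"))
    print("same password, different digests:", same_password_different_digests("alice", "bob"))
```

Only the salted digest is ever compared, and only over HTTPS does the plaintext password reach the server in the first place; the hashing protects the stored credential if the database leaks, it does not protect the password in transit.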
I think that all the internet shouldn't be in HTTPS. I had problems with that protocol, and I know it is more secure and all, but for certain circumstances (I needed in the past to install SSH to access HTTPS in a barebones system, and SURPRISE, the download of binaries was in HTTPS, the program download was in HTTPS, etc.)
it is better not to use this protocol.
Surely that's a little exaggerated?
If it is public, static content, why not HTTP?
Also, your own blog (and mine) doesn't seem to support HTTPS.
Right now I'd rather use HTTP than use letsencrypt (*), or have my visitors see a browser security warning.
(*) A while back I looked at letsencrypt closer, and using it effectively means signing a contract with a USA company, the country with the worst known privacy/security legislature. No, sir.
If there are alternatives to letsencrypt (free or almost free, browser-trusted SSL), please let me know.
Because hosting HTTP content can be used for degrade attacks, where you can turn HTTPS connections into HTTP connections. If you have anything secure you must use HSTS, for the reasons that HSTS exists, and when using HSTS then everything HAS to be HTTPS.
The original question was do LOGON screens need to be HTTPS, and I think we can all agree that the answer to that is an unqualified "Yes".
I am not sure we agree about pages not protected by logon, or where access does not depend upon identity. If I put up static information screens, or screens containing read-only data generated in the back end, I am not going to require that they be presented as HTTPS. I cannot imagine why one WOULD require that, but if you want to, that is fine with me.
Since people still don't seem to be getting the importance of HSTS:
The most important security vulnerability that HSTS can fix is SSL-stripping man-in-the-middle attacks, first publicly introduced by Moxie Marlinspike in his 2009 BlackHat Federal talk "New Tricks For Defeating SSL In Practice".[17][18] The SSL stripping attack works (on TLS as well) by transparently converting a secure HTTPS connection into a plain HTTP connection.
Once you use HSTS, everything has to be HTTPS; HTTP will no longer work, as the client browser will see it as invalid and potentially malicious.
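To make concrete both the "insecure vhost only redirects to the secure one" pattern from the first reply and the HSTS mechanism quoted above, here is an added example (not code from the thread or from any browser or server project) that models the client side of RFC 6797 in a few dozen lines. A constructed origin for the hypothetical host example.test answers plain HTTP with a 301 to HTTPS and announces `Strict-Transport-Security` only on the HTTPS response. The modelled client caches that policy and, for every later `http://` URL under the host (subdomains included), rewrites the scheme to `https` before any request is sent. That pre-request upgrade is the whole point: once a policy is cached, no plaintext request ever leaves the client, so there is nothing on the wire for a stripping middlebox to rewrite. The header value and host name are assumptions for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str = ""


@dataclass
class Policy:
    expires_at: float
    include_subdomains: bool


@dataclass
class Client:
    """Minimal model of a browser's HSTS cache (RFC 6797 semantics, simplified)."""
    hsts: Dict[str, Policy] = field(default_factory=dict)  # host -> Policy
    sent: List[str] = field(default_factory=list)          # URLs actually requested

    def policy_for(self, host: str) -> Optional[Policy]:
        """Exact-host policy, or a parent-domain policy carrying includeSubDomains."""
        now = time.time()
        labels = host.split(".")
        for i in range(len(labels)):
            pol = self.hsts.get(".".join(labels[i:]))
            if pol is None or pol.expires_at <= now:
                continue  # unknown or expired
            if i == 0 or pol.include_subdomains:
                return pol
        return None

    def remember(self, host: str, header: str) -> None:
        """Parse a Strict-Transport-Security value and store/clear the policy."""
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            if name.lower() == "max-age":
                max_age = int(value)
            elif name.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # malformed header: ignore, as browsers do
        if max_age == 0:
            self.hsts.pop(host, None)  # max-age=0 withdraws the policy
        else:
            self.hsts[host] = Policy(time.time() + max_age, include_sub)

    def navigate(self, url: str, server: Callable[[str], Response], max_hops: int = 5) -> Response:
        for _ in range(max_hops):
            parts = urlsplit(url)
            if parts.scheme == "http" and self.policy_for(parts.hostname):
                url = urlunsplit(("https",) + tuple(parts[1:]))  # upgraded before any request
                parts = urlsplit(url)
            self.sent.append(url)
            resp = server(url)
            # The header is only honoured when received over HTTPS.
            if parts.scheme == "https" and "Strict-Transport-Security" in resp.headers:
                self.remember(parts.hostname, resp.headers["Strict-Transport-Security"])
            if resp.status in (301, 302, 307, 308):
                url = resp.headers["Location"]
                continue
            return resp
        raise RuntimeError("too many redirects")


HSTS_HEADER = "max-age=31536000; includeSubDomains"  # assumed value for the example


def origin(url: str) -> Response:
    """Constructed server for example.test: the insecure side only redirects,
    the secure side serves content and announces HSTS."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return Response(301, {"Location": urlunsplit(("https",) + tuple(parts[1:]))})
    return Response(200, {"Strict-Transport-Security": HSTS_HEADER}, body="login form")


def demo() -> List[str]:
    """First visit follows the 301 on the wire; a later plain link to a
    subdomain is upgraded client-side and never goes out as http."""
    c = Client()
    c.navigate("http://example.test/login", origin)
    c.navigate("http://www.example.test/login", origin)
    return c.sent


if __name__ == "__main__":
    for u in demo():
        print("requested:", u)
```

The first navigation still puts one plaintext request on the wire (the 301 hop), which is why the thread's advice to keep every HTTP link pointing at the secure site matters; the policy only starts protecting after the first successful HTTPS response.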
And yet, quite clearly, where a man-in-the-middle attack is not useful for the middle, pointless in fact, there is no point in protecting against it. That is the case where I recommend HTTP over HTTPS.