Is there a safe way to upgrade users to https?

Update: Ryan has responded with "What's your organization's policy on SSL?", which covers these items in detail.

This morning GlobalSign CTO Ryan Hurst put up a simple post: "Rewriting HTTP URLS to HTTPs URLs in Apache"

It's the advice I hear all the time from security-minded developers, but I think it's wrong, and it's wrong because of a flaw in the way the web works. That said, I've used the technique from time to time, and it works, a bit.

So what does it do? If you ask for http://www.example.org you get, over plain http, a 302 redirect pointing at the https version of the URL. Your client then begins an HTTPS request. Sounds good, right? Sorta.

The initial request is sent over http and the client is not expecting an SSL result. They're not checking for a cert or a lock icon, because they didn't ask for a secure connection. The developer thinks it's secure because he sees his users interacting over SSL, but there's a problem. That initial redirect is the weak link.

Let's talk about the typical Mallory-between-Alice-and-Bob problem. Bob wants to talk to Alice. Bob sends Alice a message and waits for a reply. Alice, not wanting to talk insecurely, tells Bob to go to a secure site at a specific URL. Bob dutifully follows the advice and goes to the secure site. The only problem is that Bob can't tell the difference between Alice and Mallory at this referral stage. Did Alice really tell Bob to go to the secure site, or did Mallory? In this case Mallory can redirect Bob to an insecure site of Mallory's choosing. It's up to Bob to check that the referred site's identity validates and is secure, but Bob, as you'll recall, wasn't expecting secure messaging, and is used to Alice telling him to go to the secure site when she wants to talk securely, so he isn't being paranoid about the authenticity of the referral. Bob has done this 100 times without issue. But on time 101, Mallory hijacks the referral, and now Bob is talking to Mallory, who is relaying messages to Alice and pretending to be Bob talking securely to Alice. The protection SSL was supposed to bring never happened and no one was the wiser. Alice sees a secure connection to who she thinks is Bob, and Bob sees no security to Alice, which is exactly what he expected. Everyone is happy, but Mallory is listening in.

Moxie Marlinspike demonstrated this attack with a talk and tool called SSLStrip. Yes, that's right, it's now off-the-shelf software.

So is it safe to upgrade users this way? Is there any value in the activity? Not really. In one sense, it changes the threat model from passive listening to active attacking, and so offers -some- security, but it also has a downside: it trains users not to ask for the https page. The net security change: about zero.

So what can make it better? HSTS, HTTP Strict Transport Security. It works such that after the first time you visit the https site, if you type http in or follow an http link, the browser will automatically upgrade you before the request is sent. It's a good technology, with privacy problems (see hstscookie.ca), but it also has an odd side effect when combined with Ryan's suggestion of a site-wide redirect: for some clients it will actually hide mixed-content errors on your pages. For a demonstration of this, see this page.
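To make the "first visit is the weak link" point concrete, here is a toy model of the HSTS store a browser keeps. It is an added example, not code from the original post or from any browser: the first typed http URL goes out in the clear because nothing is known yet, but once one https response has carried a Strict-Transport-Security header, later http URLs for that host are rewritten locally before any request leaves the client. The hostnames are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """Minimal model of a browser's HSTS store: host -> (expiry, includeSubDomains)."""

    def __init__(self, now=time.time):
        self.now = now
        self.entries = {}

    def note_response(self, url, headers):
        """Record HSTS from a response; returns True if the header was honoured."""
        parts = urlsplit(url)
        hdr = headers.get("Strict-Transport-Security")
        # Only https responses count: on plain http anyone in the path could set
        # or clear the policy, so browsers ignore the header there.
        if parts.scheme != "https" or hdr is None:
            return False
        directives = [d.strip().lower() for d in hdr.split(";")]
        ages = [d.split("=", 1)[1].strip('"') for d in directives if d.startswith("max-age=")]
        if not ages or not ages[0].isdigit():
            return False  # max-age is mandatory; a malformed header is ignored
        host, max_age = parts.hostname.lower(), int(ages[0])
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the client to forget the host
        else:
            self.entries[host] = (self.now() + max_age, "includesubdomains" in directives)
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has an unexpired entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts, before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


def first_and_second_visit(cache, header):
    """First http visit goes out in the clear; after one https response with HSTS it is upgraded."""
    first = cache.rewrite("http://www.example.org/")  # constructed hostname
    cache.note_response("https://www.example.org/", {"Strict-Transport-Security": header})
    return first, cache.rewrite("http://www.example.org/")
```

The window SSLStrip needs is exactly the `first` value: that one request is the only time the client talks plain http to the site, which is why the list below starts with HSTS.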

So as a person or company interested in real https security, what do you do?

Three things.

1) Implement HSTS.

2) Get listed in HTTPS Everywhere.

3) Pin your certs in browsers that allow this (see Google Chrome).