Auto-Renew Failing on HTTPS-only Server

felixf · December 6, 2018, 9:34pm

Public URLs can also be considered sensitive. Assume that there's a site containing information about topics about how to handle certain diseases. Now someone pastes a link to an article on that site somewhere (forum, email) incorrectly, i.e. without the protocol. Another user sees it, copies it into her browser's URL field and presses enter. The browser tries to connect via HTTP, and if the server accepts connections to port 80, the information that this person tries to read an article about a specific disease is send in plaintext over the internet.

If your solution to this problem is "don't allow to link to individual articles on this website", well, that's not a solution. Closing port 80, on the other hand, is a very practical solution for this problem. (In fact, it's the only solution I'm aware of which solves this problem.)

rg305 · December 6, 2018, 10:00pm

Thus the separate http / https server scenario…
If http server gets a request for any information other than acme challenges, it simply redirects them to:
httpS://whatever/url/they/requested
It can’t answer back with anything other than that.
Functional AND secure.

felixf · December 6, 2018, 10:19pm

The complete URL has still been transmitted in plaintext. A separate http / https server scenario will change exactly NOTHING about that.

rg305 · December 6, 2018, 10:28pm

And dropping port 80 changes nothing about:

The "link" is already posted in a forum...

felixf · December 6, 2018, 10:59pm

As I said: the URL is public. It’s not secret or sensitive per se. What’s sensitive is who is visiting the URL.

rg305 · December 6, 2018, 11:31pm

I’m sorry, but I really don’t understand how the who is in the link (when the link is from a forum), nor how you must drop all port 80 connections.to protect that person from obvious/senseless “exposure”.
I guess I really don’t need to understand it either.
I simply proposed a “solution”; You must weigh the pros and cons and decide on your own.

felixf · December 7, 2018, 6:28am

The who is not in the link. The sensitive information is that who accesses the link.

Anyway, I’m not using this, I was only trying to argue that there are valid use-cases where deactivating port 80 makes sense and is not in general a bad choice. It depends a lot on who your users are and what you are providing on your page.

rg305 · December 7, 2018, 6:36am

At the end of this exercise, HTTP will be dead and buried - much like FTP and TELNET, but for its’ own reasons and faults.
It served us well for many years, and for some, it is still a “necessary evil”; But its’ days are numbered.

I don’t understand how (in almost 2019) a link without protocol (like: www.domain.com) would default to HTTP in any modern browser…
That really needs to change
Just say no!
[to HTTP]

cpu · December 7, 2018, 2:32pm

I think the core of the original question has been answered and there are a handful of options for @klausson to follow up on. I don’t think more discussion about the implications of opening port 80 in this thread are likely to be fruitful so I’m going to close this thread for now and anyone that wants to continue that discussion can start a new dedicated thread.

Thanks all!