Auto-Renew Failing on HTTPS-only Server

Issuance Tech
21

Public URLs can also be considered sensitive. Assume that there's a site containing information about topics about how to handle certain diseases. Now someone pastes a link to an article on that site somewhere (forum, email) incorrectly, i.e. without the protocol. Another user sees it, copies it into her browser's URL field and presses enter. The browser tries to connect via HTTP, and if the server accepts connections to port 80, the information that this person tries to read an article about a specific disease is send in plaintext over the internet.

If your solution to this problem is "don't allow to link to individual articles on this website", well, that's not a solution. Closing port 80, on the other hand, is a very practical solution for this problem. (In fact, it's the only solution I'm aware of which solves this problem.)

22

Thus the separate http / https server scenarioā€¦
If http server gets a request for any information other than acme challenges, it simply redirects them to:
httpS://whatever/url/they/requested
It canā€™t answer back with anything other than that.
Functional AND secure.

23

The complete URL has still been transmitted in plaintext. A separate http / https server scenario will change exactly NOTHING about that.

24

And dropping port 80 changes nothing about:

The "link" is already posted in a forum...

25

As I said: the URL is public. Itā€™s not secret or sensitive per se. Whatā€™s sensitive is who is visiting the URL.

26

Iā€™m sorry, but I really donā€™t understand how the who is in the link (when the link is from a forum), nor how you must drop all port 80 connections.to protect that person from obvious/senseless ā€œexposureā€.
I guess I really donā€™t need to understand it either.
I simply proposed a ā€œsolutionā€; You must weigh the pros and cons and decide on your own.

27

The who is not in the link. The sensitive information is that who accesses the link.

Anyway, Iā€™m not using this, I was only trying to argue that there are valid use-cases where deactivating port 80 makes sense and is not in general a bad choice. It depends a lot on who your users are and what you are providing on your page.

28

At the end of this exercise, HTTP will be dead and buried - much like FTP and TELNET, but for itsā€™ own reasons and faults.
It served us well for many years, and for some, it is still a ā€œnecessary evilā€; But itsā€™ days are numbered.

I donā€™t understand how (in almost 2019) a link without protocol (like: www.domain.com) would default to HTTP in any modern browserā€¦
That really needs to change :frowning:
Just say no!
[to HTTP]

1 Like
29

I think the core of the original question has been answered and there are a handful of options for @klausson to follow up on. I donā€™t think more discussion about the implications of opening port 80 in this thread are likely to be fruitful so Iā€™m going to close this thread for now and anyone that wants to continue that discussion can start a new dedicated thread.

Thanks all!