Is mixing HTTP with HTTPS a problem?

23

On my website I use normal HTTP links, but where there is a data transaction, as in forms for example, I use HTTPS, which comes from a shared SSL certificate provided by my hosting server.

I don't intend to keep it this way; soon I'll have bought an SSL certificate, but for now the site is mixed, with HTTP everywhere and HTTPS only on a few pages.

Is it wrong to mix the two on a site this way?

3 answers

13


Generally speaking, it's not a problem. Of course you have to do it right. I realize that some people don't really know which pages should be encrypted, and they end up encrypting what isn't secret and sending out the secret data unencrypted. That's the problem.

There is also some difficulty if a secure page carries insecure elements, but that does not seem to be your case. This includes iframes, so be careful if an insecure page is inside an iframe contained in a secure page.

Of course you may have some specific problem in some scenario, depending on what you're doing, but then it's the scenario, not the mixing; that's not the normal case.

Since your plan is to encrypt everything later, there is no problem getting started like this. Future versions of browsers may start to indicate problems, but that does not happen now. Even that will not hinder navigation; there will only be an indication that you are on an insecure page. Everything has a solution. It will only be a problem the day they force everything to be encrypted, which I doubt will happen. Even then the problem won't be mixing secure and insecure pages.

11

Yes, it is not recommended, and by the end of the year Chrome will not let the site be accessed without the user accepting the risks and clicking through the insecurity warning, as can be seen in this link. To this end a free certificate called Let's Encrypt was developed; today almost all hosting providers use it and install it for free, and it is also possible to install it on Linux servers on your own if you are using a virtualized server from some platform.

If you use any hosting, check whether it doesn't already provide the certificate. For more about the certificate, see here.

7

If you use SSL but do not use HSTS (nor HPKP), you allow an attacker to downgrade to HTTP.

Having SSL without HSTS is the same as nothing. And you cannot turn on HSTS (nor HPKP), because it would break access to the HTTP pages.

The absence of this feature allows HTTPS pages to be taken to HTTP. The attacker can do this and completely ignore SSL.

If you load scripts or images over HTTP, without SRI and without CSP, you allow the attacker to modify that content. But this is irrelevant, because they can already modify the whole page, assuming the attacker does some DNS poisoning or ARP poisoning, for example.

If you have a secure subdomain, such as seguro.site.com, you have to make sure that it at least uses HSTS.

That still has other problems. For example, you should enable "Secure" on the cookie, so that the cookie does not travel to the insecure area, and restrict it to the subdomain. Otherwise it becomes possible to steal sessions when the user enters the insecure area. And this ignores the possibility of Session Fixation: setting a cookie in the insecure area to be used in the secure area.

Beyond that, privacy. Now the provider knows which site was accessed and what information was obtained, because it is on HTTP. If it were on HTTPS (and with HSTS Preload) only the IP would be obtained, which does not even guarantee which site was accessed.
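The checks the answers above describe (insecure subresources and iframes inside a secure page, a missing HSTS header, a session cookie set without the Secure attribute) can be run mechanically against a captured response. The script below is an added example and is not code from the original post or its answers; the HTML page, the headers, the host www.example.com and the cookie name PHPSESSID are constructed sample data, and the hardened variant simply shows the same response after applying the fixes the third answer recommends.

```python
"""Audit a captured HTTPS response for the issues discussed in the answers:
mixed content (http:// script/img/iframe on an https page), a missing
Strict-Transport-Security header, and session cookies set without Secure.
Added example; the sample responses below are constructed, not captured."""
import re
from html.parser import HTMLParser

# Tags whose src/href/data loads a subresource. An http:// URL here on an
# https page is mixed content (script/iframe/link are "active", img "passive").
SUBRESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src",
    "link": "href", "video": "src", "audio": "src", "object": "data",
}


class MixedContentParser(HTMLParser):
    """Collect subresource URLs that use the insecure scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value and value.lower().startswith("http://"):
                self.findings.append((tag, value))


def find_mixed_content(html):
    parser = MixedContentParser()
    parser.feed(html)
    return parser.findings


def has_hsts(headers):
    """True if Strict-Transport-Security is present with a positive max-age."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
            if m and int(m.group(1)) > 0:
                return True
    return False


def insecure_cookies(headers):
    """Names of cookies set by the response without the Secure attribute."""
    bad = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            bad.append(cookie_name)
    return bad


def audit(headers, html):
    """Run all three checks; an empty list or True means the check passed."""
    return {
        "mixed_content": find_mixed_content(html),
        "hsts": has_hsts(headers),
        "cookies_without_secure": insecure_cookies(headers),
    }


# Constructed sample: the secure form page as the question describes it,
# served over HTTPS but still pulling assets and an iframe over http://.
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; HttpOnly"),
]
WEAK_HTML = """<html><head>
<script src="http://www.example.com/js/app.js"></script>
<link rel="stylesheet" href="https://www.example.com/css/site.css">
</head><body>
<img src="http://www.example.com/img/logo.png">
<iframe src="http://www.example.com/ajuda.html"></iframe>
<form method="post" action="/checkout"></form>
</body></html>"""

# The same response after the fixes: HSTS on the secure host, Secure on the
# session cookie, and every subresource loaded over https.
HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
HARDENED_HTML = WEAK_HTML.replace("http://", "https://")

if __name__ == "__main__":
    for label, hdrs, body in (("weak", WEAK_HEADERS, WEAK_HTML),
                              ("hardened", HARDENED_HEADERS, HARDENED_HTML)):
        print(label, audit(hdrs, body))
```

Running it reports the script, image and iframe fetched over http://, the absent HSTS header and the PHPSESSID cookie lacking Secure for the weak response, and a clean result for the hardened one. Note that the HSTS check is only meaningful on a host that is served entirely over HTTPS; as the answer says, enabling it on a mixed site breaks its HTTP pages.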
