internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

HTTPS redirect test does not fail when redirecting from HTTPS to HTTP on other domain #1521

Open WKobes opened 1 month ago

WKobes commented 1 month ago

The HTTPS redirect test explanation gives two examples for valid redirection:

However, this test succeeds (on both apex and www subdomain) also when having a redirect scheme as follows:

This test should fail on the apex domain (www. domain is fine in this case), since it is downgrading from https to http.

The example is redirection to a www subdomain, but of course it should fail in any downgrade redirection, eg:

WKobes commented 1 month ago

This behaviour was added per #555

This is partly intended when reading the test explanation:

Note that this subtest only tests if the given domain correctly redirects from HTTP to HTTPS. An eventual further redirect to a different domain (including a subdomain of the tested domain) is not tested. You could start a separate test to test such a domain that is being redirected to.

However, in the case of http > https > http > https both tests will in fact succeed and thus this redirection scheme will not be noticed by using internet.nl. Yet, this redirection scheme is less secure than http > https > https.

I would propose we actually do look at the (one) further redirect, but limit ourselves to whether the redirect is done towards https as well. Everything else should be tested in the test of the destination domain itself (+1 for issue #270)

bwbroersma commented 1 month ago

The reasoning in the http->https same domain upgrade is HSTS. So actually your example:

http://example.nl/ => https://example.nl/ => http://www.example.nl/ => https://www.example.nl/

Is not a problem in terms of setting the HSTS, since this is only done on HTTPS connections and should happen for all subdomains. Of course it is better to not have this hop, since it could be used for MITM and because of performance reasons.

However if you would create a table:

| Redirects when visiting apex | no HSTS cache | only HSTS cache www | only HSTS cache apex* | both in HSTS cache |
|---|---|---|---|---|
| http apex => https apex => http www => https www | :detective: | :detective: | :detective: | :detective: |
| http apex => https apex => https www | :detective: | :detective: | ✅ | ✅ |

:detective: = MITM opportunity with sslstrip
✅ = no MITM option
\* = this case is very unlikely, because of the redirects

So in effective security there is probably a near-to-zero difference.

bwbroersma commented 1 month ago

After an offline discussion I agree with @WKobes Internet.nl could look at the outgoing redirect scheme of the (last) same-domain headers. Although it won't effectively do something, it is a bad practice to redirect to insecure schemes.
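The check proposed above (only look at redirects issued by the tested domain, and require each of them to point to https), as an added illustration that is not Internet.nl's own code; the rule and the example chains are constructed for this issue, and `check_https_redirect` is an assumed name.

```python
from urllib.parse import urlsplit

# Constructed redirect chains from this issue (not captured from a real site):
# the sequence of URLs a client visits, starting at the tested domain over http.
DOWNGRADE_CHAIN = [
    "http://example.nl/",
    "https://example.nl/",
    "http://www.example.nl/",
    "https://www.example.nl/",
]
CLEAN_CHAIN = [
    "http://example.nl/",
    "https://example.nl/",
    "https://www.example.nl/",
]


def check_https_redirect(chain):
    """Apply the proposed rule to a redirect chain; returns (passed, reason).

    Assumed rule (not the current Internet.nl implementation): every redirect
    issued by the tested host, including the further redirect away from it,
    must point to an https:// URL. Hops taken after the client has left the
    tested host are ignored, since they belong to a test of the destination
    domain (the existing "separate test" guidance in the explanation).
    """
    if len(chain) < 2:
        return False, "tested domain does not redirect"
    tested_host = urlsplit(chain[0]).hostname
    for hop in range(1, len(chain)):
        source = urlsplit(chain[hop - 1])
        target = chain[hop]
        if source.hostname != tested_host:
            break  # left the tested host: out of scope for this subtest
        if urlsplit(target).scheme != "https":
            return False, f"hop {hop}: {chain[hop - 1]} redirects to insecure {target}"
    return True, f"all redirects issued by {tested_host} point to https"


if __name__ == "__main__":
    for name, chain in (("downgrade", DOWNGRADE_CHAIN), ("clean", CLEAN_CHAIN)):
        passed, reason = check_https_redirect(chain)
        print(f"{name}: {'PASS' if passed else 'FAIL'} ({reason})")
```

With this rule the http > https > http > https chain fails on the apex at hop 2, while the same chain tested from the www subdomain still passes, matching the expectation stated in the issue.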