Securing your internet subscription with https

I publish website URLs that allow users of my web application to subscribe to various calendars. I understand that applications that recognize website URLs will be the default for http, but I would like to provide file transfer using https. The following apache rewrite rule works, but is this a suitable solution?

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

Yes, everything in this domain should be served through https. I know that I can replace webcal with https, but then I will lose the advantage of a URI web scheme (i.e. Simple Subscription). I saw some mention of webcals on the Internet, but there is little information and Apple iCal does not like it.

I plan to use basic authentication with these calendars. Is there a problem with making a request over http first and then redirecting to https?

+4
1 answer

Yes, there may be a problem: the original request will be sent over HTTP, including headers, etc.

This is not necessarily a problem if the original request does not include credentials, and then the response to the HTTP Basic authentication call is sent only in the second request, which will be associated with the HTTPS URL. However, it is likely that some clients may use pre-authentication, in which case credentials will be sent (effectively in clear) in the first, normal HTTP request.

As I said in this answer, redirecting from HTTP to HTTPS does not always provide the same security as we would like.

(As for the webcal:// URL, I think some clients support the webcals:// scheme for the HTTPS equivalent.)

+6
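The pre-authentication case described in the answer, as an added example that is not part of the original post: a local plain-HTTP listener that behaves like the rewrite rule (302 to https://) and records what reached it before the redirect. The path, user name and password are constructed sample values, and the function names are hypothetical.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

seen_on_http = []  # Authorization headers that arrived on the cleartext listener

class RedirectToHttps(BaseHTTPRequestHandler):
    """Behaves like the rewrite rule: any plain-HTTP request gets a 302 to https://."""
    def do_GET(self):
        seen_on_http.append(self.headers.get("Authorization"))
        host = self.headers.get("Host", "localhost").split(":")[0]
        self.send_response(302)
        self.send_header("Location", f"https://{host}{self.path}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch_first_hop(path, user=None, password=None):
    """Send only the first (HTTP) request, as a client does before following the redirect."""
    server = HTTPServer(("127.0.0.1", 0), RedirectToHttps)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        headers = {}
        if user is not None:  # pre-emptive authentication: no 401 challenge seen yet
            token = base64.b64encode(f"{user}:{password}".encode()).decode()
            headers["Authorization"] = f"Basic {token}"
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        conn.close()
        return resp.status, resp.getheader("Location"), seen_on_http[-1]
    finally:
        server.shutdown()
        server.server_close()

def decode_basic(header):
    """Recover user:password from a Basic header; base64 is encoding, not encryption."""
    return base64.b64decode(header.split(" ", 1)[1]).decode()

if __name__ == "__main__":
    # Constructed sample credentials and calendar path.
    status, location, leaked = fetch_first_hop("/cal/team.ics", "alice", "constructed-pw")
    print(status, location, decode_basic(leaked))
```

A client that waits for the 401 challenge sends no `Authorization` header on this first hop, so the listener records `None`; the redirect itself is identical in both cases.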