Handling mixed SSL sites

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Handling mixed SSL sites

Post by nielsene »

Does anyone have any experience/advice about organizing a mixed-SSL site?

I.e., you have both SSL and "regular" HTTP traffic and want to lessen the percentage of pages that hit SSL. A good portion of the visitors are not "users" and will not be logging in. Everything they view should be fine to keep in the non-SSL section.

Obviously login and account creation need to be handled under the SSL protocol pages. Some of the edit profile page would also need to be protected from line-snooping. However most of the content wouldn't require SSL protection. At the same time it would be nice to be able to configure sessions to use_cookies_only and use_secure_cookies -- however at present some pages use sessions that wouldn't otherwise require SSL.

In the past I've had three SSL options: NEVER, LOGIN, ALWAYS and set up two "baseURLs" to append paths to: $baseURL and $secureURL. Under "NEVER" both are http:// (used in testing environments without SSL). Under "ALWAYS" both are https://. Under "LOGIN" base is http:// and secure is https://.

Then I simply build links using the appropriate base and one of the initial includes will redirect if required to change protocols.

It's worked for a few years, but I'd be interested in hearing what other people have done.
flav
Forum Newbie
Posts: 4
Joined: Sat Sep 03, 2005 1:09 am

Post by flav »

Although I'm not answering your question, it should be noted that if you mix https and http, you are negating the data integrity that SSL/TLS provides in the first place, thus creating the potential for a MITM/Trojan attack by allowing poisoning of non-encrypted data which is delivered with the [formerly] _secure_ data.

Here is a good blog post about the topic:
http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx

Flavio
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

I'm not so sure. Many large sites use something like I describe to help handle performance/load. Neither of the two vectors mentioned in that blog is relevant -- the login page is one of the SSL pages and I'm not mixing HTTP/S elements on any single page.
Fourtet
Forum Commoner
Posts: 29
Joined: Fri Sep 02, 2005 5:55 pm

Post by Fourtet »

I think as long as you are mixing between pages and not on the same page it's absolutely fine. It's unnecessary most of the time anyway to have EVERY page on your site using SSL. Look at Gmail, for example - they only use SSL when logging in. I quite like your method, nielsene. I think it would be easier to just use mod_rewrite, but if you want to give users the option to use SSL or not, that method would work well.
flav
Forum Newbie
Posts: 4
Joined: Sat Sep 03, 2005 1:09 am

Post by flav »

Perhaps I misread your post. I wasn't sure about the mixing content, and I also assumed you were saying that once you had an authenticated user, only some of the pages accessed would be HTTPS based on each page's sensitivity. Using this technique, the transmission of the password would be confidential, but if the session id is shared between the two protocols it would still be susceptible to hijacking. And of course once hijacked, the attacker would have complete access to the information protected by the HTTPS pages.

I abide by the following:
Always regenerate a new session id [session_regenerate_id()] whenever:
a) Change in privileges (such as a login) -- helps prevent session fixation/hijacking
b) Change in protocol HTTP/S -- helps prevent hijacking
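
The two rules above sketched in PHP, as an added example that is not part of the original posts. It goes one step beyond them by also issuing a Secure-flagged cookie at login, so that HTTPS-only pages do not rely on a session ID that is also sent over HTTP. Function names, session keys and the cookie name are hypothetical; PHP 7.3 or later is assumed.

```php
<?php
// Added example: names, session keys and the cookie name are hypothetical.

function is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// Call at the top of every request, before any output.
function start_tracked_session(): void
{
    ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
    session_start();
    $scheme = is_https() ? 'https' : 'http';
    // Rule (b): the protocol changed since the last request, so issue a
    // new ID and delete the old session data so the old ID stops working.
    if (isset($_SESSION['scheme']) && $_SESSION['scheme'] !== $scheme) {
        session_regenerate_id(true);
    }
    $_SESSION['scheme'] = $scheme;
}

// Rule (a): call on the HTTPS login page once the credentials check out.
function mark_logged_in(int $userId): void
{
    session_regenerate_id(true); // discard any pre-login (possibly fixated) ID
    $_SESSION['user_id'] = $userId;
    // The session cookie also travels over plain HTTP, so bind the login
    // to a second token that the browser only sends over HTTPS.
    $_SESSION['secure_token'] = bin2hex(random_bytes(32));
    setcookie('secure_token', $_SESSION['secure_token'], [
        'path' => '/', 'secure' => true, 'httponly' => true,
    ]);
}

// Guard for pages that show or change protected data.
function require_secure_user(): int
{
    $sent = $_COOKIE['secure_token'] ?? '';
    if (!is_https()
        || !isset($_SESSION['user_id'], $_SESSION['secure_token'])
        || !hash_equals($_SESSION['secure_token'], $sent)) {
        http_response_code(403);
        exit('Forbidden');
    }
    return $_SESSION['user_id'];
}
```

A session ID captured on an HTTP page is then not enough on its own to pass `require_secure_user()`, because the second token is never sent over HTTP.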