Don't Cross The Streams

Spent the day fighting with an application that wants to use both HTTP and HTTPS. Sometimes.

It's not a horrid idea - a clear channel for normal traffic, a secure channel for sensitive traffic. But it gets more complicated...

Some guidelines, subject to revision after I've gotten some sleep.

When the user sends sensitive information (normally by filling out a form), the secure channel should be used - we want to make sure that everything gets encrypted before it is sent over the wire.

When the user receives sensitive information (for example, if the form above is preloaded with sensitive data), the secure channel should be used. The web has no facilities for using secure in one direction and insecure in the other, so we need to ensure that the initial request from the client comes in on the secure channel.

Page sub elements (those bits the browser retrieves without user intervention to render the page) should use the same channel as the page source. It's a bit disappointing to waste the secure channel on traffic that has no sensitive information at all, but the browsers generally can't tell if the choice is dangerous, nor can most users. Using the same channel as the initial request gives the best odds of delivering the intended user experience.

If a request comes in on an unexpected channel (the user asks for their profile in the clear, or sends a credit card number in the clear), either service the request anyway, or forbid it, as appropriate. Don't redirect to the appropriate channel - find the link in the application, and set it to use the proper channel.

Forms with sensitive data use method POST, not GET. Keep those credit card numbers out of the Referer headers of the subsequent requests.

You might reasonably wish to configure your service in different modes (http traffic when the network itself is secure, https for security, perhaps a mixed mode to improve performance without compromising the sensitive data). The answer here is a layer of abstraction - the above rules determine whether the secure or clear channel is used, but the configuration determines which protocol is associated with which channel.
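As an added illustration (not code from the original post), here is a small Python model of the rules above: a route table decides which channel a page needs, the deployment mode decides which protocol each channel maps to, links and sub-element links are built with the right channel up front, and a request that arrives on the wrong channel is served or forbidden rather than redirected. The host name and route table are assumed sample values.

```python
from enum import Enum
from urllib.parse import urlsplit


class Channel(Enum):
    CLEAR = "clear"
    SECURE = "secure"


# The three deployment modes from the post: clear everywhere (trusted network),
# secure everywhere, or mixed. Only this table knows which protocol a channel uses.
MODES = {
    "http":  {Channel.CLEAR: "http",  Channel.SECURE: "http"},
    "https": {Channel.CLEAR: "https", Channel.SECURE: "https"},
    "mixed": {Channel.CLEAR: "http",  Channel.SECURE: "https"},
}

# Constructed route table (sample paths, not from the post): the channel each page needs.
ROUTES = {
    "/": Channel.CLEAR,
    "/catalog": Channel.CLEAR,
    "/profile": Channel.SECURE,    # page is preloaded with sensitive data
    "/checkout": Channel.SECURE,   # form that receives the card number
}

HOST = "shop.example"  # placeholder host name


def link(path, mode):
    """Absolute link for an application page. The channel is fixed here, in the
    emitted link, instead of by a redirect after the wrong request has arrived."""
    scheme = MODES[mode][ROUTES[path]]
    return f"{scheme}://{HOST}{path}"


def asset_link(path, page_url):
    """Sub-elements (images, scripts, stylesheets) follow the channel of the page
    that embeds them, whatever the asset itself contains."""
    return f"{urlsplit(page_url).scheme}://{HOST}{path}"


def check_request(url, method, mode):
    """Decide what to do with a request that has already arrived:
    'serve', 'forbid' or 'not_found'."""
    parts = urlsplit(url)
    required = ROUTES.get(parts.path)
    if required is None:
        return "not_found"
    if required is Channel.SECURE:
        if parts.scheme != MODES[mode][required]:
            return "forbid"   # sensitive data requested or submitted in the clear
        if method == "GET" and parts.query:
            return "forbid"   # form fields in the URL would leak via Referer
    return "serve"            # a clear page fetched over the secure channel is harmless
```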

January 29, 2003 11:22 PM
