Can https fall back to http, and https security

I am considering installing SSL / TLS for my domain. I am worried about two questions:

  • Is there any scenario where an https connection can fall back to http? Thus, for example, if my ajax looks something like this:

    $.post("https://foo.com", function(){ }); 

    Is there any chance this could change to

    $.post("http://foo.com", function(){ });

    and even if that happens, my domain will remain available at http://foo.com ?

  • Further, I read in detail about the use of SSL / TLS, and from what I read it seems fairly safe to assume that if I turn this on, then even if I send the user credentials in plain text, it is secure (there would be salted encryption on the server side, of course, and that's it). How true is this, and would creating a hash on the client and then sending it via https be more secure?

Update. If sending plaintext over SSL is safe enough, then what's the point of using things like cnonce? Isn't that extra overhead for the client?

+1
1 answer
  • No, HTTPS never falls back to HTTP automatically. The user must take deliberate action. If you simply go to a web page by typing its URL into the address bar, this is easy; for a form submission it is more difficult.

  • Yes, sending plain text over SSL is fine. In fact, sending a hashed password does not really increase security: if someone manages to sniff the connection and obtain the hashed password, that is all they need to get into the site. It has one small advantage: if the user uses the same password on several sites, learning the hashed password for one site does not help them get into another site that uses a different hash (or none). And it is hardly possible to send salted hashes, as the client does not know the salt.

Cnonce adds an extra layer of protection. If someone somehow manages to crack the SSL encryption, the cnonce will not let them obtain a useful password from it. This basically relates to what I said above about why sending a hashed password doesn't help: you need something that changes from session to session, and the cnonce provides this.

See https://security.stackexchange.com/questions/3001/what-is-the-use-of-a-client-nonce

+1

Source: https://habr.com/ru/post/1493752/
