Web Security

Web Security Defending Against HTTPS Downgrade

Check out a free preview of the full Web Security course:
The "Defending Against HTTPS Downgrade" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:

Mike discusses techniques to force conntections to use HTTPS.

Get Unlimited Access Now

Transcript from the "Defending Against HTTPS Downgrade" Lesson

>> Mike North: So defenses here are that when we ask users to bookmark things, when people are building browsers and they think about autocompletes, we wanna try to push users in the direction of saving those HTTPS URLs. If you enter it securely,
>> Mike North: You don't have that plain HTTP connection that you typically do, right?

[00:00:29] You need a valid certificate to come back. When you say, I'm beginning a TLS handshake, the man-in-the-middle can't typically fake that in a way that won't raise a couple of flags. So Content Security Policy that upgrade-insecure-requests thing that we talked about earlier that'll take care of links that are peppered throughout your app, it'll upgrade them to secure links.

[00:00:52] Google for awhile now has favored HTTPS so there is an SEO incentive. To start operating primarily over a secure domain, and to make that your main domain, to make all of your ads land there instead of your plain HTTP stuff. And then for anyone watching this, you should install HTTPS Everywhere, which basically that'll try to upgrade any requests that it can.

[00:01:16] And you can even instruct it once it sees the ability to connect securely to a domain, to not allow you to be downgraded again. So there's a browser plugin for every browser that has plugins. Should try to go and install it. Don't do it right now, cuz we're playing.

[00:01:33] And this'll make it less fun for us.