39

If I have a domain, https://www.example.com. It has an SSL certificate for that domain only.

I also want to redirect people who only type example.com in their browser's address bar. Should I secure the second domain https://example.com and why, or HTTP only is enough?

I don't use a wildcard SSL certificate.

Improve this question
5
  • 1
    It's already done but my question is should I secure the non www. What is the best practice.
    – Michel
    Commented Mar 6, 2019 at 12:18
  • 1
    @DeanMeehan it's better to read and understand the question before commenting.
    – ElmoVanKielmo
    Commented Mar 7, 2019 at 6:44
  • 2
    You should use example.org, example.net or example.com for examples. Other domain names like the one you used are often registered commercial domains.
    – Martin
    Commented Mar 7, 2019 at 11:19
  • A point which has not yet been mentioned : On Chrome it will redirect you without giving any errors, so aside from the other problems mentioned there there is not an issue. On Safari if you go to the non HTTPS version of the site, it gets muddled up and will give an error saying your certificate is invalid.
    – Kyle Wardle
    Commented Mar 7, 2019 at 14:14
  • Random note: if you did have *.example.com wildcard cert, it still doesn't cover example.com (unless you include example.com as a SAN, which as I think dana alluded to, at least some CA's will either automatically do that or at least remind you)
    – Foon
    Commented Mar 7, 2019 at 15:15

5 Answers 5

Reset to default
85

If you don't secure example.com and a user visits that site, a man-in-the-middle attacker can manipulate the traffic and keep the user on example.com, where he can intercept all traffic.

It doesn't matter that your version of example.com redirects to https://www.example.com/. The attacker can change this behavior and offer a HTTP version of your site to the user.

Improve this answer
8
  • 13
    Yes. The legitimiate behavior of http://mydomain.com/ is not relevant since the attacker can modify that behavior with his man-in-the-middle attack.
    – Sjoerd
    Commented Mar 6, 2019 at 13:18
  • 4
    But the first call would still be in http before redirecting to https so the man-in-the-middle can still interfere, can't he?
    – Michel
    Commented Mar 6, 2019 at 13:20
  • 25
    @Michel you should enable HSTS to solve that. Certificates are free, no reason not to use them!
    – Josef
    Commented Mar 6, 2019 at 14:30
  • 8
    @Fax HSTS isn't fully secure if your site isn't on the preload lists, but it's not useless either, because once a client connects without being MITMed, they'll load the correct HSTS policy, and they're no longer vulnerable. Thus, an attacker must catch the client on first connection, or they've lost their opportunity.
    – Gordon Davisson
    Commented Mar 7, 2019 at 17:05
  • 2
    @GordonDavisson and further to that, getting yourself on the preload lists is dead easy - no reason not to do that, either, once you've confirmed HTTPS working. hstspreload.org
    – ArtOfCode
    Commented Mar 7, 2019 at 22:20
17

If you don't have a certificate for example.com, anyone trying to access that (without the www. part) on HTTPS will get an error, and very likely not a redirection to www.example.com. With browsers pushing HTTPS as default protocol more and more, this will become a growing issue.

Many certificate authorities allow you to add multiple domain names in one certificate request, so you can get one certificate for both example.com and www.example.com.

Improve this answer
4
  • 6
    Are "browsers pushing HTTPS as default protocol"? Does any browser use HTTPS by default when you enter just mydomain.com?
    – Sjoerd
    Commented Mar 6, 2019 at 12:12
  • 6
    @Sjoerd: Yes. Brave tries HTTPS first by default, and many users of other browsers have installed the HTTPS Everywhere extension (eff.org/https-everywhere).
    – jssblck
    Commented Mar 6, 2019 at 20:07
  • 8
    @malexdev From what I understand, HTTPS everywhere does not make your browser use HTTPS by default on all sites, despite what its name says. It simply has a whitelist of websites that are redirected to HTTPS. It does nothing to all other sites.
    – Federico Poloni
    Commented Mar 6, 2019 at 23:02
  • 3
    @FedericoPoloni EFF's HTTPS Everywhere can be set to force all connections to be made using HTTPS, even when one attempts to use HTTP. My experience is that unless one uses only "big name" sites, that mode unfortunately has a tendency to break more than it helps.
    – user
    Commented Mar 7, 2019 at 12:06
2

Yes, you should.

In your scenario, the user types the name of your domain into their browser's address bar. No protocol, no www., just example.com. Most browsers will respond by first trying to connect to http://example.com. Now an attacker has the opportunity to interfere with this request and/or the response - preventing any redirect from occurring, or redirecting the user to the wrong destination, or any other bad behaviour.

Simply supporting HTTPS on the base domain doesn't help with this, since the browser will still connect over HTTP first, and the attacker controls what happens from that point on. (Although it does have the minor advantage of providing a better experience for those rare users who type https://example.com into their browsers).

The only way to truly avoid the problem is if, when the user types example.com, the browser immediately connects over HTTPS, without waiting for a redirect. This can be achieved (in most browsers) by getting your domain onto the HSTS preload list. The requirements for adding a domain to the preload list imply that the base domain must be available over HTTPS (you can only submit the base domain for inclusion, and that's what will be checked for the first two requirements; also, the HSTS header as specified in the fourth requirement is only valid over HTTPS).

So, the answer to your question is yes - you should secure the base domain - but you should also consider fulfilling the other requirements and adding the domain to the preload list.

Improve this answer
1
1

If you have enabled SSL certificate of RapidSSL, GeoTrust, Thawte then you have no need to worry about your domain example.com because they secure both www and non www version of the domain name such as example.com & www.example.com

But yes if you need to keep www domain www.example.com as your preferred domain then you must have to redirect your non www domain example.com using 301 redirect. Same query's solution given in this topic different ssl certificate for www and non www if you are still confused.

Improve this answer
1
  • 3
    The certificate may cover both the bare domain and the www subdomain, but it doesn't actually secure both unless it's installed correctly.
    – TRiG
    Commented Mar 7, 2019 at 10:02
0

If you will be redirecting with some information in the URL to the destination domain then be ware of then there is concern for security

You can use Letsencrypt(https://certbot.eff.org/) and get a free certificate for your domain. even if there are for redirect.

Improve this answer
1
  • 3
    Please include a summary of the link in your answer. What is the security risk?
    – Sjoerd
    Commented Mar 6, 2019 at 11:30

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .