security - Is redirecting http to https a bad idea?

Question

I'm reading over this page and it says that if a site is SSL and the user tries to access it via regular http, the application should not redirect the user to https. It should just block him. Can someone verify the validity of this? It doesn't sound like a good idea, and I wonder what the real risk is of just forwarding the user to https. It seems that there is no technical reasons behind it, just that it's a good way to educate the user.

Disable HTTP access to the domain, don’t even redirect or link it to SSL. Just inform the users this website is not accessible over HTTP and they have to access it over SSL.

This is the best practice against MITM and phising attacks. This way your users will be educated that application never accessible over HTTP and when they come across to a phising or MITM attack they will know something is wrong.

One of the best ways to protect your application against MITM attacks and phising attacks is educating your users.

Answer 1

An HTTP request that includes a session ID cookie is subject to session hijacking attacks. It is important that if you do allow HTTP and redirect to HTTPS, that cookies are marked as secure.

I can't see any technical reason why HTTP needs to be completely blocked either, and many sites do forward HTTP to HTTPS. When doing this it is highly advisable to implement HTTP Strict Transport Security (HSTS) which is a web security mechanism which declares that browsers are to only use HTTPS connections.

HSTS is implemented by specifying a response header such as Strict-Transport-Security: max-age=31536000. Complying user agents will automatically turn insecure links into secure links, thereby reducing the risk of man-in-the-middle attacks. Additionally, if there is a risk that the certificate isn't secure, e.g. the root authority isn't recognised, then an error message is displayed and the response is not shown.