From: Mild Shock
Newsgroups: comp.lang.prolog
Subject: Re: comp.lang.prolog Frequently Asked Questions
Date: Fri, 20 Sep 2024 14:04:40 +0200

Since spoofing GIT content is so easy and non-sandboxed Prolog code is a rather sensitive thing, I guess this is why bothering with HTTPS and an HSTS (HTTP Strict Transport Security) policy could be important. SWI-Prolog packs are non-sandboxed, unlike SWISH notebooks, right?

Here is what ChatGPT says:

An HTTP to HTTPS redirect vulnerability occurs when an insecure HTTP connection is used to redirect users to a secure HTTPS connection, but the initial HTTP request is not adequately protected. Here's how this vulnerability might be exploited:

- Man-in-the-Middle Attack (MitM): Since HTTP is unencrypted, an attacker intercepting the initial HTTP request could manipulate the redirection process before the user reaches the secure HTTPS site. This could involve:
  * Redirecting the user to a malicious site that looks identical to the intended destination.
  * Modifying the content in transit, such as injecting malicious scripts.
- Downgrade Attacks: Attackers could attempt to keep users on an HTTP connection instead of redirecting them to HTTPS, leaving communication vulnerable to eavesdropping or tampering.

The severity of an HTTP to HTTPS redirect vulnerability can vary depending on the context, but it is generally considered moderate to high, depending on the following factors:

- Moderate: For non-sensitive sites where the main risk is traffic manipulation (e.g., content modification or ads injection) without significant consequences.
- High: For sites handling sensitive user data (e.g., financial services, medical information), especially when users are likely to connect over insecure networks like public Wi-Fi.