Path: ...!news.roellig-ltd.de!open-news-network.org!weretis.net!feeder8.news.weretis.net!reader5.news.weretis.net!news.solani.org!.POSTED!not-for-mail
From: Mild Shock <janburse@fastmail.fm>
Newsgroups: comp.lang.prolog
Subject: Re: comp.lang.prolog Frequently Asked Questions
Date: Fri, 20 Sep 2024 14:04:40 +0200
Message-ID: <vcjocm$dmh8$1@solani.org>
References: <18c37160924.070003@logic.at>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 20 Sep 2024 12:04:38 -0000 (UTC)
Injection-Info: solani.org;
	logging-data="449064"; mail-complaints-to="abuse@news.solani.org"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Firefox/91.0 SeaMonkey/2.53.19
Cancel-Lock: sha1:radEC40lpx8f/7dr50oQNE68rvw=
In-Reply-To: <18c37160924.070003@logic.at>
X-User-ID: eJwNwokRwCAMA7CVIMF5xsGA9x+hPQkeM06uQCzoVzXokpnh0Vgd3HqdWVCerA2nBsMdyOLTjMHF2bfpfT9QYxWA
Bytes: 2701
Lines: 45

Since spoofing GIT content is so easy and
non-sandboxed Prolog code is a rather sensitive
thing, I guess this is why bothering with HTTPS
and an HSTS (HTTP Strict Transport Security)
policy could be important. SWI-Prolog packs are
non-sandboxed, unlike SWISH notebooks, right?

Here is what ChatGPT says:

An HTTP to HTTPS redirect vulnerability occurs
when an insecure HTTP connection is used to
redirect users to a secure HTTPS connection,
but the initial HTTP request is not adequately
protected. Here’s how this vulnerability might be exploited:

- Man-in-the-Middle Attack (MitM): Since HTTP is
unencrypted, an attacker intercepting the
initial HTTP request could manipulate the
redirection process before the user reaches
the secure HTTPS site. This could involve:

* Redirecting the user to a malicious site that
looks identical to the intended destination.
* Modifying the content in transit, such as
injecting malicious scripts.

- Downgrade Attacks: Attackers could attempt to
keep users on an HTTP connection instead of
redirecting them to HTTPS, leaving communication
vulnerable to eavesdropping or tampering.

The severity of an HTTP to HTTPS redirect
vulnerability can vary depending on the
context, but it is generally considered
moderate to high, depending on the following factors:

- Moderate: For non-sensitive sites where the
main risk is traffic manipulation (e.g., content
modification or ads injection) without
significant consequences.

- High: For sites handling sensitive user data
(e.g., financial services, medical information),
especially when users are likely to connect
over insecure networks like public Wi-Fi.
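As an added illustration of the HSTS and HTTP-to-HTTPS redirect points raised in the post (this is example code, not part of the post and not SWI-Prolog's own; the host name and response values it is fed are constructed assumptions): a small checker that parses a Strict-Transport-Security header against the RFC 6797 syntax, flags weak settings, and verifies that a plain-HTTP response redirects to HTTPS on the same host.

```python
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse
# Minimum max-age the HSTS preload list requires: one year, in seconds.
PRELOAD_MIN_MAX_AGE = 31536000

@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)

def parse_hsts(header: Optional[str]) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797) and flag weak settings."""
    policy = HstsPolicy()
    if header is None:
        policy.problems.append("no Strict-Transport-Security header")
        return policy
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.problems.append(f"max-age is not a number: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None:
        policy.problems.append("max-age missing, browsers ignore the header")
    elif policy.max_age == 0:
        policy.problems.append("max-age=0 revokes the policy")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        policy.problems.append("max-age below one year")
    if policy.preload and not policy.include_subdomains:
        policy.problems.append("preload requires includeSubDomains")
    return policy

# Check that the plain-HTTP answer is a redirect to HTTPS on the same host.
def check_redirect(status: int, location: Optional[str], host: str) -> List[str]:
    problems = []
    if status not in (301, 302, 307, 308):
        problems.append(f"status {status} is not a redirect")
    parsed = urlparse(location or "")
    if parsed.scheme != "https" or parsed.hostname != host.lower():
        problems.append(f"Location is not on https://{host}: {location!r}")
    return problems
```

Run the checks against the HTTP and HTTPS responses of the pack server (hypothetically `packs.example`) to see whether the downgrade window the quoted text describes is actually closed.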